Wednesday, December 20, 2017

Authentication with LDAP: Elasticsearch, Logstash, Kibana

Use the Apache HTTP Server as a reverse proxy that authenticates users against LDAP before passing requests on to ELK (Kibana listens only on the loopback address behind it).

You may need to install mod_ldap to enable LDAP authentication for httpd:

# yum --enablerepo=ol7_optional_latest install mod_ldap

<Location "/">
        AuthType Basic
        AuthName "OnLine Services"

        AuthBasicProvider ldap

        AuthLDAPURL "ldap://ldap.goweekend.ca/dc=goweekend,dc=ca?uid?sub?(objectclass=*)"
        Require valid-user

        ProxyPass "http://127.0.0.1:5601/"
        ProxyPassReverse "http://127.0.0.1:5601/"

</Location>

Apache: Oracle Linux 7 LDAP Authentication

yum --enablerepo=ol7_optional_latest install mod_ldap

Tuesday, December 5, 2017

Solaris 11 ACL

ACL entry types, which are the ACL representations of owner, group, and other, are described in the following table.

Table 8-1 ACL Entry Types

ACL Entry Type  Description
owner@          Specifies the access granted to the owner of the object.
group@          Specifies the access granted to the owning group of the object.
everyone@       Specifies the access granted to any user or group that does not match any other ACL entry.
user            With a user name, specifies the access granted to an additional user of the object. Must include the ACL-entry-ID, which contains a user name or user ID. If the value is not a valid numeric UID or user name, the ACL entry type is invalid.
group           With a group name, specifies the access granted to an additional group of the object. Must include the ACL-entry-ID, which contains a group name or group ID. If the value is not a valid numeric GID or group name, the ACL entry type is invalid.
ACL access privileges are described in the following table.

Table 8-2 ACL Access Privileges

Access Privilege  Compact  Description
add_file          w        Permission to add a new file to a directory.
add_subdirectory  p        On a directory, permission to create a subdirectory.
append_data       p        Placeholder. Not currently implemented.
delete            d        Permission to delete a file.
delete_child      D        Permission to delete a file or directory within a directory.
execute           x        Permission to execute a file or search the contents of a directory.
list_directory    r        Permission to list the contents of a directory.
read_acl          c        Permission to read the ACL (ls).
read_attributes   a        Permission to read basic attributes (non-ACLs) of a file. Think of basic attributes as the stat level attributes. Allowing this access mask bit means the entity can execute ls(1) and stat(2).
read_data         r        Permission to read the contents of the file.
read_xattr        R        Permission to read the extended attributes of a file or perform a lookup in the file's extended attributes directory.
synchronize       s        Placeholder. Not currently implemented.
write_xattr       W        Permission to create extended attributes or write to the extended attributes directory. Granting this permission to a user means that the user can create an extended attribute directory for a file. The attribute file's permissions control the user's access to the attribute.
write_data        w        Permission to modify or replace the contents of a file.
write_attributes  A        Permission to change the times associated with a file or directory to an arbitrary value.
write_acl         C        Permission to write the ACL or the ability to modify the ACL by using the chmod command.
write_owner       o        Permission to change the file's owner or group, or the ability to execute the chown or chgrp commands on the file. Permission to take ownership of a file or permission to change the group ownership of the file to a group of which the user is a member. If you want to change the file or group ownership to an arbitrary user or group, then the PRIV_FILE_CHOWN privilege is required.

ACL Inheritance

The purpose of using ACL inheritance is so that a newly created file or directory can inherit the ACLs it is intended to inherit, without disregarding the existing permission bits on the parent directory.

By default, ACLs are not propagated. If you set a non-trivial ACL on a directory, it is not inherited by any subsequent directory. You must specify the inheritance of an ACL on a file or directory.

The optional inheritance flags are described in the following table.

Table 8-3 ACL Inheritance Flags

Inheritance Flag  Compact  Description
file_inherit      f        Only inherit the ACL from the parent directory to the directory's files.
dir_inherit       d        Only inherit the ACL from the parent directory to the directory's subdirectories.
inherit_only      i        Inherit the ACL from the parent directory but apply it only to newly created files or subdirectories and not to the directory itself. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit.
no_propagate      n        Only inherit the ACL from the parent directory to the first-level contents of the directory, not the second-level or subsequent contents. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit.
-                 N/A      No permission granted.

In addition, you can set a default ACL inheritance policy on the file system that is more strict or less strict by using the aclinherit file system property. For more information, see the next section.
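As an added example (not part of Oracle's documentation or of this post), the following Python decodes a compact ACL entry such as the one applied to the SMB share later on this page, user:testuser:rwxpdDaARWcCos:fd-----:allow, back into the names in Tables 8-1 to 8-3, and reports when an allow entry hands the grantee control of the object (write_acl, write_owner). The letter maps are transcribed from the tables above; the field splitting and the control-privilege check are this example's own.

```python
"""Decode a compact ZFS/NFSv4 ACL entry into the names from Tables 8-1 to 8-3.

Added example, not from Oracle's documentation. Input is the ACE syntax that
chmod A+ and ls -v use, e.g. the entry applied to the SMB share on this page:
    user:testuser:rwxpdDaARWcCos:fd-----:allow
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Compact access letter -> privilege name(s) (Table 8-2). Letters shared by a
# file privilege and a directory privilege map to both names.
ACCESS = {
    "r": ("read_data", "list_directory"),
    "w": ("write_data", "add_file"),
    "x": ("execute",),
    "p": ("append_data", "add_subdirectory"),
    "d": ("delete",),
    "D": ("delete_child",),
    "a": ("read_attributes",),
    "A": ("write_attributes",),
    "R": ("read_xattr",),
    "W": ("write_xattr",),
    "c": ("read_acl",),
    "C": ("write_acl",),
    "o": ("write_owner",),
    "s": ("synchronize",),
}

# Compact inheritance letter -> flag name (Table 8-3).
INHERIT = {
    "f": "file_inherit",
    "d": "dir_inherit",
    "i": "inherit_only",
    "n": "no_propagate",
}

# Privileges that let the grantee rewrite the ACL or change ownership, i.e.
# take control of the object rather than merely use it (this example's rule).
CONTROL_PRIVS = frozenset({"write_acl", "write_owner"})


@dataclass
class AclEntry:
    entry_type: str            # owner@, group@, everyone@, user or group
    who: str | None            # user/group name or ID; None for the @ types
    privileges: list[str]
    inherit_flags: list[str]
    access_type: str           # allow or deny
    unknown: list[str] = field(default_factory=list)  # letters not in the tables


def parse_compact_ace(text: str) -> AclEntry:
    fields = text.split(":")
    if fields[0] in ("user", "group"):
        # Table 8-1: user and group entries carry an ACL-entry-ID field.
        if len(fields) != 5:
            raise ValueError(f"{fields[0]} entry needs 5 fields: {text!r}")
        entry_type, who, access, inherit, kind = fields
        if not who:
            raise ValueError(f"missing ACL-entry-ID in {text!r}")
    elif fields[0] in ("owner@", "group@", "everyone@"):
        if len(fields) != 4:
            raise ValueError(f"{fields[0]} entry needs 4 fields: {text!r}")
        entry_type, access, inherit, kind = fields
        who = None
    else:
        raise ValueError(f"unknown ACL entry type: {fields[0]!r}")
    if kind not in ("allow", "deny"):
        raise ValueError(f"access type must be allow or deny: {kind!r}")

    privileges, unknown = [], []
    for ch in access:
        if ch == "-":
            continue                      # position not granted
        if ch in ACCESS:
            privileges.extend(ACCESS[ch])
        else:
            unknown.append(ch)
    flags = []
    for ch in inherit:
        if ch == "-":
            continue
        if ch in INHERIT:
            flags.append(INHERIT[ch])
        else:
            unknown.append(ch)
    # Table 8-3: inherit_only and no_propagate only say how to inherit;
    # file_inherit and/or dir_inherit must say what is inherited.
    if {"inherit_only", "no_propagate"} & set(flags) and not (
            {"file_inherit", "dir_inherit"} & set(flags)):
        raise ValueError(f"inherit_only/no_propagate need file_inherit or dir_inherit: {text!r}")
    return AclEntry(entry_type, who, privileges, flags, kind, unknown)


def control_privileges(entry: AclEntry) -> frozenset[str]:
    """Control-changing privileges this entry allows (empty for deny entries)."""
    if entry.access_type != "allow":
        return frozenset()
    return CONTROL_PRIVS & frozenset(entry.privileges)


if __name__ == "__main__":
    ace = parse_compact_ace("user:testuser:rwxpdDaARWcCos:fd-----:allow")
    print(ace)
    print("control privileges granted:", sorted(control_privileges(ace)))
```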

ACL Property (aclinherit)

The ZFS file system includes the aclinherit property to determine the behavior of ACL inheritance. Values include the following:
  • discard – For new objects, no ACL entries are inherited when a file or directory is created. The ACL on the file or directory is equal to the permission mode of the file or directory.
  • noallow – For new objects, only inheritable ACL entries that have an access type of deny are inherited.
  • restricted – For new objects, the write_owner and write_acl permissions are removed when an ACL entry is inherited.
  • passthrough – When the property value is set to passthrough, files are created with a mode determined by the inheritable ACEs. If no inheritable ACEs exist that affect the mode, then the mode is set in accordance with the mode requested by the application.
  • passthrough-x – Has the same semantics as passthrough, except that when passthrough-x is enabled, files are created with the execute (x) permission, but only if execute permission is set in the file creation mode and in an inheritable ACE that affects the mode.
The default value of aclinherit is restricted.

Expand LUN in LDOM through Control Domain

How to modify the EFI label for a LUN that was online expanded and that belongs to a zpool (Doc ID 2129335.1)

1. Before starting, save the prtvtoc output of the disk on the control
domain:

# prtvtoc /dev/rdsk/cX***d0s2 > /var/tmp/LUN-vtoc.txt


2. Set the autoexpand property to on for the zpool:

# zpool set autoexpand=on <zpool_name>


3. Increase the size of the LUN on the back end storage.

4. Run "format -e" on the control domain.

5. Select "expand", to expand to the new size of the LUN.

6. Print the current partition table, check the starting sector and the
total disk sectors, example:


Total disk sectors available: 146784222 + 16384 (reserved sectors)

Part Tag Flag First Sector Size Last Sector
0 usr wm 256 59.99GB 125812702
<....>


7. Select "0", to modify the initial slice and follow the prompts:

Enter partition id tag[usr]: <- accept default
Enter partition permission flags[wm]: <- accept default
Enter new starting Sector[34]: 256 <- Type 256 as above

On the following question use the max size as reported by format (69g):

Enter partition size[146784154b, 146784409e, 71671mb, 69gb, 0tb]:


8. Check the partition table; if the starting block is 256, all the
space is in slice 0 and there are no overlaps, use the "label" command
and select 1 for the "[1] EFI Label" type.

9. Check the size of the zpool on the guest domain; if needed, run the
following command:

# zpool online -e <pool_name> <LUN>

++++ end ++++

These instructions are from the document. The most important thing is that you shouldn't use the "auto config" option.

>>> 2. whole LUN is allocated to guest LDOM and managed by ASM in Oracle RAC

How to modify the EFI label for a LUN that was online expanded and that belongs to a zpool

Solaris Operating System - Version 10 3/05 to 11.3 [Release 10.0 to 11.0]
Information in this document applies to any platform.

A zpool can become suspended after online expanding a LUN that belongs to the zpool after using the "Auto configure" option from the format utility. The objective of this article is to prevent such problems.


Solution


Note: In Solaris 10, the patch 148098-03 (SPARC) / 148099-03 (x86) or later, needs to be installed for this procedure to work.


Before modifying the LUN and the zpool, make sure you have a backup of the data in the zpool and save the prtvtoc(1) output of each of the LUNs that are going to be modified:

# prtvtoc /dev/rdsk/c0t600144F0E1765470000056DDFBAC0001d0s2 > /var/tmp/c0t600144F0E1765470000056DDFBAC0001d0-label.txt

Also, make sure that the ZFS autoexpand property is set to on:

# zpool set autoexpand=on tank
# zpool get autoexpand tank
NAME  PROPERTY    VALUE  SOURCE
tank  autoexpand  on     local

Now proceed to add the space to the LUN(s) and follow the next steps to modify or verify that the label of the LUN recognizes the added space:

1. Use "format -e <LUN>" to verify/modify the label of the LUN.
2. Select the "partition" option from the format menu.
3. Select "print" to review the partition table; verify that partition zero starts at block 256 and has all the space assigned to it, except for slice eight, which will have 8 MB. Verify whether the partition table reports the added space. Use the prtvtoc(1) output that was saved in the beginning to compare if needed.
4. If the new space is not reported, use the "expand" option from the format->partition sub menu.
5. Print the partition table again; the new space should be visible on the second line, where it says "Total disk sectors available: XXXXXXX  + 16834 (reserved sectors)". Save the value of the first sector of partition 8.
6. Type "0" on the "partition>" prompt to modify the first partition.
7. Accept the defaults for partition id tag, permission, and starting sector (it should be 256).
8. Calculate the last sector of partition zero by subtracting one from the first sector of partition 8 noted in step #5. For example, if the first sector of partition 8 is 4177887 then use 4177886e (the "e" denotes the ending sector) at the prompt "Enter partition size". The character "$" can be used so the partition uses all available space.
9. Print the partition table again; make sure that this time the first partition starts at 256 and has the new space added to it. Do not proceed to the next step if the starting sector of the first partition is 34 or any number different from 256.
10. Type the command "label" to save the label to the disk. Select EFI if prompted for the label type and quit the format utility.
11. Check with "zpool list" whether the zpool is now expanded. If not, use the command "zpool online -e <zpool_name> <LUN>" to expand the space and verify again whether the space is now visible.

Important considerations:
1. Never use the "type -> Auto configure" option from the format facility.
2. Never label a LUN used by ZFS if the starting sector for the first partition is 34 or anything different from 256 for a zpool using whole disks labeled as EFI.
3. If the zpool was created against slice 0 of an EFI LUN (instead of using the whole disk), then the starting sector could be 34; the important consideration is that after adding the space and changing the label, the starting sector should remain the same.

The following is an example of the procedure outlined above:
# format -e c0t600144F0E1765470000056DDFBAC0001d0

c0t600144F0E1765470000056DDFBAC0001d0: configured with capacity of 1023.75MB
selecting c0t600144F0E1765470000056DDFBAC0001d0
[disk formatted]


FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        save       - save new disk/partition definitions
        inquiry    - show disk ID
        scsi       - independent SCSI mode selects
        cache      - enable, disable or query SCSI disk cache
        volname    - set 8-character volume name
        !<cmd>     - execute <cmd>, then return
        quit
format> partition


PARTITION MENU:
        0      - change `0' partition
        1      - change `1' partition
        2      - change `2' partition
        3      - change `3' partition
        4      - change `4' partition
        5      - change `5' partition
        6      - change `6' partition
        expand - expand label to use the maximum allowed space
        select - select a predefined table
        modify - modify a predefined partition table
        name   - name the current table
        print  - display the current table
        label  - write partition map and label to the disk
        !<cmd> - execute <cmd>, then return
        quit
partition> print
Current partition table (original):
Total disk sectors available: 2080701 + 16384 (reserved sectors)

Part      Tag    Flag     First Sector       Size       Last Sector
  0        usr    wm               256   1015.86MB        2080734  
  1 unassigned    wm                 0         0             0  
  2 unassigned    wm                 0         0             0  
  3 unassigned    wm                 0         0             0  
  4 unassigned    wm                 0         0             0  
  5 unassigned    wm                 0         0             0  
  6 unassigned    wm                 0         0             0  
  8   reserved    wm           2080735      8.00MB        2097118

partition> expand
The expanded capacity is added to the unallocated space.

partition> print
Current partition table (original):
Total disk sectors available: 4177853 + 16384 (reserved sectors)

Part      Tag    Flag     First Sector       Size       Last Sector
  0        usr    wm               256   1015.86MB        2080734  
  1 unassigned    wm                 0         0             0  
  2 unassigned    wm                 0         0             0
  3 unassigned    wm                 0         0             0  
  4 unassigned    wm                 0         0             0
  5 unassigned    wm                 0         0             0  
  6 unassigned    wm                 0         0             0  
  8   reserved    wm           4177887      8.00MB        4194270  

partition> 0 
Part      Tag    Flag     First Sector       Size       Last Sector
  0        usr    wm               256      1.99GB        4177885

Enter partition id tag[usr]:
Enter partition permission flags[wm]:
Enter new starting sector[256]:
Enter partition size[4177630b, 4177885e, 2039mb, 1gb, 0tb]: 4177886e
partition> print
Current partition table (unnamed):
Total disk sectors available: 4177853 + 16384 (reserved sectors)

Part      Tag    Flag     First Sector       Size       Last Sector
  0        usr    wm               256      1.99GB        4177886  
  1 unassigned    wm                 0         0             0  
  2 unassigned    wm                 0         0             0  
  3 unassigned    wm                 0         0             0  
  4 unassigned    wm                 0         0             0  
  5 unassigned    wm                 0         0             0  
  6 unassigned    wm                 0         0             0  
  8   reserved    wm           4177887      8.00MB        4194270

partition> label
[0] SMI Label
[1] EFI Label
Specify Label type[1]:
Ready to label disk, continue? y
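As an added example (not part of the Oracle document or this post), the following Python applies the checks the procedure asks for in steps 3, 8 and 9 to the text that "partition> print" produces: slice 0 starts at 256, ends immediately before the reserved slice 8, covers all of the space the label reports as available, and no slices overlap. The sample tables are copied from the session above; the assumption that usable space on an EFI label starts at sector 34 comes from format's default starting sector shown in the prompts above.

```python
"""Check a `format -e` partition table before writing the EFI label.

Added example (not part of the Oracle document): parses the text printed by
`partition> print` and returns the problems that should stop you from typing
"label". An empty list means the table matches what the procedure expects.
"""
import re

# First usable sector of an EFI label: format's default starting sector, seen
# in the "Enter new starting Sector[34]" prompt earlier on this page.
EFI_FIRST_USABLE = 34

# Sample tables taken from the session above (constructed test data, trimmed
# to the slices that matter). First: the correct end state after editing 0.
SAMPLE_OK = """\
Current partition table (unnamed):
Total disk sectors available: 4177853 + 16384 (reserved sectors)

Part      Tag    Flag     First Sector       Size       Last Sector
  0        usr    wm               256      1.99GB        4177886
  1 unassigned    wm                 0         0             0
  8   reserved    wm           4177887      8.00MB        4194270
"""

# Second: straight after "expand", before slice 0 has been grown.
SAMPLE_NOT_GROWN = """\
Total disk sectors available: 4177853 + 16384 (reserved sectors)

Part      Tag    Flag     First Sector       Size       Last Sector
  0        usr    wm               256   1015.86MB        2080734
  8   reserved    wm           4177887      8.00MB        4194270
"""

TOTAL_RE = re.compile(r"Total disk sectors available:\s*(\d+)\s*\+\s*(\d+)")
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_partition_table(text):
    """Return (available_sectors, {slice: (first, last)}) for populated slices."""
    available = None
    slices = {}
    for line in text.splitlines():
        m = TOTAL_RE.search(line)
        if m:
            available = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:
            part, first, last = int(m.group(1)), int(m.group(4)), int(m.group(6))
            if last > 0:                  # unassigned rows print 0 / 0 / 0
                slices[part] = (first, last)
    if available is None or 0 not in slices or 8 not in slices:
        raise ValueError("need the sector total, slice 0 and slice 8")
    return available, slices


def check_efi_label(text, expected_start=256):
    """Return the list of problems found; empty means it is safe to 'label'."""
    available, slices = parse_partition_table(text)
    problems = []
    first0, last0 = slices[0]
    first8, _ = slices[8]
    # Step 9 / consideration 2: a whole-disk zpool member must start at 256.
    if first0 != expected_start:
        problems.append(f"slice 0 starts at {first0}, expected {expected_start}")
    # Step 3: slice 0 must hold everything the label reports as available.
    last_usable = EFI_FIRST_USABLE + available - 1
    if last0 != last_usable:
        problems.append(f"slice 0 ends at {last0}, but usable space runs to {last_usable}")
    # Step 8: slice 0 ends one sector before the reserved slice 8 begins.
    if last0 != first8 - 1:
        problems.append(f"{first8 - 1 - last0} unallocated sectors between slice 0 and slice 8")
    # No two populated slices may overlap.
    ordered = sorted(slices.items(), key=lambda kv: kv[1][0])
    for (pa, (fa, la)), (pb, (fb, lb)) in zip(ordered, ordered[1:]):
        if fb <= la:
            problems.append(f"slice {pa} ({fa}-{la}) overlaps slice {pb} ({fb}-{lb})")
    return problems


if __name__ == "__main__":
    for name, table in (("after edit", SAMPLE_OK), ("after expand only", SAMPLE_NOT_GROWN)):
        print(name, "->", check_efi_label(table) or "OK, safe to label")
```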

Monday, November 27, 2017

Solaris 11 - NFS - Troubleshooting


Log File
/var/svc/log/network-nfs-server:default.log
# fmadm faulty -a

# nfsstat

Friday, November 24, 2017

Oracle: Patch RAC

If you don't specify -local, opatch patches all nodes. As a DBA, you should test on one node first, then roll the patch out to the other nodes.

If you have multiple Grid Infrastructure homes or Oracle homes, you can specify which one to patch:
$ opatch apply -local -oh /oracle/apps/grid/11.2.0.3

If there is only one home and you are using the opatch that ships with that home, you can run opatch as below:
$ opatch apply -local

Then roll the patch out to the remaining nodes one at a time:

$ opatch apply -remote_nodes db02

Roll back a specified patch:

$ opatch rollback -id 15983996

Tuesday, November 21, 2017

Display Oracle RAC Information

# Run as grid user

echo "======================================/etc/hosts======================================================"
# Display /etc/hosts
cat /etc/hosts

echo "=====================================Nodes in Cluster================================================="
# List all nodes
olsnodes

echo "=======================================Cluster Name==================================================="
# Display Cluster Name
olsnodes -c

echo "=================================the Public and VIP Node Name========================================="
# Display the Public and VIP Node Name
olsnodes -n -i

echo "====================================the Private IP Details============================================"
# Display the Private IP Details
olsnodes -n -i -l -p

echo "======================================Subnet Info====================================================="
# Display Subnet Info in Oracle Clusterware
oifcfg getif

exit

Monday, November 13, 2017

Oracle Database: Switch UNDO Tablespace online

-- SIZE must precede the AUTOEXTEND clause in the datafile specification
CREATE UNDO TABLESPACE UNDOTBSNEW DATAFILE '/DATAFILES/UNDOTBSNEW.DBF' SIZE 4096M AUTOEXTEND ON NEXT 100M;


ALTER SYSTEM SET UNDO_TABLESPACE= UNDOTBSNEW;

DROP TABLESPACE UNDOTBSOLD INCLUDING CONTENTS AND DATAFILES;

Tuesday, October 31, 2017

Linux 7: polkit-agent-helper-1: pam_authenticate failed: Authentication failure

Problem:


[feijiangnan@server01 ~]$ systemctl stop crond.service
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to stop 'crond.service'.
Authenticating as: root
Password:
polkit-agent-helper-1: pam_authenticate failed: Authentication failure

Investigation:


# grep feijiangnan /etc/passwd
feijiangnan:x:1024:1025::/home/feijiangnan:/bin/bash

# usermod -u 500 feijiangnan

[root@server01 pam.d]# id feijiangnan
uid=500(feijiangnan) gid=1025(feijiangnan) groups=1025(feijiangnan),1024(sysadmin)


Verification:


[feijiangnan@server01 ~]$ sudo systemctl restart crond.service
[sudo] password for feijiangnan:

Monday, October 30, 2017

ZFS: Remove all non-trivial ACEs from a file

Removing all non-trivial ACEs from a file

% chmod A- filename

Apache2: List Directory Contents

Create .htaccess in the directory whose listing you want to control.

# cat .htaccess
order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all
Options +Indexes

Tuesday, October 24, 2017

Oracle LDOM and ASM Best Practice

http://www.oracle.com/technetwork/server-storage/vm/overview/index.html


1.) Running Oracle Real Application Clusters on Oracle VM Server for SPARC (PDF)

http://www.oracle.com/technetwork/server-storage/vm/overview/index.html
Under
Oracle VM Server for SPARC Technical White Papers

Which is a very thorough white paper.
This suggests direct I/O and defines domain types and how you can
create an I/O domain or root domain and assign a PCIe bus directly to that
guest domain. It's fairly detailed.

The number of I/O domains is dependent on the system type, and the HBAs need to
be supported HBAs as well.

2.)
Next I also review
Oracle VM Server for SPARC Best Practices
http://www.oracle.com/technetwork/server-storage/vm/ovmsparc-best-practices-2334546.pdf

Specifically you may want to review the sections on I/O.

3.)
Make sure the HBAs are supported for Direct I/O.

Review:
1325454.1 Oracle VM Server for SPARC PCIe Direct I/O and SR-IOV Features

4.) if needed
There are also other Best Practice Documents for Oracle VM Server for SPARC
http://www.oracle.com/technetwork/server-storage/vm/overview/index.html


5.) Be sure that you also go over any best practices for ASM disks. I've seen several customers not follow ASM best practices and
overwrite their disk labels:

Oracle Solaris logging "primary label corrupt; using backup" or "Corrupt Label; wrong magic number" in Oracle ASM environment ( Doc ID 1532506.1 )
and

ASM Technical Best Practices For 10g and 11gR1 Release ( Doc ID 265633.1 )

Monday, October 23, 2017

GRID: Create New Disk Group

Shutdown Database

Create A New LUN at Storage Side


Discover new LUN

# format
format> disk                                          
AVAILABLE DISK SELECTIONS:
       0. c0t5000CCA0562C310Cd0 <HITACHI-H109060SESUN600G-A690-558.91GB>
          /scsi_vhci/disk@g5000cca0562c310c                           
          /dev/chassis/SYS/SASBP/HDD0/disk                            
       1. c0t5000CCA0562C3070d0 <HITACHI-H109060SESUN600G-A690 cyl 64986 alt 2 hd 27 sec 668>  solaris
          /scsi_vhci/disk@g5000cca0562c3070                                                         
          /dev/chassis/SYS/SASBP/HDD1/disk                                                          
       2. c0t60080E500036B7F800000C0C55B86E3Ad0 <SUN-LCSM100_F-0784 cyl 15358 alt 2 hd 64 sec 64>   
          /scsi_vhci/ssd@g60080e500036b7f800000c0c55b86e3a                                          
       3. c0t60080E500036B7F800000C0E55B86ED1d0 <SUN-LCSM100_F-0784 cyl 30718 alt 2 hd 64 sec 64>   
          /scsi_vhci/ssd@g60080e500036b7f800000c0e55b86ed1                                          
       4. c0t60080E500036B7F800000C0955B86D60d0 <SUN-LCSM100_F-0784 cyl 40958 alt 2 hd 128 sec 64>  
          /scsi_vhci/ssd@g60080e500036b7f800000c0955b86d60                                          
       5. c0t60080E500036B7F800000E00566FCC76d0 <SUN-LCSM100_F-0784 cyl 25598 alt 2 hd 64 sec 64>     
          /scsi_vhci/ssd@g60080e500036b7f800000e00566fcc76                                          
       6. c7t5d31 <SUN-Universal Xport-0784 cyl 8 alt 2 hd 64 sec 64>                               
          /pci@400/pci@2/pci@0/pci@8/SUNW,qlc@0/fp@0,0/ssd@w20660080e53683c6,1f                     
       7. c8t10d31 <SUN-Universal Xport-0784 cyl 8 alt 2 hd 64 sec 64>                              
          /pci@400/pci@2/pci@0/pci@8/SUNW,qlc@0,1/fp@0,0/ssd@w20570080e53683c6,1f                   
Specify disk (enter its number)[3]: 5                                                               
selecting c0t60080E500036B7F800000E00566FCC76d0                                                     
[disk formatted]                                                                                    
Disk not labeled.  Label it now? yes                                                                
format> p                                                                                           
PARTITION MENU:
        0      - change `0' partition
        1      - change `1' partition
        2      - change `2' partition
        3      - change `3' partition
        4      - change `4' partition
        5      - change `5' partition
        6      - change `6' partition
        7      - change `7' partition
        select - select a predefined table
        modify - modify a predefined partition table
        name   - name the current table           
        print  - display the current table        
        label  - write partition map and label to the disk
        !<cmd> - execute <cmd>, then return             
        quit                                            
partition> p                                            
Current partition table (default):                      
Total disk cylinders available: 25598 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders         Size            Blocks
  0       root    wm       0 -    63      128.00MB    (64/0/0)       262144
  1       swap    wu      64 -   127      128.00MB    (64/0/0)       262144
  2     backup    wu       0 - 25597       50.00GB    (25598/0/0) 104849408
  3 unassigned    wm       0                0         (0/0/0)             0
  4 unassigned    wm       0                0         (0/0/0)             0
  5 unassigned    wm       0                0         (0/0/0)             0
  6        usr    wm     128 - 25597       49.75GB    (25470/0/0) 104325120
  7 unassigned    wm       0                0         (0/0/0)             0
partition> quit
FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk      
        format     - format and analyze the disk    
        repair     - repair a defective sector      
        label      - write label to the disk        
        analyze    - surface analysis               
        defect     - defect list management         
        backup     - search for backup labels       
        verify     - read and display labels        
        save       - save new disk/partition definitions
        inquiry    - show disk ID                     
        volname    - set 8-character volume name      
        !<cmd>     - execute <cmd>, then return       
        quit                                          
format> quit    

Change the new disk's owner and permissions

(This step must be done on all nodes, otherwise, you won't be able to see it in asmca)

 # ls -l /dev/rdsk/c0t60080E500036B7F800000E00566FCC76d0s6                                   
lrwxrwxrwx   1 root     root          67 Dec 15 10:21 /dev/rdsk/c0t60080E500036B7F800000E00566FCC76d0s6 -> ../../devices/scsi_vhci/ssd@g60080e500036b7f800000e00566fcc76:g,raw
# chown grid:asmadmin ../../devices/scsi_vhci/ssd@g60080e500036b7f800000e00566fcc76:g,raw
# chmod g+w ssd@g60080e500036b7f800000e00566fcc76:g,raw
# ls -l ../../devices/scsi_vhci/ssd@g60080e500036b7f800000e00566fcc76:g,raw                                                                             
crw-rw----   1 grid     asmadmin 237, 334 Dec 18 09:02 ../../devices/scsi_vhci/ssd@g60080e500036b7f800000e00566fcc76:g,raw

Add New LUN to existing ASM diskgroup with asmca

Login as grid, and run asmca
$ asmca
Right click on the existing diskgroup, and choose add disks.

Tuesday, October 17, 2017

Solaris ZFS: Compress ZFS

It is not possible to compress an existing boot environment; I suggest deleting old files and snapshots that are no longer needed. I have attached a guide on How To Delete Files on a ZFS Filesystem that is 100% Full (Doc ID 1537335.1).
For the future, take into consideration activating the compression option while creating the new boot environment:
# beadm create -p rpool2 -o compression=on BE

You can also enable compression on a ZFS file system.
Disabling and Enabling File System Compression

# zfs set compression=off pool/home
# zfs set compression=on pool/home/anne

Note: This only affects data that is written after the property is set; existing blocks stay uncompressed.

Friday, September 22, 2017

Tape Operation on Solaris



# list the archive on the tape into a file (cpio reads the archive from -I, not from a positional argument)
cpio -itv -I /dev/rmt/0 > filelist
http://docs.oracle.com/cd/E19620-01/805-4440/6j4753egr/index.html

http://tariqnazir.tripod.com/backup.htm

# mt -f /dev/rmt/0n fsf 2
# mt -f /dev/rmt/0n status
/usr/gnu/bin/tar tvf /dev/rmt/0n

https://www.cyberciti.biz/hardware/unix-linux-basic-tape-management-commands/

Friday, August 18, 2017

Troubleshooting SSSD

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html


Thursday, July 13, 2017

Solaris 11.3 SMB Server Authentication with Windows AD

Reference: https://docs.oracle.com/cd/E23824_01/html/821-1449/configuringoperationmodetm.html

Enable the SMB Service:

# svcadm enable -r smb/server

Synchronize Clock with Domain Controller

Make sure the clock difference between the client and the domain controller is less than 5 minutes (Kerberos rejects tickets outside that skew):
# ntpdate dc01.goweekend.ca

Enable SMB service

# svcadm enable -r smb/server

Join Windows Domain

smbadm will create all the objects required on the domain controller:
# smbadm join -u ouadmin  goweekend.ca

Map ID

# idmap add -d "winuser:*@*" "unixuser:*"

# idmap list

Change Name Server Switch Configuration


# svccfg -s svc:/system/name-service/switch
svc:/system/name-service/switch> setprop config/password = astring: "files nis ad"
svc:/system/name-service/switch> setprop config/group = astring: "files nis ad"
svc:/system/name-service/switch> select system/name-service/switch:default
svc:/system/name-service/switch:default> refresh
svc:/system/name-service/switch:default> quit

# svcadm refresh svc:/system/name-service/switch

Create SMB Shares on Solaris Server



# zfs create -o mountpoint=/myshare upool/myshare

# zfs share -o share.smb=on -o share.smb.abe=on -o share.smb.guestok=off upool/myshare%myshare_
# zfs set aclinherit=passthrough  upool/myshare

# chmod -R A+user:testuser:rwxpdDaARWcCos:fd-----:allow /myshare


Configure SMB Autohome Shares


https://docs.oracle.com/cd/E36784_01/html/E36832/autohomeshares.html#scrolltoc

On Solaris Client
# cat /etc/smbautohome
+nsswitch       OU=Users,DC=ad,DC=goweekend,DC=ca

New user on Solaris Server

If you find that a new user's status is locked, it looks like this in /etc/shadow:
usertest :*LK*:16245::::::
or
# passwd -s usertest
usertest  LK
Run the following command to activate the new user:
# passwd -r files usertest
or, to unlock an existing user:
# passwd -u usertest

Tuesday, July 11, 2017

Boot Solaris LDOM Guest into OK prompt

Sometimes you might need to boot your LDOM to the OK prompt; the following instructions will get you there:

1. Connect LDOM console, either on LDOM Host or other machine if remote connection is enabled
2. On LDOM host, run command
   # ldm set-var auto-boot\?=false <your ldom>
   # ldm stop <your ldom>
   # ldm start <your ldom>
Now, you can see the ok prompt on your console.

Tuesday, June 20, 2017

Solaris Update/Patch

Get Keys and Certificate
https://pkg-register.oracle.com/register/certificate/

Instructions to set up publisher
https://pkg-register.oracle.com/register/product_info/1/

11.3 Updates
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=294144479859886&id=2045311.1&_afrWindowMode=0&_adf.ctrl-state=ybap7kpk0_690#aref_section31



Monday, June 19, 2017

Enable Solaris 11 Authentication with OpenLDAP

https://blogs.oracle.com/paulie/configuring-a-basic-ldap-server-client-in-solaris-11



https://blog.teodeh.com/2012/11/30/configuring_solaris_11_to_use_active_directory_accounts_as_unix_accounts/

$ ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a defaultSearchBase=dc=web,dc=goweekend,dc=ca \
-a domainName=web.goweekend.ca \
-a defaultServerList=122.15.10.138 \
-a proxyDN=cn=admin,dc=web,dc=goweekend,dc=ca \
-a proxyPassword=xxxxxxxx \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=homeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=posixgroup \
-a objectClassMap=passwd:posixAccount=posixaccount \
-a objectClassMap=shadow:shadowAccount=posixaccount \
-a serviceSearchDescriptor=passwd:dc=web,dc=goweekend,dc=ca \
-a serviceSearchDescriptor=group:dc=web,dc=goweekend,dc=ca \
-a serviceSearchDescriptor=shadow:dc=web,dc=goweekend,dc=ca

Wednesday, June 14, 2017

Configure Single HTTPServer to Route to Multiple WebSphere Application Servers

Sometimes you need to configure a single HTTP Server to route to multiple WebSphere Application Servers; here is one way to do it:

Scenario:

WAS Server: A and B
HTTP Server: C

Use the same HTTPServer name on both A and B.
1. Create the HTTPServer on A, generate plugin-cfg.xml and the kdb/sth files, and propagate them to the HTTP Server.
2. Rename them with the prefix a-, i.e. a-plugin-cfg.xml, a-plugin-key.kdb, a-plugin-key.sth

Repeat the above steps on B, and rename the files with the prefix b-.

3. Merge the two plugin-cfg.xml files with pluginCfgMerge.sh. If your HTTPServer and WebSphere Application Server are on different machines, you can merge them on the WebSphere Application Server first, then copy the result to the HTTPServer:
/opt/IBM/WebSphere/AppServer/bin/pluginCfgMerge.sh a-plugin-cfg.xml b-plugin-cfg.xml plugin-cfg.xml

4. Verify the merged plugin-cfg.xml to ensure the keyring and stashfile properties point to the correct files:
                <Property Name="keyring" Value="/opt/IBM/HTTPServer/Plugins/config/HTTPServer/a-plugin-key.kdb"/>
                <Property Name="stashfile" Value="/opt/IBM/HTTPServer/Plugins/config/HTTPServer/a-plugin-key.sth"/>

5. Append the following lines to /opt/IBM/WebSphere/conf/httpd.conf:
LoadModule was_ap22_module /opt/IBM/WebSphere/Plugins/bin/64bits/mod_was_ap22_http.so
WebSpherePluginConfig  /opt/IBM/HTTPServer/Plugins/config/HTTPServer/plugin-cfg.xml

For Apache 2.4:
LoadModule was_ap24_module /opt/IBM/WebSphere/Plugins/bin/64bits/mod_was_ap24_http.so
WebSpherePluginConfig  /opt/IBM/WebSphere/Plugins/config/secure9Web/plugin-cfg.xml


Tuesday, June 6, 2017

HTTPServer 8.0 HTTP Rewrite Configuration

Edit /opt/IBM/HTTPServer/conf/httpd.conf and add the lines below. IHS 8.0 is based on Apache 2.2, so the 2.2-only directives NameVirtualHost, RewriteLog and RewriteLogLevel are valid here; on a 2.4-based server (IHS 9) drop NameVirtualHost and replace the two logging directives with LogLevel rewrite:trace3. The RewriteCond on SERVER_PORT is always true inside a *:80 VirtualHost and can be omitted. [R] alone answers with a 302; for a permanent http-to-https switch use [R=301,L] so that the rule is also the last one evaluated.

LoadModule rewrite_module modules/mod_rewrite.so

NameVirtualHost *:80

<VirtualHost *:80>
ServerName server1.goweekend.ca
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*)$ https://server1.goweekend.ca/$1 [R]
RewriteLogLevel 0
RewriteLog logs/server1_rewrite.log
</VirtualHost>

<VirtualHost *:80>
ServerName suzhou.goweekend.ca
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*)$ https://server2.goweekend.ca/$1 [R]
RewriteLogLevel 0
RewriteLog logs/server2_rewrite.log
</VirtualHost>

Wednesday, May 10, 2017

Solaris 11: Inconsistent password files

# useradd -u 166 -g 0 -m -d /export/home/user01 user01
/usr/lib/passmgmt: Inconsistent password files
UX: useradd: ERROR: Inconsistent password files.  See pwconv(1M).

pwconv checks /etc/passwd and /etc/shadow against each other and reports the offending line:

# pwconv
pwconv: ERROR: bad entry or blank line at line 1394 in /etc/passwd
pwconv: Unexpected failure. Conversion not done.

Fix or remove line 1394 of /etc/passwd (a stray blank line is the usual cause), run pwconv again until it completes silently, then repeat the useradd.

Friday, April 28, 2017

Fedora 25: Keep using DHCP after installation

Fedora 25 keeps using DHCP after installation even though a static IP was configured during installation, because NetworkManager owns the interface. One way around it is to hand the interface to the legacy network service (do this from the console, since the address will change):

1. Stop and disable NetworkManager
# systemctl stop NetworkManager.service
# systemctl disable NetworkManager.service
2. Start and enable the network service
# systemctl restart network.service
# systemctl enable network.service
3. Make the changes in /etc/sysconfig/network-scripts/ifcfg-eth0. BOOTPROTO=none is the canonical value for a static address (static is accepted too); add IPADDR, PREFIX, GATEWAY and DNS1 for your network if the installer did not write them.
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=eth0
UUID=15da7b6d-8cde-3858-883b-2901ba6168b6
ONBOOT=yes

Wednesday, April 26, 2017

Upgrade Mongodb Driver for PHP

pecl config-show
pecl version

There are two different PECL packages: the legacy "mongo" extension (Mongo class, no longer maintained; the changelog linked below is its release list) and the current "mongodb" extension (MongoDB\Driver). They are not interchangeable, and the commands below upgrade "mongodb". Fetch the tarball over https so it cannot be altered in transit.
https://pecl.php.net/package-changelog.php?package=mongo&release=1.2.5

wget https://pecl.php.net/get/mongodb
pecl install mongodb-*.tgz
or
pecl upgrade mongodb-*.tgz

Tuesday, April 25, 2017

Apache HTTPD Redirect http to https

<VirtualHost *:80>
ServerName www.goweekend.ca
DocumentRoot /usr/share/dboard

<If "req('Host') == 'www.goweekend.ca'">
    Redirect permanent / https://www.goweekend.ca/
</If>

</VirtualHost>

Redirect keeps the request path and query string, so /a?b becomes https://www.goweekend.ca/a?b. Requests with any other Host header (the bare IP address, an alias) are not caught by the <If> and are served from DocumentRoot over plain HTTP; if nothing should be served in the clear, drop the <If> and redirect unconditionally. Once everything is on 443, add a Strict-Transport-Security header in the :443 VirtualHost so browsers stop sending even the first request over http.

Thursday, March 30, 2017

Authenticate Mongodb Connection with Self-signed Certificates

Create a self-signed SSL Certificate
Reference: http://www.akadia.com/services/ssh_test_certificate.html

# cat mongodb.conf

logpath = /opt/sysAdmin/logs/mongodb.log
dbpath = /opt/sysAdmin
port = 27017

sslMode = requireSSL
sslPEMKeyFile = /home/mongodb/ssl/mongodb.pem
sslPEMKeyPassword = test
sslCAFile = /home/mongodb/ssl/client-cert.crt

sslPEMKeyPassword is only needed while the server key is still encrypted; once the passphrase is removed (below), drop the line rather than keep a cleartext password in the config. sslCAFile is a trust store and must contain certificates only: with self-signed certificates the server's CA file is the client certificate and the client's CA file is the server certificate. Never point it at a .pem that also contains a private key, or that key is handed to the other side.

Step 1:
http://demarcsek92.blogspot.ca/2014/05/mongodb-ssl-setup.html

Create Certificate for Server
$ openssl req -new -x509 -days 365 -out mongodb-cert.crt -keyout mongodb-cert.key
or

$ openssl req -new -x509 -days 3650 -out server.crt -keyout encrypted-server.key -subj '/C=CA/ST=ON/L=TORONTO/O=GOWEEKEND/OU=FINANCE/CN=127.0.0.1'

You can remove the passphrase from the key, but then restrict the permissions of the key file (mode 600, owned by the user mongod runs as):

$ cp mongodb-cert.key mongodb-cert.key.encrypted
$ openssl rsa -in mongodb-cert.key.encrypted -out mongodb-cert.key

$ cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

Create Certificate for Client
$ openssl req -new -x509 -days 365 -out client-cert.crt -keyout client-cert.key

OR

$ openssl req -new -x509 -days 3650 -out client.crt -keyout encrypted-client.key -subj '/C=CA/ST=ON/L=Toronto/O=GOWEEKEND/OU=IT/CN=127.0.0.1'

The client subject must differ from the server subject in at least one of O, OU or DC (here OU=IT against OU=FINANCE). mongod reserves certificates whose O, OU and DC all match the server certificate for cluster-member authentication: such a certificate is either refused for client authentication or, with x.509 cluster authentication enabled, given cluster-wide privileges, so it must never be issued to an application.

You can remove the passphrase from the key, but then restrict the permissions of the key file in the same way:

$ cp client-cert.key client-cert.key.encrypted
$ openssl rsa -in client-cert.key.encrypted -out client-cert.key

$ cat client-cert.key client-cert.crt > client.pem

Startup Server
mongod -f /etc/mongodb.conf

Connect to Database with the mongo shell. The CA file is the server certificate, not mongodb.pem, which also holds the server key:
mongo --ssl --sslCAFile ./mongodb-cert.crt --sslPEMKeyFile ./client.pem

Step 2:
https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/

Problem:
Within PHP, the error below popped up:
UserNotFound: Could not find user CN=127.0.0.1,OU=FINANCE,O=GOWEEKEND,L=TORONTO,ST=ON,C=CA@$external

The x.509 user name is the certificate subject in RFC 2253 order, compared byte for byte. Read it from the certificate instead of typing it:

$ openssl x509 -in client.pem -inform PEM -noout -subject -nameopt RFC2253
subject= CN=127.0.0.1,OU=WS,O=GOWEEKEND,L=TORONTO,ST=ON,C=CA

If the name in the error does not match what openssl prints for the client certificate (above, OU=FINANCE in the error against OU=WS in client.pem), the application is presenting a different certificate; fix that before creating any user.

Connect to Database and create the user in the $external database with the subject as its name. Give an application certificate only the roles it needs: userAdminAnyDatabase lets it create users with any privileges and does not belong on an application identity.

db.getSiblingDB("$external").runCommand(
  {
    createUser: "CN=127.0.0.1,OU=WS,O=GOWEEKEND,L=TORONTO,ST=ON,C=CA",
    roles: [
             { role: 'readWrite', db: 'mydb' },
             { role: 'userAdminAnyDatabase', db: 'admin' }
           ],
    writeConcern: { w: "majority" , wtimeout: 5000 }
  }
)

Use Certificate to connect to mongodb server

http://demarcsek92.blogspot.ca/2014/05/mongodb-ssl-setup.html
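The UserNotFound mismatch above comes from typing the subject by hand. As an added example (not from the original post, and not MongoDB's own tooling), the POSIX shell functions below read the $external user name from the client certificate with openssl, refuse a client certificate that collides with the server certificate's O/OU/DC, and print the createUser command. The subjects, the mydb database and the readWrite role are the ones used in this post; demo_x509_user generates throw-away self-signed certificates in a temporary directory. It assumes openssl is in PATH.

```shell
#!/bin/sh
# Added example, not from the original post: derive the exact MongoDB
# $external user name from a client certificate and check the
# "client must differ from server in O/OU/DC" rule before creating the user.
# Assumes openssl in PATH; certificate paths are passed as arguments.

# Subject in RFC 2253 order, which is the string mongod compares against
# the createUser name. Handles both "subject= CN=..." (OpenSSL 1.0) and
# "subject=CN=..." (1.1 and later) output.
x509_mongo_username() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# Only the O, OU and DC components of the subject, one per line, sorted.
x509_org_parts() {
    x509_mongo_username "$1" | tr ',' '\n' | grep -E '^(O|OU|DC)=' | sort
}

# Succeeds when the client certificate differs from the server certificate
# in at least one of O, OU, DC. A client certificate matching the server in
# all three is reserved by mongod for cluster-member authentication, so no
# user must be created for it.
x509_client_distinct_from_server() {
    [ "$(x509_org_parts "$1")" != "$(x509_org_parts "$2")" ]
}

# Emit the mongo shell command with the name taken from the certificate
# rather than typed by hand. $1 = client cert, $2 = database for readWrite.
mongo_x509_create_user_js() {
    user=$(x509_mongo_username "$1")
    printf 'db.getSiblingDB("$external").runCommand({ createUser: "%s", roles: [ { role: "readWrite", db: "%s" } ] })\n' \
        "$user" "$2"
}

# Constructed demo: throw-away self-signed server and client certificates
# with the subjects used in this post (OU=FINANCE server, OU=WS client).
demo_x509_user() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj '/C=CA/ST=ON/L=TORONTO/O=GOWEEKEND/OU=FINANCE/CN=127.0.0.1' >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/client.key" -out "$dir/client.crt" \
        -subj '/C=CA/ST=ON/L=TORONTO/O=GOWEEKEND/OU=WS/CN=127.0.0.1' >/dev/null 2>&1
    if x509_client_distinct_from_server "$dir/server.crt" "$dir/client.crt"; then
        mongo_x509_create_user_js "$dir/client.crt" mydb
    else
        echo "refusing: client certificate matches the server O/OU/DC" >&2
    fi
    rm -rf "$dir"
}

command -v openssl >/dev/null 2>&1 && demo_x509_user
```

Run it with the real client.pem and server certificate in place of the demo files; the printed command can be pasted into the mongo shell as is, and the name it contains is guaranteed to be the one mongod will see on the next connection.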

SVN: pre-commit hook in svn: could not be translated from the native locale to UTF-8

This is mod_dav_svn running under httpd with a non-UTF-8 locale (usually C). Add the line below to httpd.conf (Subversion 1.8 or later) and restart httpd:

SVNUseUTF8 on

Thursday, March 23, 2017

WebSphere 8.5 and 9.0 Silent Installation

1. Record Response File

Run Installation Manager in record mode; -skipInstall writes the choices into the response file without installing anything (the comment block is from the response-file template):

#   Windows = IBMIM.exe -record c:\temp\responsefiles\WASv85.install.Win32.xml
#     -skipInstall c:\temp\skipInstall\WebSphere_Temp_Registry
#   Linux or UNIX = ./IBMIM -record /home/user/responsefiles/WASv85.install.RHEL64.xml
#     -skipInstall /home/user/skipInstall/WebSphere_Temp_Registry

If the response file references a repository credential (a secure-storage file and its master password file), keep all three files readable by the installing user only.

2. Install

#   Windows = imcl.exe -acceptLicense -showProgress
#     input <response_file_path_and_name> -log <log_file_path_and_name>
#   Linux, UNIX, IBM i and z/OS = ./imcl -acceptLicense -showProgress
#     input <response_file_path_and_name> -log <log_file_path_and_name>
#
# For example:
#   Windows = imcl.exe -acceptLicense -showProgress
#     input c:\temp\responsefile\WASv85.install.Win32.xml
#   Linux, UNIX, IBM i and z/OS = ./imcl -acceptLicense -showProgress
#     input /home/user/responsefile/WASv85.install.RHEL64.xml

Tuesday, March 21, 2017

Remove SeLinux attribute on files or folders

setfattr -h -x security.selinux /tmp

This strips the label instead of correcting it, leaving the path unlabeled. The supported fix for a mislabeled path is restorecon -Rv <path>, which reapplies the label the policy expects; do not strip /tmp on a system where SELinux is enforcing.

Disable PrivateTmp for Apache in REDHAT

https://www.reddit.com/r/Fedora/comments/35bsym/how_do_i_disable_privatetmp_for_apache/

PrivateTmp=true gives httpd its own /tmp and /var/tmp. That is what breaks scripts expecting to share files with other services through /tmp, and also what keeps other local users from planting symlinks in httpd's temp directory. If it has to go, do not edit /usr/lib/systemd/system/httpd.service (package updates overwrite it); put the override in /etc/systemd/system/httpd.service.d/override.conf, then run systemctl daemon-reload and restart httpd:

[Service]
PrivateTmp=false

Tuesday, March 14, 2017

Install Microsoft Driver for unixODBC

Problem:
[unixODBC][Driver Manager]Data source name not found, and no default driver specified (SQL-IM002)
No DBI connect:[unixODBC][Driver Manager]Data source name not found, and no default driver specified (SQL-IM002) at xxxxxxx line 17.

SQL-IM002 is the Driver Manager saying it could not turn the DSN in the connect string into a driver library. Either the DSN is not in an odbc.ini it reads for this user (the system file /etc/odbc.ini or the connecting user's ~/.odbc.ini; a DSN that only exists in root's file is invisible to the web user), or the DSN's Driver= names a section that does not exist in /etc/odbcinst.ini. Check both, as the user that actually connects.

Solution:
http://www.perlmonks.org/?node_id=1033737

First confirm DBD::ODBC itself is installed (the DBD::PO and DBD::Log errors in the listing are unrelated broken modules):

perl -MDBI -e 'DBI->installed_versions'

[root@goweek01 tds]# perl -MDBI -e 'DBI->installed_versions'
  Perl            : 5.024001    (x86_64-linux-thread-multi)
  OS              : linux       (4.10.0-0.rc4.git0.2.fc26.x86_64)
  DBI             : 1.636
  DBD::Sponge     : 12.010003
  DBD::Pg         : 3.5.3
  DBD::PO         : install_driver(PO) failed: Global symbol "@A" requires explicit package name (did you forget to declare "my @A"?) at /usr/local/share/perl5/DBD/PO/Locale/PO.pm line 291, <DATA> line 755.
Compilation failed in require at /usr/local/share/perl5/DBD/PO/Text/PO.pm line 11, <DATA> line 755.
BEGIN failed--compilation aborted at /usr/local/share/perl5/DBD/PO/Text/PO.pm line 11, <DATA> line 755.
Compilation failed in require at /usr/local/share/perl5/DBD/PO/dr.pm line 10, <DATA> line 755.
BEGIN failed--compilation aborted at /usr/local/share/perl5/DBD/PO/dr.pm line 10, <DATA> line 755.
Compilation failed in require at /usr/local/share/perl5/DBD/PO.pm line 12, <DATA> line 755.
BEGIN failed--compilation aborted at /usr/local/share/perl5/DBD/PO.pm line 12, <DATA> line 755.
Compilation failed in require at (eval 53) line 3, <DATA> line 755.

 at -e line 1.

  DBD::Oracle     : 1.74
  DBD::ODBC       : 1.56
  DBD::Multi      : 0.18
  DBD::Mock       : 1.45
  DBD::Log        : DBD::Log initialisation failed: Can't call method "driver" without a package or object reference at /usr/local/share/perl5/DBD/Log.pm line 219, <DATA> line 755.
 at -e line 1.

  DBD::LDAP       : 0.22
  DBD::Gofer      : 0.015327
  DBD::File       : 0.44
  DBD::ExampleP   : 12.014311
  DBD::DBM        : 0.08

Where unixODBC looks, as root:

[root@goweek01 tds]# odbcinst -j
unixODBC 2.3.4
DRIVERS............: /etc/odbcinst.ini
SYSTEM DATA SOURCES: /etc/odbc.ini
FILE DATA SOURCES..: /etc/ODBCDataSources
USER DATA SOURCES..: /root/.odbc.ini
SQLULEN Size.......: 8
SQLLEN Size........: 8
SQLSETPOSIROW Size.: 8

DSNs visible to root (no MSSQLprod here):

[root@goweek01 etc]# odbcinst -q -s
[SQLdev]
[classdata]
[mssqldev]

The same two commands as the web user. The user data source file is /home/goweekendweb/.odbc.ini, and that is where MSSQLprod is defined, so it exists for this user only:

-bash-4.3$ odbcinst -j
unixODBC 2.3.4
DRIVERS............: /etc/odbcinst.ini
SYSTEM DATA SOURCES: /etc/odbc.ini
FILE DATA SOURCES..: /etc/ODBCDataSources
USER DATA SOURCES..: /home/goweekendweb/.odbc.ini
SQLULEN Size.......: 8
SQLLEN Size........: 8
SQLSETPOSIROW Size.: 8

Contents of /home/goweekendweb/.odbc.ini:

[MSSQLprod]
Driver          = SQLServer
Description     = goweekendWeb production
Server          = classdata.toronto.ca
TDS_Version     = 7.0
Database        = goweekendWeb

TDS_Version is a FreeTDS key and is ignored by the Microsoft driver. Driver = SQLServer must match a section name in /etc/odbcinst.ini.

-bash-4.3$ odbcinst -q -s
[MSSQLprod]
[SQLdev]
[classdata]
[mssqldev]

System DSNs:

[root@goweek01 parks]# cat /etc/odbc.ini
[SQLdev]
Driver          = SQLServer
Description     = goweekendWeb Dev
Server          = mssds152q.goweekend.ca
Database        = goweekendWeb
Trace           = Yes
TraceFile       = /var/tmp/sqlserver.log

Trace/TraceFile turn on ODBC call tracing, which records statement text and parameter values, and the trace file sits in world-writable /var/tmp where any local user can read or pre-create it. Remove both lines once the connection works.

Registered drivers. The DSNs above resolve only once the [SQLServer] section exists: the name in square brackets is what Driver = SQLServer refers to, and its Driver= must be the library the Microsoft package actually installed (check the path with ls -l):

[root@goweek01 parks]# cat /etc/odbcinst.ini
[PostgreSQL]
Description=ODBC for PostgreSQL
Driver=/usr/lib/psqlodbcw.so
Setup=/usr/lib/libodbcpsqlS.so
Driver64=/usr/lib64/psqlodbcw.so
Setup64=/usr/lib64/libodbcpsqlS.so
FileUsage=1

[MySQL]
Description=ODBC for MySQL
Driver=/usr/lib/libmyodbc5.so
Setup=/usr/lib/libodbcmyS.so
Driver64=/usr/lib64/libmyodbc5.so
Setup64=/usr/lib64/libodbcmyS.so
FileUsage=1

[SQLServer]
Description=Microsoft ODBC Driver 13 for SQL Server
Driver=/opt/microsoft/msodbcsql/lib64/libmsodbcsql-13.1.so.4.0
UsageCount=1
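To make the DSN-to-driver check above repeatable, here is an added example (not from the original post, and not part of unixODBC) in POSIX shell and awk. check_odbc_dsns resolves every DSN's Driver= against odbcinst.ini the way the Driver Manager does and reports which DSNs would produce SQL-IM002 (unregistered driver name) and which are registered but point at a library that is not on disk. The file names, DSN names and the libmsodbcsql path are taken from this post; FreeTDS as a driver name and the psqlodbcw-not-installed.so path are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: resolve every DSN's "Driver="
# against odbcinst.ini the way the unixODBC Driver Manager does before it
# reports SQL-IM002, and say which DSNs would fail and why.
# Assumes only POSIX sh and awk. Both ini paths are arguments, so the same
# function can be run against /etc/odbc.ini and against ~/.odbc.ini.

# Prints one line per DSN: "<dsn> <driver> <status>", where status is
#   ok              driver section exists and its library is readable
#   missing-driver  no [<driver>] section in odbcinst.ini (the SQL-IM002 case)
#   missing-lib     section exists but its Driver/Driver64 path is not on disk
check_odbc_dsns() {
    awk -v inst="$2" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN {
            # Pass 1: registered drivers -> library path. Driver64 wins over Driver.
            while ((getline line < inst) > 0) {
                sub(/[ \t]*[#;].*$/, "", line)
                if (line ~ /^[ \t]*\[/) { sec = trim(line); gsub(/^\[|\]$/, "", sec); continue }
                eq = index(line, "=")
                if (eq == 0) continue
                key = trim(substr(line, 1, eq - 1)); val = trim(substr(line, eq + 1))
                if (key == "Driver64") lib[sec] = val
                else if (key == "Driver" && !(sec in lib)) lib[sec] = val
            }
            close(inst)
        }
        # Pass 2: the DSN file given on the command line.
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { dsn = trim($0); gsub(/^\[|\]$/, "", dsn); next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            if (trim(substr($0, 1, eq - 1)) != "Driver") next
            val = trim(substr($0, eq + 1))
            # A DSN may name the shared object directly instead of a section.
            path = (val ~ /^\//) ? val : ((val in lib) ? lib[val] : "")
            if (path == "") status = "missing-driver"
            else if (system("test -r \"" path "\"") != 0) status = "missing-lib"
            else status = "ok"
            printf "%s %s %s\n", dsn, val, status
        }
    ' "$1"
}

# Constructed demo data, modelled on the DSNs in this post. FreeTDS is left
# unregistered on purpose to reproduce SQL-IM002, and PostgreSQL points at
# a library that is not installed.
demo_odbc_check() {
    dir=$(mktemp -d)
    : > "$dir/libmsodbcsql-13.1.so.4.0"   # stand-in for the real driver library
    cat > "$dir/odbcinst.ini" <<EOF
[SQLServer]
Description=Microsoft ODBC Driver 13 for SQL Server
Driver=$dir/libmsodbcsql-13.1.so.4.0
UsageCount=1

[PostgreSQL]
Description=ODBC for PostgreSQL
Driver=/usr/lib/psqlodbcw.so
Driver64=$dir/psqlodbcw-not-installed.so
EOF
    cat > "$dir/odbc.ini" <<EOF
[MSSQLprod]
Driver          = SQLServer
Server          = classdata.toronto.ca
Database        = goweekendWeb

[SQLdev]
Driver          = FreeTDS
Server          = mssds152q.goweekend.ca

[pgdev]
Driver          = PostgreSQL
EOF
    check_odbc_dsns "$dir/odbc.ini" "$dir/odbcinst.ini"
    rm -rf "$dir"
}

demo_odbc_check
```

On a real host run check_odbc_dsns /etc/odbc.ini /etc/odbcinst.ini as root and then check_odbc_dsns ~/.odbc.ini /etc/odbcinst.ini as the web user; a DSN that shows up in one run and not the other is the per-user visibility problem described above, and missing-driver is exactly the case that produces SQL-IM002.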


Thursday, March 2, 2017

IBM HTTP Server: Startup FAQ and mustgather

http://publib.boulder.ibm.com/httpserv/ihsdiag/gather_startup_doc.html#SOLGSKIT2

From the IBM document: on some Solaris/SPARC systems manufactured by Fujitsu, GSKit can hang during startup. To resolve the issue, take the following two steps:

  • Upgrade GSKit to 8.0.50.61 or later (8.5.5.10, 8.0.0.13, or older fixpacks with PI60207)
  • Specify SSLAttributeSet 4007 1 to prevent the FIPS certified ICC 8.4 from being loaded. Note: If using SSLFIPSEnable, you must also opt in to using a non-certified cryptographic module with environment variable ICC_IGNORE_FIPS=YES
    Some other instructions may refer to removing a "C/" directory from the GSKit lib directory. This should have the same result as SSLAttributeSet 4007 1 -- disabling the initialization of the FIPS certified cryptographic module inside of GSKit. There is always a 2nd, non-certified cryptographic module that can be used.

Append the line below at the end of httpd.conf:

    SSLAttributeSet 4007 1

You may need to reboot the server.

Both workarounds make IHS run on the non-certified ICC module; if the server is required to operate in FIPS mode, neither is acceptable and the GSKit upgrade is the only fix.

I tried "SSLAttributeSet 4007 1"; it did not fix the problem. Then I deleted the "C/" directory from the GSKit lib directory, and it worked.

Monday, February 27, 2017

CMS type missed in ikeyman - IBM HTTP Server 9.0

ikeyman only offers the CMS key database type when the CMS provider is registered in the JVM it runs under. In Linux, point it at the JRE bundled with IHS:
export JAVA_HOME=/opt/IBM/HTTPServer/java/8.0/jre
export PATH=/opt/IBM/HTTPServer/java/8.0/jre/bin:$PATH

Add the line below to /opt/IBM/HTTPServer/java/8.0/jre/lib/security/java.security, using the next unused provider index (10 here; check the existing security.provider.N lines first, since a duplicate index silently replaces a provider):

security.provider.10=com.ibm.security.cmskeystore.CMSProvider

Friday, February 17, 2017

bash: /sbin/reboot: Input/output error

Reference: http://www.linuxjournal.com/content/rebooting-magic-way

    # reboot
    bash: /sbin/reboot: Input/output error

The root filesystem (or the disk under it) has gone away, so the reboot binary cannot even be read. The "magic SysRq key" provides a way to send commands directly to the kernel through the /proc filesystem. It is enabled via a kernel compile-time option, CONFIG_MAGIC_SYSRQ, which is standard on most distributions. First activate the magic SysRq option. The value is a bitmask: 1 enables every SysRq function, including the ones reachable from a keyboard or serial console, while 128 enables only reboot/poweroff, which is all this needs. On current kernels the mask only gates the keyboard path and root's writes to /proc/sysrq-trigger are always honoured, so this step is for older kernels:
    echo 128 > /proc/sys/kernel/sysrq
When you are ready to reboot the machine, run the following:
    echo b > /proc/sysrq-trigger
If the disk is still partly writable, emergency sync (s) and remount read-only (u) before b reduce filesystem damage; with an I/O error like the one above they will most likely hang, so go straight to b.

Wednesday, February 15, 2017

Setup PHP Server

http://www.oracle.com/technetwork/articles/dsl/technote-php-instant-12c-2088811.html

# yum install httpd httpd-devel
# yum install php php-devel

Setup proxy for pecl

# yum install php-pear
# pear config-set http_proxy http://username:xxxxx@proxy.goweekend.ca:8888

The proxy password is stored in clear in the pear configuration file and, written this way, in the shell history as well; use a dedicated proxy account for build hosts rather than a personal one.

Troubleshooting

PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/oci8.so' - libclntsh.so.12.1: cannot enable executable stack as shared object requires: Permission denied in Unknown on line 0

File permissions are not the cause:

-rwxr-xr-x. 1 root root  575176 Feb 15 14:12 oci8.so

The trailing dot in the ls output marks an SELinux label, and the denial is SELinux refusing httpd an executable stack because libclntsh.so.12.1 is flagged as requiring one. What worked here was stripping the labels, run from the directory holding the Oracle client libraries:

# find . -print0 |xargs -0 -n 1 setfattr -h -x security.selinux

A more targeted fix is to clear the flag on the library itself (execstack -c libclntsh.so.12.1) or to allow it with the httpd_execmem boolean, and leave the labels alone.

Install Mongodb and OCI8 Extension

Build tools and headers required before pecl can compile the extensions:
# dnf install gcc* -y
# dnf -y install re2c
# dnf -y install openssl-devel
# pecl install oci8
# pecl install mongodb

add "extension=mongodb.so" to /etc/php.ini

# dnf -y install openldap-clients mod_ldap openldap-devel openldap
# yum install php-ldap
# yum install mod_ssl openssl

# yum install mailx
# yum install sendmail

Add the snippet below to /etc/php.ini. The OCI8 key is oci8.connection_class (php.ini section headers are cosmetic; the key still needs its prefix), and mongodb.debug turns on driver tracing, which includes connection strings, so leave it unset on a production host:

[OCI8]
oci8.connection_class = MyApp
extension_dir=/usr/lib64/php/modules
extension=mongodb.so
mongodb.debug=DEBUG

extension=oci8.so

Thursday, February 9, 2017

PHP OCI8 Using Oracle Wallet

http://www.c2b2.co.uk/middleware-blog/how-to-configure-php-to-use-the-oracle-wallet.php

Wednesday, February 8, 2017

Initialize LDOM Host

Create the control domain's virtual console concentrator, virtual disk service and virtual switch, then size the primary domain and save the configuration to the service processor:

# ldm add-vcc port-range=5000-5100 primary-vcc0 primary
# ldm add-vds primary-vds0 primary
# ldm add-vsw net-dev=vaggr1 primary-vsw0 primary

# ldm set-vcpu 4 primary
# ldm set-memory 1g primary
# ldm set-domain extended-mapin-space=on primary
# ldm add-config initial
# ldm list-config
factory-default [current]
initial [next]
# shutdown -y -g0 -i6

Enable vntsd. svcadm enable also starts the service (svcadm has no start subcommand); the vntsd daemon serves guest consoles on the vcc port range and listens on localhost only by default (vntsd/listen_addr). Keep it that way and reach consoles through ssh to the control domain.
#  svcs -l vntsd
# svcadm enable vntsd
# svcs vntsd

https://docs.oracle.com/cd/E38405_01/html/E38406/maximizenetperftask.html

Thursday, January 26, 2017

Svn: E155037: Previous operation has not finished; run 'cleanup' if it was interrupted

  1. Back up the working copy (at least .svn/wc.db) before touching it
  2. Install sqlite if not installed already: yum install sqlite
  3. Change directory to the workspace root, and then into .svn
  4. Inspect the pending work queue in wc.db: sqlite3 wc.db "select * from work_queue"
  5. Clear the work queue: sqlite3 wc.db "delete from work_queue"
  6. At workspace root level, run command: svn cleanup

Friday, January 13, 2017

Mount NFS Share for Oracle Database

ORA-27054: NFS file system where the file is created or resides is not mounted with correct options

Oracle checks the mount options of an NFS file system before it will place datafiles or backups on it (hard, noac and proto=tcp among them) and raises ORA-27054 if any is missing. The options below satisfy that check:

mount -o hard,rw,noac,rsize=32768,wsize=32768,suid,proto=tcp,vers=3 mynfsserver.goweekend.com:/myshare /mnt

Thursday, January 12, 2017

Install Homebrew and GDB on Mac

Reference: https://www.ics.uci.edu/~pattis/common/handouts/macmingweclipse/allexperimental/mac-gdb-install.html

The Homebrew installer is a script fetched from GitHub and executed directly; download it first, read it, and only then run it rather than piping it straight into ruby:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
brew install gdb

On macOS, gdb cannot attach to or launch processes until the binary is code-signed with a certificate the system trusts for code signing (a self-signed one created in Keychain Access is enough).