Solaris 10 bulk password setting via sed

We have a client that likes to generate their own /etc/shadow password hashes and have us assign them to a bulk list of their userids. That way they never have to hand a plain-text password to us, their hosting provider. We are in the process of moving this client onto our LDAP configuration, but until they are converted every machine is managed individually, and I wasn't thrilled about spending an entire day in vi editing the shadow file on more than 50 servers for 17 userids on each server.

Prior to Solaris 10 this was easy enough to script, since the traditional crypt(3c) hashes use a limited character set. For Solaris 10 I needed a version that copes with the "$" (and "/") in the new-style hashes. I got it working on the command line first and then had to adjust it slightly for the script. The only wrinkle is that inside double quotes the shell expands "$1", "$aQmSf" and "$CBSTF10TXrvpOe" as variables before sed ever sees the string ("$1" is the userid you passed to the script, the other two are empty), so the line in the script that holds the hash must either escape every occurrence of "$" with "\" or use single quotes, which do no expansion at all.

For example, if the client sends you the hash "$1$aQmSf/ZM$CBSTF10TXrvpOe..OaCtH/" (the leading "$1$" marks an MD5 crypt hash and "aQmSf/ZM" is the salt; the rest is the hash itself), set the script's variable like this:

PASSWD="\$1\$aQmSf/ZM\$CBSTF10TXrvpOe..OaCtH/"

or, equivalently, with single quotes:

PASSWD='$1$aQmSf/ZM$CBSTF10TXrvpOe..OaCtH/'

I added a few idiot checks to the script, since wiping out your /etc/shadow file is never a fun thing to explain to the boss. Feel free to tweak this if you can think of any other ways to streamline it or any additional checks. Please also note that while this script cleans up after itself in the /root/scripts working directory, it leaves a time-stamped copy of /etc/shadow in /etc in case you need to roll back your changes. Since "cp -p" preserves the file's restrictive mode, the copy is no more readable than the original, but remember to clear those copies out once the change has been verified.

#!/usr/bin/bash

# Check for userid

if [ -z "$1" ]
then
    echo " Usage: pwchange.sh <userid>"
    exit 1
fi

DATE=$(date +%m%d%y%H%M%S)
USER=$1

# Anchor on "userid:" at the start of the line so that "bob" cannot match
# "bobby" or "bob2", and so that a hash which happens to contain the userid
# is never matched.
OLDPW=$(grep "^${USER}:" /etc/shadow | cut -f 2 -d ":")
USERCK=$(grep -c "^${USER}:" /etc/shadow)

# Check if userid exists in /etc/shadow.

if [ "$USERCK" -lt 1 ]
then
    echo "No users matching $USER"
    exit 1
fi

# Check if multiple userids exist. If there are, fail out.

if [ "$USERCK" -gt 1 ]
then
    echo "Multiple users matching $USER"
    exit 1
fi

# Single quotes: in double quotes the shell would expand $1, $aQmSf and
# $CBSTF10TXrvpOe as variables (escape each $ as \$ if you must use them).
PASSWD='$1$aQmSf/ZM$CBSTF10TXrvpOe..OaCtH/'

# Check if the password has already been set to this hash.

if [ "$OLDPW" = "$PASSWD" ]
then
    echo "Password already matches for $USER"
    exit 0
fi

echo "Setting password for $USER"

/usr/bin/cp -p /etc/shadow /etc/shadow.$DATE
/usr/bin/cp -p /etc/shadow /root/scripts/shadow
# Replace the whole password field of the matching line instead of searching
# for the old hash, whose "." and "$" are regex metacharacters. "|" is the
# s/// delimiter because the hash contains "/"; sed takes "$" in the
# replacement literally.
/usr/bin/sed -e "/^${USER}:/s|^\([^:]*\):[^:]*:|\1:${PASSWD}:|" /root/scripts/shadow > /etc/shadow
/usr/bin/rm /root/scripts/shadow
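As an added example (my own code, not the pwchange.sh above or anything from the original post), here is the same change done for a whole list of userid:hash pairs with awk instead of grep and sed. awk compares the first field as a whole string, so a userid can never match a longer userid or a piece of somebody's hash, and the hash is passed in with -v, so "$", "/" and "." in it are never treated as shell or regex metacharacters. It assumes an awk that accepts -v: on Solaris 10 that means /usr/bin/nawk or /usr/xpg4/bin/awk, because /usr/bin/awk does not (the AWK variable selects it); the shadow lines and hashes it runs on are constructed for the demonstration.

```bash
#!/usr/bin/bash
# Added example, not the pwchange.sh from the post: apply a list of
# userid:hash pairs to a shadow file with awk instead of grep/sed.
#
# Assumption: $AWK accepts -v. On Solaris 10 /usr/bin/awk does not, so run
# with AWK=/usr/bin/nawk (or /usr/xpg4/bin/awk); on Linux plain awk is fine.
AWK=${AWK:-awk}

# get_shadow_hash <shadowfile> <userid>: print the password field of userid.
get_shadow_hash() {
    "$AWK" -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# set_shadow_hash <shadow-in> <shadow-out> <userid> <hash>
# Write shadow-in to shadow-out with userid's password field replaced.
# Returns 2 if userid is absent, 3 if it occurs more than once.
set_shadow_hash() {
    local in="$1" out="$2" user="$3" hash="$4" n
    # Whole-field comparison: "bob" cannot match "bobby", and a hash that
    # happens to contain the userid is never looked at.
    n=$("$AWK" -F: -v u="$user" '$1 == u { c++ } END { print c + 0 }' "$in")
    if [ "$n" -eq 0 ]; then
        echo "No users matching $user" >&2
        return 2
    elif [ "$n" -gt 1 ]; then
        echo "Multiple users matching $user" >&2
        return 3
    fi
    # The hash travels through -v, so "$", "/" and "." are never shell or
    # regex metacharacters. (-v does process backslash escapes, but crypt
    # hashes contain only ./0-9A-Za-z and $.) OFS=":" keeps all 9 fields.
    "$AWK" -F: -v u="$user" -v h="$hash" \
        'BEGIN { OFS = ":" } $1 == u { $2 = h } { print }' "$in" > "$out"
}

# apply_hash_list <shadow-in> <shadow-out> <listfile>
# listfile holds one "userid:hash" per line as the client sends them. Bad
# entries are reported and skipped; returns 1 if any entry was skipped.
apply_hash_list() {
    local in="$1" out="$2" list="$3" rc=0 user hash
    cp -p "$in" "$out"
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue           # skip blank lines
        if set_shadow_hash "$out" "$out.tmp" "$user" "$hash"; then
            cat "$out.tmp" > "$out"          # keep $out's inode and mode
        else
            rc=1
        fi
        rm -f "$out.tmp"
    done < "$list"
    return $rc
}

# Demonstration on a constructed shadow file and hash list (not real data).
demo() {
    local d
    d=$(mktemp -d)
    printf '%s\n' 'root:NP:6445::::::' 'bob:NP:6445::::::' \
        'bobby:NP:6445::::::' > "$d/shadow"
    printf '%s\n' 'bob:$1$aQmSf/ZM$CBSTF10TXrvpOe..OaCtH/' \
        'bobby:$1$Xy5hE/yK$hr0yvTkHNYI8ZJ0Y0yTlc.' \
        'nosuch:$1$Xy5hE/yK$hr0yvTkHNYI8ZJ0Y0yTlc.' > "$d/list"
    apply_hash_list "$d/shadow" "$d/shadow.new" "$d/list" \
        || echo "at least one entry was skipped"
    cat "$d/shadow.new"
    rm -rf "$d"
}
demo
```

On a real server run it against a copy first: "set_shadow_hash /etc/shadow /root/scripts/shadow.new bob '<hash>'", diff the result against /etc/shadow, and only then copy it into place after taking the time-stamped backup. The temporary file is cat'ed over the target rather than mv'ed for the same reason the script above redirects into /etc/shadow: that keeps the 0400 root-owned file's inode and mode, whereas mv would leave the shadow file with the temporary file's mode.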


boot net:speed=100,duplex=full - install

This is a gem for jumpstarting. Usually people have a begin script that sets the interface to 100M full duplex, but this sets the interface immediately at boot time. It speeds things up a bit and makes the jumpstart server easier to configure. For more information see EXAMPLES in boot(1m).

Setting ce driver parameters with ce.conf

I am starting to run into situations where I need 100M full duplex on one ce interface but 1000M auto-negotiate on another. To put it bluntly, this is a chore. I have done it a few times over the last year but never remember the steps. I am sure there are some decent docs out there, but I have pieced this together from the documentation, which was wrong at one point. What you need to do is unambiguously identify the exact PCI device in order to give it different parameters. Otherwise it is easy: to force every ce interface on the box to 100M full duplex, you just add the following to /platform/sun4u/kernel/drv/ce.conf:

adv_autoneg_cap=0 \
adv_1000fdx_cap=0 \
adv_1000hdx_cap=0 \
adv_100fdx_cap=1 \
adv_100hdx_cap=0 \
adv_10fdx_cap=0 \
adv_10hdx_cap=0;

Of course you can use ndd in an rcX.d script to set these parameters, but Sun is quick to point out in the documentation that this is not supported. I have always viewed the conf files as the best practice anyway.

NOTE: The following should work exactly the same for bge devices
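As an added example (not the post's own configuration, and not the elided remainder of the entry), this is what a per-device entry looks like under the driver.conf(4) rules, which is the "unambiguous identification" the post refers to: name, parent and unit-address pin the properties to one device node, and an entry runs until the ";" (newlines are ordinary whitespace in driver.conf). The device paths, unit addresses and the "pci108e,abba" name below are placeholders I have assumed; take the real ones from "grep ce /etc/path_to_inst" and from the compatible property in "prtconf -v" on the box itself. The change is picked up at the next boot.

```text
# /platform/sun4u/kernel/drv/ce.conf  (added example; identifiers are placeholders)
#
# Assumed /etc/path_to_inst lines on this box:
#   "/pci@1c,600000/network@2" 0 "ce"    <- ce0: leave at 1000M auto-negotiate
#   "/pci@1d,700000/network@2" 1 "ce"    <- ce1: force 100M full duplex
#
# parent is the device path without its last component; unit-address is the
# number after the "@" in that last component. Nothing here touches ce0,
# which keeps the driver defaults.

name="pci108e,abba" parent="/pci@1d,700000" unit-address="2"
adv_autoneg_cap=0
adv_1000fdx_cap=0
adv_1000hdx_cap=0
adv_100fdx_cap=1
adv_100hdx_cap=0
adv_10fdx_cap=0
adv_10hdx_cap=0;
```

If a second interface needs its own settings, it gets its own entry with its own parent and unit-address; the global form from the post (no name/parent/unit-address) applies to every ce instance that has no specific entry.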


Brightmail ControlCenter not updating properly

About a week ago I noticed that Brightmail was no longer sending me daily reports telling me how many messages came in, what percentage was spam, virus, etc. so I finally got around to looking into it. Turns out the ControlCenter within Brightmail was no longer updating so it was not showing updates for virus or spam definition files, nor was it tracking how many messages were handled. I searched their online knowledgebase, but it’s not very user friendly. After a call to their support center I got the instructions I needed to get the ControlCenter updating again. Here are the steps I took:

# cd /opt/symantec/sbas/ControlCenter/MySQL/mysql-pro-4.0.16-sun-solaris2.8-sparc/bin

NOTE: this is the default install directory. If you installed in a non-standard place you will need to replace the above path with your install directory

# ./mysqlcheck -h 127.0.0.1 --auto-repair -ubrightmailuser -ppassword brightmail

The password can be obtained by looking for the password attribute in:

/opt/symantec/sbas/ControlCenter/Tomcat/jakarta-tomcat-4.1.27/conf/server.xml

Note that a password given as -ppassword is visible to every user on the box in ps output while mysqlcheck runs; giving -p on its own makes mysqlcheck prompt for it instead. I generally redirect the output of this command to a text file, although it is of very little actual value:

# ./mysqlcheck -h 127.0.0.1 --optimize -ubrightmailuser -ppassword brightmail
# /etc/init.d/tomcat4 stop
# /etc/init.d/mysql.server stop
# /etc/init.d/mailwall stop
# /etc/init.d/mysql.server start
# /etc/init.d/mailwall start
# /etc/init.d/tomcat4 start

I was able to then restart the ControlCenter and log in, and I found all of my information was once again updating correctly and I am able to pull reports on the messages that have been scanned.

Veritas 4.1 encapsulation problem on V445

I installed VxVM 4.1 dozens of times and never had an issue until today. I rebooted after encapsulating the disk and see this:

VxVM vxvm-reconfig ERROR V-5-2-337 The encapsulation of the Boot Disk failed.
VxVM vxvm-reconfig NOTICE V-5-2-393 The system will now be rebooted.

The problem is a bad line in /usr/lib/vxvm/bin/vxroot. This bug caused my system to boot without the following lines in /etc/system:

rootdev:/pseudo/vxio@0:0
set vxio:vol_rootdev_is_volume=1

So I had to boot off the network, mount up the drive and add them to /etc/system. After that everything worked fine. I found the answers here. In the future you should be able to edit vxroot before you boot. You might want to make it part of your jumpstart finishing script.

Creating a Jumpstart server from Solaris 9 ISOs

Did you know you can just download ISO images from Sun and mount them over a loopback device? I usually don't need to do this because someone has the CD images, but today I needed the new Solaris 9 09/05 HW release for the V445 I am working on. I mounted the ISO:

# lofiadm -a /jumpstart/sol-9-905hw-ga-sparc-v1.iso
# mount -F hsfs /dev/lofi/1 /mnt

I run the jumpstart setup script out of Tools and get this:

# ./setup_install_server /jumpstart/OS/t
ERROR: Install boot image /mnt/Solaris_9/Tools/Boot does not exist
Check that boot image exists, or use [-t] to
specify a valid boot image elsewhere.

It turns out that the ISO has two slices in it. There is a nice guide here on how to do it.