Monday, November 27, 2006

SCSI Sense Keys

KEY   DESCRIPTION

0h    NO SENSE
      There is no specific sense key information to be reported for the designated logical unit. This would be the case for a successful command or a command that received CHECK CONDITION or COMMAND TERMINATED status because one of the filemark, EOM, or ILI bits is set to one.

1h    RECOVERED ERROR
      The last command completed successfully with some recovery action performed by the target. Details may be determined by examining the additional sense bytes and the information field.

2h    NOT READY
      The logical unit addressed cannot be accessed. Operator intervention may be required to correct this condition.

3h    MEDIUM ERROR
      The command terminated with a non-recovered error condition that was probably caused by a flaw in the medium or an error in the recorded data. This sense key may also be returned if the target is unable to distinguish between a flaw in the medium and a specific hardware failure (sense key 4h).

4h    HARDWARE ERROR
      The target detected a non-recoverable hardware failure while performing the command or during self test.

5h    ILLEGAL REQUEST
      There was an illegal parameter in the command descriptor block or in the additional parameters supplied as data for some commands. If the target detects an invalid parameter in the command descriptor block, then it shall terminate the command without altering the medium. If the target detects an invalid parameter in the additional parameters supplied as data, then the target may have already altered the medium. This sense key may also indicate that an invalid IDENTIFY message was received.

6h    UNIT ATTENTION
      The removable medium may have been changed or the target has been reset.

7h    DATA PROTECT
      A command that reads or writes the medium was attempted on a block that is protected from this operation.

8h    BLANK CHECK
      A write-once device or a sequential-access device encountered blank medium or a format-defined end-of-data indication while reading, or a write-once device encountered a non-blank medium while writing.

9h    VENDOR SPECIFIC
      This key is available for reporting vendor specific conditions.

Ah    COPY ABORTED
      A COPY, COMPARE, or COPY AND VERIFY command was aborted due to an error condition on the source device, the destination device, or both.

Bh    ABORTED COMMAND
      The target aborted the command. The initiator may be able to recover by trying the command again.

Ch    EQUAL
      A SEARCH DATA command has satisfied an equal comparison. (Obsolete in later SCSI standards.)

Dh    VOLUME OVERFLOW
      A buffered peripheral device has reached the end-of-partition and data may remain in the buffer that has not been written to the medium.

Eh    MISCOMPARE
      The source data did not match the data read from the medium.

Fh    RESERVED
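A decoder for the table above, written for this page as an added example rather than anything from the original post. Given a raw sense buffer (the bytes the target returns with CHECK CONDITION) it pulls out the sense key, ASC and ASCQ for both the fixed format (response codes 70h/71h) and the descriptor format (72h/73h), and for the fixed format also reports the filemark, EOM and ILI bits that make a NO SENSE key worth a second look. The byte offsets are the standard SCSI ones; the sample buffers are constructed, not captured from a device.

```shell
#!/bin/sh
# Added example (not from the original page): decode the sense key out
# of a raw SCSI sense buffer, i.e. the bytes a target hands back with
# CHECK CONDITION.  Handles the fixed format (response code 70h/71h:
# key in byte 2, ASC/ASCQ in bytes 12/13) and the descriptor format
# (72h/73h: key in byte 1, ASC/ASCQ in bytes 2/3).  The buffer is given
# as space-separated hex bytes, the way a driver trace prints it.
# Sample buffers below are constructed, not captured.

sense_key_name() {
    case "$1" in
        0)  echo "NO SENSE" ;;
        1)  echo "RECOVERED ERROR" ;;
        2)  echo "NOT READY" ;;
        3)  echo "MEDIUM ERROR" ;;
        4)  echo "HARDWARE ERROR" ;;
        5)  echo "ILLEGAL REQUEST" ;;
        6)  echo "UNIT ATTENTION" ;;
        7)  echo "DATA PROTECT" ;;
        8)  echo "BLANK CHECK" ;;
        9)  echo "VENDOR SPECIFIC" ;;
        10) echo "COPY ABORTED" ;;
        11) echo "ABORTED COMMAND" ;;
        12) echo "EQUAL" ;;
        13) echo "VOLUME OVERFLOW" ;;
        14) echo "MISCOMPARE" ;;
        *)  echo "RESERVED" ;;
    esac
}

# decode_sense "70 00 05 ..." -> "5h ILLEGAL REQUEST ASC=24 ASCQ=00[ flags]"
# Returns 1 on a buffer that is too short or has an unknown response code.
decode_sense() {
    set -- $1                              # split the hex string into positional bytes
    [ $# -ge 4 ] || { echo "decode_sense: short buffer" >&2; return 1; }
    resp=$(( 0x$1 & 0x7f ))                # bit 7 of byte 0 is VALID, not part of the code
    flags=""
    case $resp in
        112|113)                           # 70h current / 71h deferred: fixed format
            [ $# -ge 14 ] || { echo "decode_sense: fixed-format buffer truncated before ASC/ASCQ" >&2; return 1; }
            b2=$(( 0x$3 ))
            key=$(( b2 & 0x0f ))
            [ $(( b2 & 0x80 )) -ne 0 ] && flags="$flags FILEMARK"
            [ $(( b2 & 0x40 )) -ne 0 ] && flags="$flags EOM"
            [ $(( b2 & 0x20 )) -ne 0 ] && flags="$flags ILI"
            asc=${13}; ascq=${14} ;;
        114|115)                           # 72h current / 73h deferred: descriptor format
            key=$(( 0x$2 & 0x0f ))
            asc=$3; ascq=$4 ;;
        *)
            echo "decode_sense: unknown response code $1" >&2; return 1 ;;
    esac
    printf '%Xh %s ASC=%s ASCQ=%s%s\n' "$key" "$(sense_key_name "$key")" "$asc" "$ascq" "$flags"
}

# Stand-alone demo on constructed buffers: sh decode.sh --demo
if [ "${1:-}" = "--demo" ]; then
    decode_sense "70 00 05 00 00 00 00 0a 00 00 00 00 24 00 00 00 00 00"  # ILLEGAL REQUEST, ASC 24h
    decode_sense "f0 00 20 00 00 00 10 0a 00 00 00 00 00 00 00 00 00 00"  # NO SENSE with ILI set
    decode_sense "72 06 29 00 00 00 00 00"                                 # UNIT ATTENTION, ASC 29h
fi
```

A deferred-error response code (71h/73h) decodes the same way but describes an earlier command, typically a write that was acknowledged out of cache; treat it as belonging to the previous I/O, not the one that got the CHECK CONDITION.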


 

Solaris Tips and Tricks

Accounts

 

Solaris 10 allows you to lockout accounts after a certain number of failed logins.

Solaris 10 has new features for managing non-login accounts and locked accounts; handling them is no longer brain-dead.

Backups

 

How can I correct the device paths when replacing a FCAL boot disk after ufsrestoring? (CC)

How can I use fssnap to take file-system snapshots of active UFS file-systems? There was also a Sys Admin article on the subject.

One technique for poor man's disk mirroring using ufsdump/ufsrestore.

Another technique for poor man's disk mirroring that allows the 2nd disk to be usable (read hands off as in no messing with vfstab).

Boot

 

Solaris 10 has a new feature boot -m verbose which allows you to customize boot console output.

Common boot errors and their workarounds. (CC)

In case you ever wanted to know what the heck is going on during the boot process. (CC)

The basics of the boot command.

If you haven't sat down and figured out what all those scripts do, here is an analysis of Solaris 8 Startup Files.

Ever wonder what the box is doing before the banner and OBP prompt is displayed?

CD / CD-R

 

Internal DVD-ROM/CD-ROM SD-C2732 May Return Incorrect Data (CC)

What is the CD-ROM called on this box?

How can I create a bootable CD-ROM for Solaris? Another method.

How to burn things to a CD-R with Solaris 8.

Sun CD-ROM FAQ

Chown

 

How can I allow/prevent users from giving files away to someone else?

Cluster

 

Want to do something to multiple machines at once? Use the Sun Cluster Console Tool. NOTE: you also need the scripts.jar.

Need help with disk contention problems in a "shared" storage configuration?

Cool Commands

 

Peter Baer Galvin has some Cool Commands to help you get your job done faster and easier.

wgrep is a windowing grep that is useful for grabbing X number of lines before and after a match.

CoolThreads servers (T1000/T2000)

 

Here are some great resources for the Sun Fire CoolThreads servers such as kernel params, FAQ, app tuning settings, etc.

Sun Fire T2000 Disk Volume Management Guide shows you how to setup and maintain your hardware RAID 0 and RAID 1 configurations.

Here are the required kernel params for the T2000 server.

T2000 IPGE Ethernet tuning parameters

Richard McDougall has LOTS of links to more CoolThreads info

The CoolThreads Selection Tool allows you to see if your software will be a good candidate for the T1000/T2000.

If you are planning on using the T1000/T2000 to consolidate several other servers, the Consolidation Tool will help simplify Solaris Zone creation, Resource Pools and Psets.

Sun has written several Blueprints articles on the T1000/T2000

The CoolThreads servers come bundled with a FREE cryptographic accelerator.

The CoolThreads FAQ has lots of good info.

You can try a CoolThreads server (T1000/T2000) at no risk for 60 days, so you can play around with it to see how well it will handle your workloads.

Compiler

 

GCC has been optimized for Sparc servers

You can now download Sun Studio 11 for FREE!

Lost your uninstall file and need to uninstall your old version of Sun Workshop?

Cron

 

Can't remember what field is what? Just add this header to your crontab.

Want to see if your cronjob is running without errors?

Date

 

How can I get the current date/time for yesterday?

Debug

 

Solaris Modular Debugger (mdb) cheatsheet (PDF)

DHCP

 

Why doesn't my hostname get set when using DHCP?

Docs

 

Solaris OE Guide for New System Administrators

Sun's Best Practices Guide (PDF)

Sun documentation by product

Solaris Administrator's Quick Reference (PDF)

DTrace

 

Scripts

Solaris Internals DTrace scripts

OpenSolaris.org DTrace scripts

iotop.d - prstat-like tool for showing the most I/O hungry processes

Top 10 DTrace scripts

Lots of DTrace tools/scripts

Articles

DTrace home

Solaris DTrace Guide (PDF)

Introduction to DTrace (PDF)

Using DTrace to Observe I/O Behavior

Security Forensics Using DTrace

DTrace -- Most Exposing Solaris Tool Ever

DTrace aggregation functions

DVD

 

Internal DVD-ROM/CD-ROM SD-C2732 May Return Incorrect Data (CC)

Having problems booting from your DVD drive in Solaris?

E-mail

 

How can I prevent my mail server from being used as a third-party relay?

Why doesn't my .forward file work?

Emacs

 

Emacs cheat sheet

Files

 

How can I remove a file with a weird character in the name?

Filesystems

 

If you are having problems like "cannot determine current directory" even though the permissions look OK, there is a fix.

How many inodes are being used in a particular filesystem?

Is there a way to quickly determine which filesystems are over 90% full?

Flash

 

NOTE: Flash requires at least Solaris 8 4/01 and does not work well with DiskSuite/softpartitions.

How to exclude multiple directories and filesystems without using the "-x" option for Web Start Flash Archives.

Example of installing Web Start Flash Archives with the Solaris 8 interactive installation program. (CC)

How to install Web Start Flash Archives on a Boot Environment using Live Upgrade (Command-Line) (CC)

Infodoc on how to run Jumpstart with a "separate" boot and install server and utilizing a Flash Archive. (CC)

Solaris 8 software Jumpstart with a Boot Server only utilizing Flash Archive (CC)

How to install a Flash Archive from a CD-ROM. (CC)

FTP

 

Autogenerate your /etc/ftpusers file so you don't have to remember to modify it.

NcFTP and ProFTPD are some handy, secure, configurable FTP servers. Article on configuring NcFTP.

How do I setup an anonymous FTP server the long way or the Sun script way?

How can I create an account that only allows FTP access?

How can I change the ftp daemon's banner?

Why can't I ftp to the box if I can telnet to it?

Hardware

 

Sun now has a utility to store your Chassis Serial Number in EEPROM with a utility called Sneep. Ok, so it isn't perfect...but is a step in the right direction.

Sun System Handbook Systems List Components List

Article on Solaris device mappings.

suntype is a script to help determine what model of Sun box you have.

Some info about Sun Hardware Diagnostics. (CC)

prtdiag is helpful in checking out what state your system is in. (CC)

Sun System Handbook

SunBlade 100 FAQ's and pictures.

Sun System LED Descriptions

Hostid

 

How can you replace your nvram chip or change your hostid?

Inetd

 

How can I log all telnet/ftp connections?

Jumpstart

 

Solaris 10 has a new Reduced Networking Software Group that you can build up to have exactly what you want in it.

Article on how to boot off CD-ROM to do Jumpstart installations. (PDF)

Great Blueprints article on Customizing JumpStart Framework for Installation and Recovery (PDF)

UberJS is designed to help with jumpstarting w/o RARP'ing over the network.

Method for having a self-contained jumpstart/flash DVD.

The JumpStart Enterprise Toolkit helps simplify the JumpStart process.

The MR System for Rapid Recovery Toolkit helps you create a mini-root (via JumpStart) that will allow you to access VxVM, Networker, NetBackup, etc.

There are several very good Sun BluePrints for setting up Jumpstart and customizing it for a recovery mini-root.

I need help automating package installs.

Here is a SysAdmin article to get you started with JumpStart.

Tips for automating a Solaris 8 jumpstart.

How would I add a kernel patch to a jumpstart image?

Kernel

 

If you are still running Solaris 2.6, don't apply 105181-33.

What are the different tunable kernel parameters for Solaris 2.3 - 2.6, Solaris 8, Solaris 9, Solaris 10? (PDF)

Keyboard

 

How can I disable the power/suspend key?

How can you remove the keyboard from a running machine?

Libraries (or the lack of them)

CRLE will allow you to configure your runtime linking environment from the system level.

Accidentally removed/renamed a critical library file and can't get it back?

Links

 

coolcommands.com has a searchable database of commands or one-line scripts which provide a function in a UNIX environment.

Celeste Stokely has information and links to just about anything and everything UNIX related.

Sun's One-Stop Location for SA's web site.

Sundot has real life UNIX observations and tips.

Sunhelp - the name speaks for itself

If you are needing used Sun equipment, Acclinet gives you a 48 month warranty on anything they sell!

Solaris Infrequently Asked and Obscure Questions

Memory

 

Sun Memory Module Compatibility Chart

memconf will tell you what kind of memory is in your Sun box without opening it.

Why do I have more free memory after I upgrade to Solaris 8?

Modems

 

How can I setup my external modem to... Go directly to Celeste's serial port resources pages.

NFS

 

You can now log NFS file operations.

How can I fix the "Stale NFS file handle" error message?

Having problems unmounting a busy FS in Solaris 7 or 8?

Network

 

If you need to figure out which switch port you are plugged into, the switch name and IOS version, you are in luck!

Trying to decide what to call your servers?

Ethernet FAQ

How to setup more than 255 virtual ethernets on Solaris 8 (Sparc)

nddconfig sets network driver parameters to prevent some network attacks.

If I have multiple NICs, how can I do outbound load spreading for Solaris 8 or have redundant network connections? (Sun AnswerBook, SysAdmin article, Sun BluePrints article (PDF))

Where can I find a FREE firewall program for Sol 8? SunScreen is included in Solaris 9.

How can I log or limit/deny certain hosts from telnet/ftp/etc. to my box? Download tcp-wrappers from Sunfreeware.com.

How do I manually change the hostname or IP or change the hostname via a script?

How do I set the NIC speed/duplex?

How can I display what my current NIC speed/duplex settings are?

What are the limitations when using multiple NIC's?

Ok, what about setting up trunking on a QFE card?

When multiple interfaces are installed and it complains they are not plugged in, you can stop those error messages with setenv tpe_link test false at the ok prompt.

How can I determine if an interface is in promiscuous mode?

How can I prevent being detected while snooping?

How do I interpret the output of netstat -k?

How do I turn off replies to broadcast pings?

Where can I find information about tuning my TCP/IP stack?

I have heard that Solaris web servers are slow to serve MS clients? How can I speed up their access?

What if I don't want to use the /etc/defaultrouter file?

So what do those lights on the back of my FDDI card mean?

How do interface groups differ from trunking?

Why should I use interface groups?

I want to know more about interface groups?

NIS

 

Some info on protecting your NIS maps.

Here is a nice method to secure NIS.

/dev/null

 

How can I recreate /dev/null?

OBP

 

How can I reset the default boot-file (or anything else)? set-default boot-file

Change/create the boot-device alias while the server is running using the "eeprom" command. (CC)

How to view OBP aliases from a booted system (CC) or have a script cut out the relevant OBP aliases section for you.

Sun OBP Quick Reference Guide (PDF)

Available OpenBoot Prom diagnostic commands (CC)

OS

 

The Solaris 2 FAQ has been recently updated.

The Top 10 reasons you should upgrade at least to Solaris 8.

Reasons you should consider upgrade to Solaris 9.

How can I tell if I am running in 32 bit or 64 bit mode?

Where can I find out more info about booting the 32 or 64-Bit Kernel?

Which OS release am I running? cat /var/sadm/softinfo/INST_RELEASE OR cat /etc/release

What is the latest version of Solaris that is available?

Where can I find the Solaris Family Comparison Chart of features for each OS version?

Packages

 

Info on how you can make your own Solaris packages.

How can you determine which package a file belongs to?

Passwords

 

Solaris 10 has a new password history feature.

Patches

 

How can you determine if this is a clean install or an upgraded Solaris system?

What are the various patch exit codes?

Performance Tips

 

Performance and Tuning on Solaris 2.6, 7 and 8

PERL

 

If you are tired of using the switcheroo method of editing files with sed to a temp file and then moving it back, take a look at the in-place editing function of Perl (perl -i -p -e). However, don't use it on files that are really softlinks, such as /etc/hosts: it breaks the softlink and replaces it with a regular file, leaving the real target untouched.
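An added demonstration of that softlink caveat (example code written for this page, not from the original post). It contrasts the rename-over-the-path behaviour of perl -i and the sed-then-mv switcheroo with an edit that writes the result back through the link, so the link survives and the target keeps its inode, owner and mode. The hosts file and symlink used are a constructed stand-in under a temporary directory, modelled on Solaris' /etc/hosts -> ./inet/hosts.

```shell
#!/bin/sh
# Added example, not from the original page: two ways of editing a file
# "in place" and what each does to a symbolic link such as Solaris'
# /etc/hosts -> ./inet/hosts.  The demo paths are constructed under a
# temporary directory, not the real system files.

# inplace_by_rename FILE SEDSCRIPT
# The effect of perl -i -p -e (and of the sed > tmp && mv tmp FILE
# switcheroo): the result is a new file renamed over the path.  rename(2)
# replaces the link itself, so FILE becomes a regular file and the real
# target is left with the old contents.
inplace_by_rename() {
    file=$1; script=$2
    tmp=$(mktemp) || return 1
    sed "$script" "$file" > "$tmp" && mv "$tmp" "$file"
}

# edit_through_link FILE SEDSCRIPT
# Writes the result back through the path with a redirection, which
# follows the link and rewrites the target in place: the link survives
# and the target keeps its inode, owner and mode.
edit_through_link() {
    file=$1; script=$2
    tmp=$(mktemp) || return 1
    if sed "$script" "$file" > "$tmp"; then
        cat "$tmp" > "$file"    # truncates and rewrites the target, not the link
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# file_kind PATH -> "symlink" or "regular", for checking the outcome
file_kind() {
    if [ -L "$1" ]; then echo symlink; else echo regular; fi
}

# Stand-alone demo: sh inplace.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && mkdir "$d/inet"
    printf '127.0.0.1 localhost\n10.0.0.5 oldname\n' > "$d/inet/hosts"   # constructed sample
    ln -s ./inet/hosts "$d/hosts"
    edit_through_link "$d/hosts" 's/oldname/newname/'
    echo "after edit_through_link: hosts is a $(file_kind "$d/hosts"); target says: $(sed -n 2p "$d/inet/hosts")"
    inplace_by_rename "$d/hosts" 's/newname/third/'
    echo "after inplace_by_rename: hosts is a $(file_kind "$d/hosts"); target still says: $(sed -n 2p "$d/inet/hosts")"
    rm -rf "$d"
fi
```

The trade-off: the redirection path is not atomic, since the target is truncated before the new contents land, so a crash mid-write leaves a short file, whereas the rename path is atomic but only correct on a real file. GNU sed offers -i --follow-symlinks for the same write-through behaviour; the Solaris sed has no -i at all, which is why the switcheroo exists.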

Power/CPR

 

Why do I get some error message about /etc/power.conf?

Priority Paging

 

Why shouldn't I be using priority paging on Solaris 8 and 9?

What is priority paging and why do I need it if I am running pre Solaris 8?

Priority Paging FAQ

Ports

 

How can you determine which process is using that port? Otherwise, you must use lsof.

Printing

 

Tech article on the basics of printing.

Processes

 

Solaris 10 allows you to limit the display of other user's processes.

pargs -e will display a process' environment variables

RAID

 

The Sun Fire v440 has onboard hardware RAID 1. raidctl Solaris 8 man page

Here's how to detect a failed v440 hardware RAID 1 disk and the process to replace it.

Why can't I create a 2nd mirrorset using the v440's onboard RAID card?

Why is RAID 1+0 better than RAID 0+1?

Description and summary chart of the different RAID levels.

AC&NC describes the different RAID levels in an easy to understand format.

RAID benchmarking tools

Raid Manager / RM6 / A1000

 

How to reset the A1000/A3x00 configuration if you have been swapping disks with other A1000's or have the orange light on w/o any hardware errors.

Here is another/quicker method to reset the A1000 configuration.

How can you wipe the DACstore from an A1000 drive?

How can I create A1000 & A3x00 luns with Raid Manager 6.22 and not have to reboot?

Here are the CLI equivalents to saving a raid module profile in RM6.

Here are some instructions on how to setup an A1000 on Solaris 8

Is it possible to swap the A1000 cache battery without powering the array off?

Known bug with RM 6.22 results in the following error messages: "Auto configure failed" or "Wrong number of drives entered for the RAID level given".

Think you have a failing power supply on your A1000/A3000? (CC)

Some info on the different RM6 Controller States. (CC)

You need to read this Infodoc if you are trying to run RM on Solaris 8. (CC)

Having long boot times (90mins) with >8 LUN support on A1000 and A3x00 configurations? (CC)

Registration

 

You can disable prompting for user or system registration reminder after installing Solaris.

Rosetta Stones

 

SysAdmin quick comparison of Solaris 8, HP-UX, FreeBSD, Linux, AIX

Compares: AIX, FreeBSD, HP-UX, Redhat, Solaris, Tru64 (PDF)

Compares: Everything and the kitchen sink (PDF)

SCSI disks

 

Here is how to determine which root disk you are booted from.

Quick how-to on setting up Sun eeprom aliases for alternative boot disks.

The script scsiinfo will displays information about SCSI devices attached to a given system (like probe-scsi, but from the OS).

iostat -En will also provide you with SCSI device information.

WD converts sd instance numbers to logical device names and vice versa.

dmap is a utility from SarCheck that also provides instance numbers/logical device names.

Getspace is a handy little script to grab the used and free space via df -k.

Need to add SCSI disks "hot" or make it see your cdrom (Solaris 7 and earlier)? In Solaris 8, use devfsadm -c disk.

Security

 

The Solaris 8 Build Document has lots of handy security checks, scripts, etc. (PDF) [locally]

Solaris Security Toolkit FixModes

Armoring Solaris Armoring Solaris: II

The Solaris Security FAQ

Here are some suggestions for securing Solaris.

Sed

 

Handy sed one-liners.

Sendmail

 

How can I easily look up where this e-mail address will go?

Need to know which version of sendmail I'm running.

How can I allow Sendmail to run without accepting mail from other servers? (Also check out the Oct. 2003 issue for more info.)

How can I change the sendmail banner?

Service Management Facility (SMF)

 

SMF has a new function svcs -x to help figure out what is wrong with my system.

SMF has changed the way the system starts up and shuts down. The /etc/rc?.d/ directories are all LEGACY facilities.

Solaris 10 has some new features with svcadm.

SMF quickstart guide

Solaris 10 allows enabling and disabling of services using the svc* commands.

Here's the SMF developer introduction.

SE Toolkit

 

Where can I find the SE Toolkit?

Please be careful when running virtual_adrian as it will make changes to the kernel following Adrian's rules.

Shell

 

How can you determine if you have an interactive login?

Lots of good info (memory refreshers) on KSH.

KSH FAQ

KSH examples

How can I compile a shell script so people can't change it or strings/view the password? Francisco's home page

Solstice DiskSuite/Solaris Volume Manager (SDS/SVM)

 

Booting off of a single disk from a mirrored root pair in Solaris 10 may fail with a panic unless you have 120254-02 or later.

If you are running SVM and have slow disk transfer rates, make sure to apply 113073 to speed things up by a factor of 3.

Please note the NEW procedure to replace SVM disks that have gone bad. The old method for SDS no longer works with those device ID's.

Here is a nice soft partitioning doc for DiskSuite/SVM The only other docs are the man pages.

Undocumented setting to ignore the quorum rule in DiskSuite 4.2.1.

What to do when one of your DiskSuite mirrors went bad and you didn't use the above tip.

Where can I get the newest version of Solstice DiskSuite that supports soft partitions? The Solaris 8 patch is actually 108693. It is built into Solaris 9 as Solaris Volume Manager. (CC)

If you are running Solaris 2.6/7 and want to use soft partitions, you must upgrade to Solaris 8/9. The patch revision (106628-18) has a serious, silent 4 GB bug, so it has been withdrawn.

BluePrints article on SVM Performance Best Practices.

Can I convince DiskSuite do RAID 1+0 (which is better than 0+1, and why)? (CC)

It is hard to keep all these different names Sun assigns to everything straight. Where can I find a list of all the product aliases for SDS/SVM/etc? (CC)

Great way to have DiskSuite/SVM coexist with Veritas and let each do what it does best.

Nice doc on how to replace a mirror gone bad. PDF

Quick method for mirroring your root disk with DiskSuite (Solaris Volume Manager) and an example of how the SVM root disk could be laid out.

How do I increase the number of metadevices? Check the DiskSuite FAQ

How do I remove the boot disk from DiskSuite control? Check the DiskSuite FAQ

Sort

 

Sort can be used to generate a list sorted by the first field, with only the highest valued second field for each first field value.

SSH

 

ClusterSSH allows you to control a number of xterm windows via a single console.

How do I get trusted-host authentication working?

How can I get hostbased authentication to work with SSH2?

Starfire / E10k

 

A short article on Starfire Administration

Stop-A, L1-A, break key sequence

 

How can we prevent the Stop-A key from being used if we don't have a keyswitch?

How can we create an alternate keyboard sequence for the BREAK signal on a dumb terminal?

How do I prevent a spurious BREAK (includes terminal server reboot) signal from halting my Sun server? Cisco method (Workaround section) or the Stokely method

How the different terminal servers stack up on this issue.

How do I send the break sequence (aka STOP-A or L1-A) using my terminal program?

Here is the explanation of the resistor between the pins fix and where it came from.

Storage Arrays

 

Storage Array helpful tips

Syslog

 

How to prevent syslog from accepting remote messages.

Su

 

Need to log when someone uses su? Use this dummy su program instead.

Sys-unconfig

 

If sys-unconfig wipes out your LDAP config files during Flash installs in Solaris 9, you need Patch-ID# 112941. (CC)

Is your sys-unconfig broken in Solaris 8?

Tar

 

Show me the easiest way to move files between directories using tar.

Oops, I accidentally created a tar file with an absolute path.

How can I use wildcards when extracting only certain files from a tarfile?

Trying to use tar with include/exclude lists? Use /dev/null as the destination.

Telnet

 

How can I create an account that only allows telnet/login access (no FTP)?

How can I change the default telnet banner?

Terminals

 

How come my server won't boot until I connect my terminal to it?

Timezone

 

How do I change the timezone my Sun server is in?

Top

 

Top is very handy at getting a snapshot of your server.

Uadmin

 

What are all the options to uadmin?

UFS

 

As of Solaris 08/2003, the performance of UFS logging matches or exceeds that of non-logging file systems.

How can I enable UFS logging on Solaris 7 and later?

Why aren't you logging?

Veritas File System

 

VxFS quick reference guide

Veritas Volume Manager

 

Basic VxVM commands quick reference sheet (PDF)

Advanced VxVM quick reference sheet (PDF)

Sun doc on how to replace a disk in a 280r when you are using Veritas to mirror the disks. (CC)

Here is the best way to mirror your root disk with Veritas.

How to create a RAID 1+0 (striped-pro) volume. (CC)

How to convert an existing RAID 0+1 volume to RAID 1+0. (CC)

How to disable and re-enable VERITAS Volume Manager (VxVM) at boot time when the boot disk is encapsulated.

How do you replace an E3500 internal FCAL disk?

How can I replace a failing/failed primary rootdisk?

Top 10 FAQ's about Volume Manager. (CC)

How do I add a disk "hot" to Veritas?

Veritas Volume Replicator

 

VVR quick reference guide

VI

 

VI Cheatsheet PDF

VI lovers home page

How can I reverse a text file with vi?

Can I delete blank lines in a file using vi?

How can I make the same change several times in a file with vi?

Video

 

How can I print a list of all possible resolution/refresh rates for my screen?

Would you like to set your display to 24 bit color?

Where can I find the cable adapters that will let me use my PC's monitor on a Sun box?

Sun's official answer on using Sun monitors on a PC.

How to connect a SUN monitor to a PC.

Vold (Volume Management)

 

Want to automatically play audio cd's or mount your Jaz drive?

X or Xdm

 

I need to add a login warning message when logging into CDE.

How can I keep my Sun server from announcing that it will serve as an X server?

Xaudio

 

Getting a bunch of error messages in syslog related to Xaserver?

ZFS in Solaris 10

 

ZFS homepage

ZFS cheat sheet

The Best File System in the World? Part I

The Best File System in the World? Part II

Solaris Zones

 

Solaris 10 (02/2004) now has zones available.

Zlogin manpage



 

Network Information Services (NIS and NIS+) Guide



Installing and Configuring NIS

For information on installing the Network Information Service (NIS) and the Network File System (NFS), see the AIX Installation Guide.

Configuring NIS

For each NIS domain you want to configure on your network, do the following:

  1. Decide which hosts on your network you want to include in this domain. Choose a domain name for the domain and make a note of it for use later in the configuration process.
  2. Choose a host that has the characteristics described in Master Servers. Then follow the instructions in Configuring the NIS Master Server.
  3. Decide which hosts, if any, will act as slave servers. Then, for each slave server, follow the instructions in Configuring an NIS Slave Server.
  4. Decide which hosts will be clients in this domain. Then, for each client, follow the instructions in Configuring an NIS Client.
Notes:
    1. If you want non-root users to be able to log into a server, you must configure the server as a NIS client as well.
    2. If the file /var/yp/securenets exists, the server only provides NIS services to the hosts within the Internet Protocol (IP) range specified.

Setting the NIS Domain Name

To set the NIS domain name of a host (whether client or server), use the Web-based System Manager fast path, wsm network, or use one of the following procedures.

Using the System Management Interface Tool (SMIT):

    1. Enter the fast path: smit chypdom
    2. Enter the domain name in the Domain name of this host field.
    3. Specify both in the CHANGE domain name take effect... field.
    4. Accept your changes and exit SMIT. The NIS domain name is now set.

Using the command line, enter: chypdom -B newdomainname

Each of these methods performs two actions. First, it runs the domainname command, setting the NIS domain name. Second, it modifies the /etc/rc.nfs file so that the NIS domain name is set when the system restarts.

Configuring the NIS Master Server

Attention: An NIS record has a maximum size of 1024 bytes. This limitation applies to all NIS map files. For example, a list of users in a group can contain a maximum of 1024 characters in single-byte character set file format. Before doing the following procedure, ensure that no configuration file is beyond this limit. NIS cannot operate correctly with map files that exceed this maximum.
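An added pre-flight check for the 1024-byte record limit described in the note above; it is not part of the AIX guide. It scans a map source file for records longer than the limit, reports each one by line number and map key, and exits non-zero so it can gate a ypinit or make run. The sample group file it builds is constructed, not real data.

```shell
#!/bin/sh
# Added example, not part of the AIX guide: find records in the NIS map
# source files that exceed the 1024-byte NIS record limit before running
# ypinit / make, so an oversize group line is caught here instead of
# producing a map that misbehaves.  Byte length is measured under
# LC_ALL=C so multibyte characters count as bytes.

NIS_MAX_RECORD=1024

# check_nis_records FILE [LIMIT]
# Prints one line "FILE:LINENO:BYTES:KEY" per oversize record (KEY is the
# first colon-separated field, which is what the map is keyed on).
# Returns 1 if any were found, 0 if none, 2 if the file is unreadable.
check_nis_records() {
    file=$1; limit=${2:-$NIS_MAX_RECORD}
    [ -r "$file" ] || { echo "check_nis_records: cannot read $file" >&2; return 2; }
    LC_ALL=C awk -F: -v limit="$limit" -v f="$file" '
        /^[ \t]*#/ { next }                       # comment line
        NF == 0    { next }                       # blank line
        length($0) > limit {
            printf "%s:%d:%d:%s\n", f, NR, length($0), $1
            bad = 1
        }
        END { exit bad ? 1 : 0 }' "$file"
}

# check_nis_sources FILE... : run the check over every map source given;
# any hit means fix the file before ypinit -m.
check_nis_sources() {
    rc=0
    for f in "$@"; do
        check_nis_records "$f" || rc=1
    done
    return $rc
}

# Constructed sample (not real data): a group file whose second line
# carries enough members to pass 1024 bytes.
make_sample_group() {
    out=$1
    {
        echo 'staff:!:1:alice,bob'
        printf 'bigproj:!:500:'
        i=0
        while [ $i -lt 140 ]; do printf 'user%03d,' "$i"; i=$((i + 1)); done
        echo 'lastuser'
        echo '# ops team'
        echo 'ops:!:600:carol'
    } > "$out"
}

# Stand-alone demo: sh nischeck.sh --demo
# On a real master server: check_nis_sources /etc/passwd /etc/group /etc/hosts
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && make_sample_group "$tmp"
    check_nis_sources "$tmp" || echo "oversize NIS records found, fix before running ypinit -m"
    rm -f "$tmp"
fi
```

The usual fix for a hit in the group file is to split the group into several groups, or to move membership into the passwd file's primary group field, since NIS cannot carry the long line whichever server it is built on.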

To configure an NIS master server, do the following tasks on the master server host:

  1. Follow the instructions in Preparing a Host for NIS Configuration.
  2. Set the domain name by following the instructions in Setting the NIS Domain Name.
  3. Decide what information you want to manage using NIS. By default, you manage all the information contained in the files listed in NIS Maps. You may want to customize how you manage users, groups, and host names, especially if you have already configured a domain name server. To do so, follow the instructions in Customizing NIS Map Input.

You will now create the directory for this domain, build the NIS maps, and start the NIS daemons. Use the Web-based System Manager fast path, wsm network, or use one of the following procedures.

Using SMIT, enter: smit mkmaster.

Specify in the HOSTS that will be slave servers field the names of the hosts, if any, that you want to act as slave servers.

Specify yes in the fields Can existing MAPS for the domain be overwritten? and EXIT on errors, when creating master server? because you will want to know if an error occurs.

If you want to configure your NIS domain for secure Remote Procedure Call (RPC) networking, specify yes in the START the yppasswdd daemon? and START the ypupdated daemon? fields. You should also configure secure NFS by following the instructions in AIX Version 4.3 System Management Guide: Communications and Networks.

Specify yes in the START the ypbind daemon? field to configure the master server to use the NIS databases.

Specify both in the START the master server... field.

Accept your changes and exit SMIT.

The system takes a few minutes to perform several tasks. First, it runs the ypinit command. If the ypinit command exits successfully, the system uncomments the entries in the /etc/rc.nfs file for the daemons to which you specified yes above. Finally, the system starts these daemons.

The ypinit command is a shell script that performs two tasks. First, it creates the directory /var/yp/domainname, where domainname is the domain name you defined above. Second, it runs the make command on the /var/yp/Makefile, which creates all the NIS maps specified in the /var/yp/Makefile.

Using the command line:

    1. Enter the ypinit -m command. This command prompts you for various information, including the names of any slave servers, and takes a few minutes to complete.
    2. Start the ypserv and ypbind daemons (and the yppasswdd and ypupdated daemons if you want) by following the instructions in Starting and Stopping the NIS Daemons.
    3. Edit the /etc/rc.nfs file and uncomment the lines that use the startsrc commands to start these daemons (delete the pound signs at the beginning of each line). For example, if the original lines look like the following:
       #if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then
       #       startsrc -s ypserv
       #fi

Remove the pound signs so the file looks like:

       if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then
               startsrc -s ypserv
       fi

Further Considerations When Using the yppasswd Daemon

If you chose to use a password file other than /etc/passwd to build the passwd map (see Customizing NIS Map Input), you must specify to the yppasswdd daemon the path to that file. By default, the yppasswdd daemon changes passwords for entries in the /etc/passwd file. To change the default password file to another file, do the following:

  1. Edit the /etc/rc.nfs file, and locate the following stanza:

       #Uncomment the following lines to start up the NIS
       #yppasswd daemon.
       DIR=/etc
       if [ -x /usr/etc/rpc.yppasswdd -a -f $DIR/passwd ]; then
               start rpc.yppasswdd /usr/lib/netsvc/yp/rpc.yppasswdd /etc/passwd -m
       fi

  2. Change the DIR statement so that it specifies the path to your alternate passwd file. For example, if you use the /var/yp/passwd file, the DIR statement should look like:

       DIR=/var/yp

  3. Save the file and exit the editor.
  4. Enter the following three commands:

       stopsrc -s yppasswdd
       chssys -s yppasswdd -a '/var/yp/passwd -m passwd'
       startsrc -s yppasswdd

The yppasswdd daemon will now use your alternate password file.

Configuring an NIS Slave Server

After configuring the master server, you must decide which hosts are to act as slave servers. Slave servers keep exact replicas of the master server's maps and share the processing burden by answering queries when the master server is busy or unavailable. The following procedure must be done for each slave server.

Prerequisites

The NIS master server is configured.

Procedure

To configure an NIS slave server, do the following tasks on the slave server host:

Notes:
    1. If you are configuring a slave server that is not on the same IP network, you must configure the new server as an NIS client first. Use the ypset command to explicitly point the new server to the NIS master. For example, ypset 129.23.22.1, where 129.23.22.1 is the IP address of the master server.
    2. When using subnets, a slave server must be configured on each subnet that has NIS clients for the given NIS domain. This allows clients to bind at startup and provides a fallback if the master goes down for any reason.

  1. Follow the instructions in Preparing a Host for NIS Configuration.
  2. Set the domain name by following the instructions in Setting the NIS Domain Name.

You will now create the directory for this domain, start the NIS daemons, and obtain copies of the NIS maps from the master server. Use the Web-based System Manager fast path, wsm network, or use one of the following procedures.

Using SMIT:

    1. Enter the fast path: smit mkslave.
    2. Specify the hostname of the master server for this domain in the HOSTNAME of the master server field.
    3. Specify yes in the fields Can existing MAPS for the domain be overwritten? and Quit if errors are encountered? because you will want to know if an error occurs.
    4. Specify both in the START the slave server... field.
    5. Accept your changes and exit SMIT.

The system takes a few minutes to perform several tasks. First, it runs the ypinit command. If the ypinit command exits successfully, the system uncomments the entries in the /etc/rc.nfs file for the ypserv and ypbind daemons. Finally, the system starts these daemons.

The ypinit command is a shell script that performs two tasks. First, it creates the directory /var/yp/domainname, where domainname is the domain name you defined above. Second, it runs the ypxfr command to obtain the NIS maps from the master server.

Note: If this NIS slave server is not on same IP network as the NIS master server (that is, a gateway router is positioned between the slave server and the master server), you must explicitly identify the NIS master server by using the ypset command. For example, enter the command:
ypset 129.23.22.1
where 129.23.22.1 is the IP address of the NIS master server.

Using the command line:

    1. Start the ypbind daemon by following the instructions in Starting and Stopping the NIS Daemons to bind to the master server.
    2. Enter the ypinit -s mastername command, where mastername is the host name of the master server. This command prompts you for various information and takes a few minutes to complete.
    3. Start the ypserv and ypbind daemons by following the instructions in Starting and Stopping the NIS Daemons.
    4. Note: If this NIS slave server is not on same IP network as the NIS master server (that is, a gateway router is positioned between the slave server and the master server), you must explicitly identify the NIS master server by using the ypset command. For example, enter the command:
      ypset 129.23.22.1
      where 129.23.22.1 is the IP address of the NIS master server.
    5. Edit the /etc/rc.nfs file and uncomment the lines that use the startsrc commands to start these daemons. Delete the pound signs in the following example:

       #if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then
       #       startsrc -s ypserv
       #fi

       so it looks like:

       if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then
              startsrc -s ypserv
       fi

Note: If NIS users need to log into an NIS slave server, the slave server must also be configured as a client, and should have the following line as the last line in its /etc/passwd file:
+::::::

Configuring an NIS Client

NIS clients make up the majority of hosts in an NIS domain. Clients do not maintain maps, but rather query servers for information. (Clients do not distinguish between master and slave servers.) If you are configuring a slave server that is not on the same IP network as the master server, you must configure the new server as an NIS client first.

Prerequisites

The NIS master server is configured.

Procedure

To configure an NIS client, do the following tasks on the client host:

  1. Follow the instructions in Preparing a Host for NIS Configuration.
  2. Set the domain name by following the instructions in Setting the NIS Domain Name.

You then start the client using NIS. Use the Web-based System Manager fast path, wsm network, or use one of the following procedures.

Using SMIT:

    1. Enter the fast path: smit mkclient.
    2. Specify both in the START the NIS client... field.
    3. Accept your changes and exit SMIT.

       The system performs two tasks. First, it starts the ypbind daemon. Second, it uncomments the entry in the /etc/rc.nfs file for the ypbind daemon.

    4. Follow the instructions in Setting Up NIS Client Files to Use NIS Services.

Using the command line:

    1. Start the ypbind daemon by following the instructions in Starting and Stopping the NIS Daemons.
    2. Edit the /etc/rc.nfs file and uncomment the lines that use the startsrc command to start this daemon. Specifically, delete the pound signs in the following example:

       #if [ -x /usr/etc/ypbind ]; then
       #       startsrc -s ypbind
       #fi

       so it looks like:

       if [ -x /usr/etc/ypbind ]; then
              startsrc -s ypbind
       fi
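The master, slave and client procedures above all end with the same manual edit of /etc/rc.nfs: remove the pound signs from one daemon's `#if [ -x /usr/etc/<daemon> ... #fi` stanza and nothing else. As an added example (not part of the AIX documentation, and not an AIX tool), the following Python function performs that edit on the file's text for a named daemon, leaves every other comment alone, and is safe to run twice. The sample rc.nfs text is constructed to match the stanzas shown above; the `/usr/etc` path and the daemon names ypserv and ypbind are taken from the page.

```python
"""Uncomment the startsrc stanza for one NIS daemon in /etc/rc.nfs text.

Added example, not part of the AIX documentation. It performs the manual
edit the procedure describes (removing the leading pound signs from the
`#if [ -x /usr/etc/<daemon> ...` ... `#fi` stanza) and leaves every other
commented line in the file untouched.
"""
import re

# Constructed sample of the relevant part of /etc/rc.nfs (not a real file dump).
SAMPLE_RC_NFS = """\
# Start the NIS daemons.
#if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then
#       startsrc -s ypserv
#fi
#if [ -x /usr/etc/ypbind ]; then
#       startsrc -s ypbind
#fi
"""


def uncomment_daemon_stanza(text, daemon):
    """Return (new_text, changed) with the if/fi stanza for `daemon` uncommented.

    The stanza starts at a line beginning `#if [ -x /usr/etc/<daemon>` and ends
    at the next `#fi` line; only lines inside it lose their leading '#'.  A
    stanza that is already uncommented does not match, so the edit is idempotent.
    """
    start_re = re.compile(r"^#if \[ -x /usr/etc/" + re.escape(daemon) + r"\b")
    out, inside, changed = [], False, False
    for line in text.splitlines(keepends=True):
        if not inside and start_re.match(line):
            inside = True
        if inside:
            if line.startswith("#"):
                line = line[1:]          # drop exactly one pound sign
                changed = True
            if line.rstrip("\n") == "fi":
                inside = False           # end of this stanza
        out.append(line)
    if inside:
        raise ValueError("stanza for %s has no closing 'fi'" % daemon)
    return "".join(out), changed


def stanza_lines(text, daemon):
    """Lines of the (commented or not) stanza for `daemon`, for inspection."""
    pat = re.compile(r"^#?if \[ -x /usr/etc/" + re.escape(daemon) + r"\b")
    lines, inside = [], False
    for line in text.splitlines():
        if not inside and pat.match(line):
            inside = True
        if inside:
            lines.append(line)
            if line.lstrip("#") == "fi":
                break
    return lines


if __name__ == "__main__":
    new, changed = uncomment_daemon_stanza(SAMPLE_RC_NFS, "ypserv")
    print("changed:", changed)
    print(new)
```

Apply it to a real file by reading /etc/rc.nfs, passing the text and the daemon name, and writing the result back only when `changed` is true; the ypbind stanza in the sample stays commented, which is the behaviour the client procedure needs when only one daemon is being enabled.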

Preparing a Host for NIS Configuration

Before you configure NIS on a master server, slave server, or client, do the following:

  1. Verify that the PATH variable in the /.profile file includes the /usr/sbin directory where the NIS commands reside.
  2. Verify that Transmission Control Protocol/Internet Protocol (TCP/IP) is running by entering the command:

     lssrc -s inetd

     A message similar to the following displays:

     Subsystem         Group            PID     Status
     inetd            tcpip            4923    active

     If the status does not indicate active, follow the instructions in Configuring the inetd Daemon for starting the inetd daemon.

  3. Verify that the portmap daemon is running by entering the command:

     lssrc -s portmap

     A message similar to the following displays:

     Subsystem         Group            PID     Status
     portmap          portmap          14003   active

     If the status does not indicate active, enter the command:

     startsrc -s portmap

You are now ready to configure NIS on this host. If you are configuring a master server, continue with the following section, Customizing NIS Map Input. If you are configuring a client or slave server, continue with Starting and Stopping NIS Daemons.

Customizing NIS Map Input

The most common customizations made to NIS involve users, groups, and host names. However, you can customize any of the information managed by NIS. Although this discussion focuses on users, groups, and host names, you can use the same techniques to customize input to other maps.

Note: Perform all of these instructions on the master server host.

Users and Groups

Attention: An NIS record has a maximum size of 1024 bytes. This limitation applies to all NIS map files. For example, a list of users in a group can contain a maximum of 1024 characters in single-byte character set file format. Before doing the following procedure, ensure that no configuration file is beyond this limit. NIS cannot operate correctly with map files that exceed this maximum.

By default, NIS uses the /etc/passwd and /etc/group files on the master server as the input for the passwd and group maps. All users and groups on the master server are thus included automatically in the maps. The simplest configuration is to add every user and group in this entire domain to the /etc/passwd and /etc/group files.

Note: It is possible to manage users and groups without using NIS; however, managing users and groups is the primary benefit of NIS. For more secure methods of user and group management, see

Why do all my ethernet interfaces have the same ethernet MAC address?

Q. Why do all my ethernet interfaces have the same ether MAC address? How do I modify the interfaces to have unique ethernet MAC addresses?

I have multiple interfaces, but they show up with the same ethernet MAC address as my built-in interface. Setting the NVRAM parameter local-mac-address?=true does not seem to affect the address.

A. Explanation/discussion:


IEEE leaves it up to the vendor to use the station address approach vs. the per-port approach. Sun used the concept of a host-based MAC identity prior to the newer network interface cards (NICs). Usually this does not present a problem. Only systems on the same subnet (connected to the same switch/hub) are required to have unique hardware addresses (arp entries).

If you are configuring a multi-homed host with more than one interface on the same physical subnet (connections to the same hub), choosing and configuring a unique ether address that is different from the primary host-based assigned ethernet MAC address may be necessary.

The older network interface drivers in Sun systems get the MAC address for the ethernet interface from the PROM on the system. The MAC address does not come from the ethernet chip or interface hardware. There is just one ethernet MAC address for all interfaces on a system. The Intel (ie) and Lance (le) ethernet interfaces, along with the SunSwift[TM] (hme) and SunFastEthernet[TM] 1.0 (be) and 2.0 (hme) adapters, use the host-assigned address of the CPU OpenBoot PROM.

Sun Microsystems uses the reserved OUI ethernet ranges 08:00:20:#:#:# or 00:03:ba:#:#:# and assigns unique numbers for each OBP and NIC that supports local-mac-address. The ones with local MAC addresses today are:
--------------------------------------------

TRI/P (4/16mbps UTP/STP Token Ring) x1039a
FreshChoice light (PCI) FastEthernet x1033a
FreshChoice (PCI) FW-scsi/FastEthernet combo x1032a
QFE/Sbus (4 MAC addresses) x1042a, x1049a
QFE/PCI (4 MAC addresses) x1034a
QFE/cPCI (4 MAC addresses) x1234
GEM/Sbus (Gigabit v2.0) x1140a
GEM/PCI (Gigabit v2.0) x1141a
GBE/PCI (Gigaswift v1.0) x1151a
GBE/PCI(copper) (Gigaswift v1.0) x1150a
GBE/PCI(combo) (Gigaswift v1.0 and FC-AL PCI combo) X2069
GBE/cPCI (Gigaswift v1.0) x1261a
Dual Fastethernet/cPCI (2 MAC addr) Dual Gigaswift v1.0@100Mb and dual SCSI) x2222a
VGE/SBus (Gigabit v1.0) x1045a
VGE/PCI (Gigabit v1.0) x1144a
FDDI/S 3.0, 4.0, 5.0 SAS and DAS For fddi-5.0: x1025a, x1026a
FDDI/P 1.0 x1035a, x1036a
ATM 155 2.0/2.1 Sbus (2.1 has 16 MAC addr, 2.0 only one) x1060a, x1061a
ATM 622 2.1 SBus (16 MAC addresses) x1064a
ATM 155/622 3.0 PCI (16 MAC addresses) x1066a, x1067a, x1068a
+ all NEW Sun network adapters from now on.
The Sun adapters with local MAC (media access control) addresses have the addresses encoded in the FCode PROM. The local-mac-address? property in the eeprom is used to enable this feature:

    ok local-mac-address?

(Defaults to false = use the system-defined MAC address.)

This can be set to true, which allows network drivers to use their own MAC address rather than the system default. This is for use with the QFE (QuadFastEthernet) or newer ethernet NICs listed above. To set it from the eeprom on the command line:

    # eeprom local-mac-address?=true

Note: Section 3.2.3(4) of the IEEE 802.3 specification defines a bit in the Ethernet address that distinguishes universally administered addresses from locally administered ones. A locally administered address (LAA) can be used to ensure a unique hardware address.

Setting the LAA bit is done by using 0A hex (second bit set: 1010, that is, add 2) as the first byte instead of 08 (1000). 8:00:20:x:x:x is Sun's universal assignment; (1010) a:00:20:x:x:x would be a locally administered address. The first bit is the "individual/group" bit, used by multicasting (1001 = 09, an odd number), and should be avoided.

You could also select a unique address from the valid address ranges x00000000001 to x0007FFFFFFF, where x can be 4, 5, 6, or 7.

To manually change the ether address, use the ifconfig "ether" option if this is needed on a NIC that does not implement local-mac-address.
Examples (use for qe, le and hme devices). ifconfig -a shows that hme0 is 8:0:20:77:dc:7b.

Command to change the ether number on additional hme interfaces (using the first 3 bytes of 0a:0:20 and the last 3 bytes of the host-assigned address):

    ifconfig hme1 ether 0a:0:20:77:dc:7b
    ifconfig hme2 ether 0c:0:20:77:dc:7b

Sequential numbering:

    ifconfig hme1 ether 0a:0:20:00:00:1
    ifconfig hme2 ether 0a:0:20:00:00:2

Numbering scheme based on part of the IP address (hme1 = 192.9.200.2, hme2 = 192.9.200.16; using 0a:0:20 for the first 3 bytes and the last 3 octets of the IP number):

    ifconfig hme1 ether 0a:0:20:09:c8:2
    ifconfig hme2 ether 0a:0:20:09:c8:10
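As an added example, not from the Sun infodoc, the following Python code checks the two administrative bits discussed above (bit 0 of the first octet is the individual/group bit, bit 1 is the universally/locally administered bit) on addresses written in the short colon-separated form that Solaris ifconfig prints, and builds addresses under the sequential and IP-derived schemes shown. Run over the example addresses it accepts 0a:0:20:... as a locally administered unicast address and rejects 09:... as multicast; it also reports 0c:0:20:77:dc:7b as not locally administered, because 0c hex is 1100 and leaves the second bit clear. All function names are the example's own.

```python
"""Inspect the I/G and U/L bits of an Ethernet address and build LAAs.

Added example, not part of the Sun infodoc. Addresses may be given in the
short Solaris form (8:0:20:77:dc:7b) or with two hex digits per octet.
"""


def parse_mac(text):
    """Return the six octets of a colon-separated hex MAC (1 or 2 digits each)."""
    parts = text.strip().split(":")
    if len(parts) != 6:
        raise ValueError("expected six colon-separated octets: %r" % text)
    octets = [int(p, 16) for p in parts]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("octet out of range in %r" % text)
    return octets


def format_mac(octets):
    """Canonical two-digit form, e.g. 0a:00:20:09:c8:10."""
    return ":".join("%02x" % o for o in octets)


def mac_flags(text):
    """Describe the two administrative bits of the first octet."""
    first = parse_mac(text)[0]
    return {
        "multicast": bool(first & 0x01),              # I/G bit: 1 = group address
        "locally_administered": bool(first & 0x02),   # U/L bit: 1 = LAA
    }


def make_laa(universal):
    """Set the U/L bit of a universally administered address (08:... -> 0a:...)."""
    octets = parse_mac(universal)
    octets[0] |= 0x02
    return format_mac(octets)


def laa_from_ip(ip, prefix="0a:00:20"):
    """IP-based scheme from the text: LAA prefix plus the last three IP octets."""
    ipo = [int(p) for p in ip.split(".")]
    if len(ipo) != 4 or any(not 0 <= o <= 255 for o in ipo):
        raise ValueError("bad IPv4 address %r" % ip)
    return format_mac(parse_mac(prefix + ":0:0:0")[:3] + ipo[1:])


def sequential_laas(count, prefix="0a:00:20"):
    """Sequential scheme from the text: prefix followed by 1, 2, 3, ..."""
    head = parse_mac(prefix + ":0:0:0")[:3]
    return [format_mac(head + [(n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff])
            for n in range(1, count + 1)]


def usable_laas(addresses):
    """Keep only addresses that are both unicast and locally administered."""
    return [a for a in addresses
            if not mac_flags(a)["multicast"] and mac_flags(a)["locally_administered"]]


if __name__ == "__main__":
    for a in ("8:0:20:77:dc:7b", "0a:0:20:77:dc:7b", "0c:0:20:77:dc:7b", "09:0:20:0:0:1"):
        print(a, mac_flags(a))
    print(laa_from_ip("192.9.200.16"), sequential_laas(2))
```

A useful habit is to pass every candidate through usable_laas before putting it in an rc script, since a typo in the first octet (an odd value, or a value with the second bit clear) silently produces a multicast or a vendor-range address instead of an LAA.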
This change can be made permanent in /etc/rcS.d/S30network.sh (Solaris 8 and above) or in /etc/rcS.d/S30rootusr.sh (Solaris 7 and below). You could also create a new script. The token ring manual provides an example for creating /etc/rcS.d/S20trLAA.

To add the ifconfig command to inetsvc:

    # vi /etc/rc2.d/S72inetsvc (/etc/init.d/inetsvc startup script in Solaris 8)

Add line 67:

    66 /usr/sbin/ifconfig -auD4 netmask + broadcast +
    67 /usr/sbin/ifconfig hme1 ether 0a:0:20:09:c8:2

To implement the /etc/rcS.d/S20trLAA script:

    #!/sbin/sh
    # Set a locally administered address on tr0 at boot; only "start" does anything.
    case "$1" in
    'start')
            echo "Configuring Interface LAA..."
            /sbin/ifconfig tr0 ether 0a:00:20:09:c8:02
            ;;
    'stop')
            echo "Stop of LAA is not implemented."
            ;;
    *)
            echo "Usage: $0 { start | stop }"
            ;;
    esac

To implement /etc/ether.IFACE# method in Solaris 8:

# vi /etc/rcS.d/S30network.sh (Add lines 96-99)
95 /sbin/ifconfig $1 plumb
96 if [ -f /etc/ether\.$1 ]
97 then
98 /sbin/ifconfig $1 ether `cat /etc/ether\.$1`
99 fi
# more /etc/ether.hme1
a:0:20:9:c8:88


To implement /etc/ether.IFACE# method in Solaris 7:

# vi /etc/rcS.d/S30rootusr.sh (Add lines 50-53):
49 /sbin/ifconfig $1 plumb
50 if [ -f /etc/ether\.$1 ]
51 then
52 /sbin/ifconfig $1 ether `cat /etc/ether\.$1`
53 fi
# more /etc/ether.hme1
a:0:20:9:c8:99


A crude method that is sometimes used to select an address is to ping the broadcast address and randomly choose a number that is not being used on the network, in the form 8:0:20:XX:XX:XX.

Notes: Do not use an odd number (such as "09:") for the first byte: if you are implementing multicasting, a 1 in the first bit transmitted (the "individual/group" bit) represents a multicast address.

See INFODOC ID: 15572 SYNOPSIS: Can I configure two Ethernet interfaces on the subnet?
Additional notes: For security and network isolation, you can set ip_forwarding off and ip_strict_dst_multihoming on if you are trying to prevent access to the other interfaces. "ndd /dev/ip ip_forwarding" determines if the workstation will route packets. "ndd /dev/ip ip_strict_dst_multihoming" determines whether to use Strict Destination Multihoming. If this variable is set to true, and ip_forwarding is turned off, then the machine will not accept packets destined for a different interface (RFC 1122).
If you need information on determining the actual ethernet address, see:
Infodoc ID 43462 How do I find the ethernet MAC address in OBP or local-mac-address of an individual Network Interface Card?
For a quick method to determine if local-mac-address is implemented on the NIC, use prtconf to examine the local-mac-address value.

For an on-board le or hme (host-assigned hardware address):

    $ prtconf -pv | grep idprom
    idprom:
    01800800.208d7e88.00000000.8d7e88a9.00000000.00000000.00000000.00000000
        ^^^^^^^^^^^^^

Newer NICs have unique addresses, as in the following qfe example:

    $ prtconf -pv | grep local-mac-address
    local-mac-address?: 'true'
    local-mac-address: 0800208d.7828
    local-mac-address: 0800208d.7829
    local-mac-address: 0800208d.782a
    local-mac-address: 0800208d.782b
Caution: This infodoc only applies to ethernet interfaces. For token ring, atm, fddi
refer to the documentation for these cards. For example, fddi has a "nf_macid nf " utility to display the
on-board ethernet number.

How to Set 100Full Duplex on an HME device

The following may prove useful in support of this:

=====
How to force the HME card to work at 100mb (full-duplex).

If autonegotiation does not work, the interface can be forced to run at 100 Mb, full-duplex, using the following:

Please try (if using /etc/rc2.d/S99...)

ndd -set /dev/hme instance 0
ndd -set /dev/hme adv_100T4_cap 0
ndd -set /dev/hme adv_100fdx_cap 1
ndd -set /dev/hme adv_100hdx_cap 0
ndd -set /dev/hme adv_10fdx_cap 0
ndd -set /dev/hme adv_10hdx_cap 0
ndd -set /dev/hme adv_autoneg_cap 0

or (if using /etc/system)

set hme:hme_adv_autoneg_cap=0
set hme:hme_adv_100T4_cap=0
set hme:hme_adv_100fdx_cap=1
set hme:hme_adv_100hdx_cap=0
set hme:hme_adv_10fdx_cap=0
set hme:hme_adv_10hdx_cap=0

Note that the order does make a difference. The link is re-negotiated when the interface is ifconfig'ed up or when the ndd adv_autoneg_cap command is executed.

======

How to force the HME card to work at 10mb (full-duplex).

The section "10FDX" includes how to force the HME card to work at 10 MB (full-duplex). You can either put the commands in the /etc/system file or in a startup script, for example /etc/rc2.d/S99hme_config. Another way is to make the changes from the command line using the "ndd" command with the syntax below. But it is better to put the commands in /etc/system or a startup script to preserve the settings across reboots.

10FDX only

/etc/system

set hme:hme_adv_autoneg_cap=0
set hme:hme_adv_100T4_cap=0
set hme:hme_adv_100fdx_cap=0
set hme:hme_adv_100hdx_cap=0
set hme:hme_adv_10fdx_cap=1
set hme:hme_adv_10hdx_cap=0

ndd commands

ndd -set /dev/hme instance 0
ndd -set /dev/hme adv_100T4_cap 0
ndd -set /dev/hme adv_100fdx_cap 0
ndd -set /dev/hme adv_100hdx_cap 0
ndd -set /dev/hme adv_10fdx_cap 1
ndd -set /dev/hme adv_10hdx_cap 0
ndd -set /dev/hme adv_autoneg_cap 0

=======
Is the hme interface running at 10BaseT or 100BaseT

How do you tell if the hme interface is actually linked up at 10 Mbps or 100
Mbps?

Answer:

# ndd -get /dev/hme link_status
# ndd -get /dev/hme link_speed
# ndd -get /dev/hme link_mode

link_status (read only)
0 for Link Down
1 for Link up

link_speed (read only)
0 for 10 Mbps
1 for 100 Mbps

link_mode (read only)
0 for Half-Duplex mode
1 for Full-Duplex mode

PGP and GnuPG Notes

PGP (Pretty Good Privacy) and GnuPG (GNU Privacy Guard) notes

About PGP and GnuPG

PGP software provides for highly-secure encryption and decryption of data, and for creating and verifying digital signatures.

A secure encrypted channel permits people to communicate with considerable confidence that others (including big unnamed government agencies) cannot eavesdrop, even if the encrypted traffic is intercepted (as anything that traverses the Internet can be, with the right tools, and either clandestine access or suitable privileges).

Digital signatures are useful for verifying that all parties see the same file contents, and that any tampering with those contents can be detected.

The GNU Privacy Guard (GnuPG) package is a ``complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application.''

The short reading list at the end of this document leads to important comprehensive books on this subject.


E-mail encryption

Some e-mail clients implement support for sending and receiving encrypted messages. While that is certainly convenient, it leaves users in a (usually) undesirable state of ignorance about what is going on. This section tells how you can do each step yourself.

To exchange secret messages with me, proceed as follows:

  1. Fetch my public key from my Web site. The key file looks exactly like this (all lines should be flush left):

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: 2.6.2

    mQCNAzWBPeIAAAEEANI3Ptvt8e0ur8iiN9u2sYTJwaLeeDU/+W2umnsWskR9COQm
    UklyxPVZF6M+EebaalqhL6VqqvWh7n0CxMD5puxxoBAPPKUM8bAks7j42QZMx8Oz
    xvzDSk4bqTasmGOBg667P9jH6AcOjKP08zfwQb5Qm3TCFdsruWfhK324XxlBAAUR
    tChOZWxzb24gSC4gRi4gQmVlYmUgPGJlZWJlQG1hdGgudXRhaC5lZHU+
    =ISkv
    -----END PGP PUBLIC KEY BLOCK-----

    Save it in a temporary file, say foo.pubkey.

  2. Add it to your pgp public key ring:

    % pgp -ka foo.pubkey 

    You only need to do this, and the preceding, step once.

  3. Create a file, say foo.msg, with your secret message, and encrypt it with my public key:

    % pgp -eats foo.msg 

    PGP will ask for your pass phrase so that it can unlock your secret key ring. Then it will ask for my public key's user ID to encrypt your message. It will end with:

    Transport armor file: foo.msg.asc

  4. Mail that `transport armor' file to me:

    Mail -s "Secret message" < foo.msg.asc beebe@math.utah.edu 

    That is the simplest way in Unix to mail a text file to someone. However, any decent mail client supports insertion of files into outgoing messages, so you could just insert foo.msg.asc into a message that way using your favorite mail program, possibly prefixing the insertion with some explanatory comments.

    If you give me a copy of your public key, which you can extract into a file that PGP will prompt you for, like this:

    % pgp -kxa 

    or

    % pgp -kxa your-username@your-host 

    then I can add it to my public key ring, and use it to encrypt messages to send back to you that only you can read.

    Your ability to read such a message from me to you that was encrypted with your public key is proof that your public key was not compromised during transmission to me, such as via e-mail, or a Web connection. On the other hand, if you cannot read my message, then we'd both better duck, because someone nasty is attacking us.


E-mail decryption

When you receive a message that has been encrypted with your public key, save it in a file, say secret.asc, and then decrypt it like this:

% pgp secret.asc
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Export of this software may be restricted by the U.S. government.

File is encrypted.  Secret key is required to read it.

Key for user ID: 1024-bit DSS key, Key ID 0x........, created ..../../..
Key can sign.

You need a pass phrase to unlock your secret key.
Enter pass phrase:
Good signature from user "...".
Signature made 2005/04/07 14:25 GMT

Plaintext filename: secret

The resulting output file secret contains the plaintext of the encrypted message.

If the plaintext is really secret, then it is a bad idea to save it in a disk file, where it could possibly be read by others, and be recorded in long-term filesystem backups. The solution is to display it on the screen with the more pager:

% pgp -m secret.asc
...as before...
Enter pass phrase:
Good signature from user "...".
Signature made 2005/04/07 14:25 GMT
...plaintext appears on the screen here...

Here is the decryption procedure using GnuPG:

% gpg secret.asc
You need a passphrase to unlock the secret key for
user: "...."
2048-bit ELG-E key, ID ........, created 2003-01-30 (main key ID ........)

gpg: encrypted with 2048-bit ELG-E key, ID ...., created ....-..-..
      "...."
gpg: Signature made Thu Apr 07 08:38:51 2005 MDT using DSA key ID ........
gpg: Good signature from "...."

There does not appear to be a way with GnuPG to send the plaintext directly to a screen pager utility.


Digital signature creation and verification

Digital signatures can be created as part of a document, in the form of a short wrapper, or in separate files. Both forms are useful: e-mail messages would normally use the first way, while software distributions would use the second approach.

To create an integrated digital signature for a file, say, foo.msg:

% echo "This is a message." > foo.msg

% cat foo.msg
This is a message.

% pgp -sta foo.msg
...
Enter pass phrase: XXXX
Pass phrase is good.
Key for user ID: Nelson H. F. Beebe <beebe@math.utah.edu>
1024-bit key, Key ID B85F1941, created 1998/06/12
Just a moment....
Clear signature file: foo.msg.asc

This produced a signed wrapper that I can give to someone.

% cat foo.msg.asc
-----BEGIN PGP SIGNED MESSAGE-----

This is a message.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPjlRxWfhK324XxlBAQFdhgP/bdHMqstLCvXG8pGIfc7OzgUySzjewx1T
GU+zi7aJzcj4WWrOxsSqceNyroIMTXpwBOwb1OP8kbBzGr+TW9Kzb+1P/UdMmnHH
qgsZbXAcf3dVUwEPhrgn5XhxXk6mPocAvL0/7VhwHClbGPAefvrcKhkAyrSfxIP2
i697b7szCeU=
=5oN9
-----END PGP SIGNATURE-----

PGP makes this file readable only by its creator, but in this case, we want it to be readable by anyone:

% chmod a+r foo.msg.asc 

At a remote site, the validity of the digital signature can be checked, and the wrapper removed, by someone else like this:

% pgp foo.msg.asc
...
File has signature.  Public key is required to check signature. .
Good signature from user "Nelson H. F. Beebe <beebe@math.utah.edu>".
Signature made 2003/01/30 16:25 GMT

Plaintext filename: foo.msg

You can also use GnuPG for signature verification:

% gpg foo.msg.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Thu Jan 30 09:24:37 2003 MST using RSA key ID B85F1941
gpg: Good signature from "Nelson H. F. Beebe <beebe@math.utah.edu>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7C18 7199 BC82 5EAB 06EB  9B96 FD9E 0E97 A93C 57C2

Suppose someone had tampered with the message, changing, say, a message, to an altered message. We can duplicate that tampering like this:

% sed -e "s/a message/an altered message/" foo.msg.asc > foo2.msg.asc 

Signature verification now fails:

% pgp foo2.msg.asc
...
File has signature.  Public key is required to check signature. .
WARNING: Bad signature, doesn't match file contents!

Bad signature from user "Nelson H. F. Beebe <beebe@math.utah.edu>".
Signature made 2003/01/30 16:25 GMT

Plaintext filename: foo2.msg

To create an ASCII signature in a separate .asc file:

% pgp -stab foo.msg
...
Enter pass phrase: XXXX
Pass phrase is good.
Key for user ID: Nelson H. F. Beebe <beebe@math.utah.edu>
1024-bit key, Key ID B85F1941, created 1998/06/12
Just a moment....
Transport armor file: foo.msg.asc

Here is what the signature file looks like:

% cat foo.msg.asc
-----BEGIN PGP MESSAGE-----
Version: 2.6.2

iQCVAwUBPjlTkWfhK324XxlBAQEhyAQAo5XdKEeOpClpCmiSRfc+D/SL5xg21QRy
wNOXEEZKEMhDeE7CWTWJIWyh9nbI6MUF93aLcEwdAHgv0+B2fdm7Fefe1+p+P6HU
Ts54zBEoMdj10NiLTRdtES37V/0wj/HXkJW3T6WU9EeULv3Mk0133Q16OsIi1xsv
Cy2Ky9VtCiA=
=bnlu
-----END PGP MESSAGE-----

To create a binary signature in a separate .sig file:

% pgp -sb foo.msg
...
Signature file: foo.xxx.sig

To verify the signature at some other site, you can specify either the base filename, or the signature filename.

% pgp foo.msg
...
File 'foo.msg.asc' has signature, but with no text.
Text is assumed to be in file 'foo.msg'.
Good signature from user "Nelson H. F. Beebe <beebe@math.utah.edu>".
Signature made 2003/01/30 16:32 GMT

Signature and text are separate.  No output file produced.

If the basename is used, and both .asc and .sig files exist, the .asc file is used for the signature.

The GNU Project archives and the ftp://ftp.math.utah.edu/pub/ archives use binary .sig signature files.

At various places in our local FTP and Web filesystems, you can find files named MD5SUM.asc. They contain MD5 checksums of files in the directory, plus an embedded signature. These were made like this:

% md5sum * > MD5SUM
% pgp -sta MD5SUM
...

A line in one such file looks something like this:

f6a8f9fa5d8d9872824d929db192405e  hoc-7.0.6.beta.tar.gz 

By verifying the digital signature on MD5SUM.asc with pgp MD5SUM.asc, you can be sure that the MD5SUM file matches what I created here. If you now fetch the indicated .tar.gz file, you can reproduce the checksum line at your site like this:

% md5sum hoc-7.0.6.beta.tar.gz
f6a8f9fa5d8d9872824d929db192405e  hoc-7.0.6.beta.tar.gz

The checksum match verifies that the .tar.gz file was not corrupted during transmission, and your copy matches mine exactly.

Many of the archives also contain separate .sig detached signature files, such as the hoc-7.0.6.beta.tar.gz.sig file for the above example.
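As an added example, not part of these notes, the following Python code does the checksum half of the MD5SUM.asc procedure described above. It assumes the signature on MD5SUM.asc has already been checked with pgp or gpg as shown (this code does no signature verification itself); it then extracts the signed text from the PGP cleartext wrapper, undoing the "- " dash-escaping that the cleartext format applies, parses the md5sum lines, and compares each listed file on disk, reporting OK, FAILED or MISSING. The demo builds a constructed directory and an MD5SUM.asc with a placeholder signature block, then alters one file, mirroring the sed tampering experiment above; the file names and contents are made up for the example.

```python
"""Verify a directory against the md5sum lines inside a clearsigned MD5SUM.asc.

Added example, not part of the notes. Signature checking is left to pgp/gpg;
this code only extracts the signed text and checks the checksums it lists.
"""
import hashlib
import os
import tempfile

SIGNED_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"


def cleartext_body(armored):
    """Return the signed text inside a PGP cleartext-signed wrapper.

    Skips the armor header lines (e.g. 'Hash: SHA1') up to the first empty line,
    stops at the signature block, and undoes the '- ' dash-escaping that the
    cleartext format applies to lines beginning with '-'.
    """
    lines = armored.splitlines()
    if SIGNED_BEGIN not in lines:
        raise ValueError("not a PGP cleartext-signed message")
    start = lines.index(SIGNED_BEGIN) + 1
    while start < len(lines) and lines[start] != "":
        start += 1
    start += 1
    body = []
    for line in lines[start:]:
        if line == SIG_BEGIN:
            break
        body.append(line[2:] if line.startswith("- ") else line)
    else:
        raise ValueError("no signature block found")
    return "\n".join(body)


def parse_md5sum(text):
    """Parse 'hash  name' lines as written by md5sum into {name: hash}."""
    sums = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        digest, sep, name = line[:32], line[32:34], line[34:]
        if len(digest) != 32 or sep not in ("  ", " *") or not name:
            raise ValueError("malformed md5sum line: %r" % line)
        sums[name] = digest.lower()
    return sums


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory, signed_list):
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every entry in the signed list."""
    results = {}
    for name, expected in parse_md5sum(cleartext_body(signed_list)).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if md5_of_file(path) == expected else "FAILED"
    return results


def demo():
    """Constructed scenario: two files, an MD5SUM.asc for them, then one file altered."""
    d = tempfile.mkdtemp()
    files = {"hoc-demo.tar.gz": b"archive bytes (constructed)", "README": b"read me\n"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    listing = "".join("%s  %s\n" % (hashlib.md5(data).hexdigest(), name)
                      for name, data in files.items())
    # Wrapper laid out as pgp -sta would; the signature block is a placeholder,
    # which is exactly why the signature must be verified before trusting this.
    signed = (SIGNED_BEGIN + "\nHash: SHA1\n\n" + listing +
              SIG_BEGIN + "\nVersion: 2.6.2\n\n(placeholder)\n=XXXX\n"
              "-----END PGP SIGNATURE-----\n")
    before = verify_directory(d, signed)
    with open(os.path.join(d, "hoc-demo.tar.gz"), "ab") as f:
        f.write(b"x")                     # simulate corruption or tampering
    after = verify_directory(d, signed)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The order matters: a checksum list only vouches for the files if the list itself is authenticated first, so run the pgp or gpg verification on MD5SUM.asc and feed this code the file only after "Good signature" is reported.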


Key servers for public keys

How do you know that someone's public key hasn't been tampered with? An attacker who managed to do this would have been able to decrypt messages sent to your intended recipient, but that person would be unable to do so.

The solution to this problem is for users who create a new public key to immediately register it with one or more neutral third parties, called public key servers, who act as (presumably incorruptible) escrow agents.

There is a small network of such servers for PGP keys distributed across several countries. Registration with just one is sufficient, since they exchange their public key archives, although it may take several days for a newly-registered key to propagate widely. Here is a short list of some public key servers:

Key servers allow you to lookup keys by email addresses and by personal name. For example, at one of them, a search for beebe@math.utah.edu produces:

Public Key Server -- Index ``beebe@math.utah.edu ''

Type bits /keyID Date User ID
pub 1024D/A93C57C2 2003/01/30 Nelson H. F. Beebe <beebe@math.utah.edu>
pub 1024R/B85F1941 1998/06/12 Nelson H. F. Beebe <beebe@math.utah.edu>

As shown in this example, the keyID values are hyperlinked: selecting one of them leads to a page with the public key block for that person. The email addresses are also hyperlinked: they lead to a list of keys registered by the person with that address.

A search for just Beebe turns up dozens of keys registered by people with that name, along with their email addresses. A search for the more common name Nelson turns up hundreds of keys. A search for Nelson Utah turned up only three keys when this experiment was made: the above two, plus a third one. Thus, you can usually find a key, even when you don't know the person's exact name or email address, but you do know part of their name or location.

You can also search for keyIDs at some key servers, but you need to make sure that the keyID is prefixed with 0x (for hexadecimal). For example, in my case, search for 0xA93C57C2 instead of A93C57C2. Search by keyID is useful because signature verification may report just the keyID, without an associated human name or email address.

gpg can search for keys at keyservers specified in your $HOME/.gnupg/gpg.conf file:

% gpg --search 0xA93C57C2
...
gpg: searching for "0xA93C57C2" from HKP server wwwkeys.pgp.net
Keys 1-1 of 1 for "0xA93C57C2"
(1)     Nelson H. F. Beebe <beebe@math.utah.edu>
          1024 bit DSA key A93C57C2, created 2003-01-30
Enter number(s), N)ext, or Q)uit > q

You can also specify a keyserver on the command line:

% gpg --keyserver http://pgp.mit.edu/ --search 0xA93C57C2
...
gpg: searching for "0xA93C57C2" from HKP server pgp.mit.edu
Keys 1-1 of 1 for "0xA93C57C2"
(1)     Nelson H. F. Beebe <beebe@math.utah.edu>
          1024 bit DSA key A93C57C2, created 2003-01-30
Enter number(s), N)ext, or Q)uit > q

If you select a key by number from the displayed list, gpg automatically adds it to your GnuPG keyring (but not to your PGP keyring). PGP does not appear to have a similar key-search facility.

Once a public key is registered with a key server, it cannot be revoked without knowledge of the original passphrase that led to its construction. This makes it very hard for an attacker to delete a registered public key and replace it with a bogus one, adding to the confidence that one can have in registered public keys. Of course, if you forget your own passphrase, you cannot revoke your own public key either! Similarly, someone who manages to crack your computer account could impersonate you, and create and register a key whose encryptions you cannot decipher. Nothing is for certain, sigh...

Adding a public key to your keyring

Once you have found a public key for the desired user, save the public key block in a temporary file, say tempfile. This file will be 50 to 1000 lines long, and look something like this:

    % cat tempfile
    Public Key Server -- Get ``0xA93C57C2 ''

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: PGP Key Server 0.9.6

    mQGiBD45JvoRBADB2wXsvcr0GkSy7ESDhND/7TSeDt/K8xGTiaZXs5weCGvdbngC
    2cdjtGAJEVtNMnXfXBigKnrrN6ozpjBl7HFyOz+bXxrpCt2yQ/TGjQKpooXryaNM
    ...
    uhbqgAAKCRD9ng6XqTxXwoz/AJ4xC9UlipWFMXEYvQco8GRA7ZgXpwCePBwSbhAw
    2fkncUHdprzxMorL3dE=
    =Oqpu
    -----END PGP PUBLIC KEY BLOCK-----

To add that key to your keyring, do this:

    % pgp -ka tempfile
    Pretty Good Privacy(tm) Version 6.5.8
    (c) 1999 Network Associates Inc.
    Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
    Export of this software may be restricted by the U.S. government.

    Looking for new keys...
    DSS  2048/1024 0xA93C57C2 2003/01/30 Nelson H. F. Beebe <beebe@math.utah.edu>
    sig?           0xA93C57C2             (Unknown signator, can't be checked)

    keyfile contains 1 new keys. Add these keys to keyring ? (Y/n) y

    New userid: "Nelson H. F. Beebe <beebe@math.utah.edu>".
    New signature from keyID 0xA93C57C2 on userid Nelson H. F. Beebe <beebe@math.utah.edu>

    Keyfile contains:
       1 new key(s)
       1 new signatures(s)
       1 new user ID(s)

    Summary of changes :
    New userid: "Nelson H. F. Beebe <beebe@math.utah.edu>".
    New signature from keyID 0xA93C57C2 on userid Nelson H. F. Beebe <beebe@math.utah.edu>

    Added :
       1 new key(s)
       1 new signatures(s)
       1 new user ID(s)

During the key addition, pgp will update about five files in your $HOME/.pgp directory.

You can also use the same key file to add the key to the separate keyring maintained by gpg:

    % gpg --import tempfile
    gpg: /u/class/b/c-bnhf/.gnupg/trustdb.gpg: trustdb created
    gpg: key A93C57C2: public key "Nelson H. F. Beebe <beebe@math.utah.edu>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1

GnuPG also has a PGP-like interface that takes the same command-line options as pgp; use it like this:

    % pgpgpg -ka tempfile
    gpg: key A93C57C2: "Nelson H. F. Beebe <beebe@math.utah.edu>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1

Either of these key additions will cause GnuPG to update two files in your $HOME/.gnupg directory.

Although GnuPG has an option to automatically import a key from a keyserver, PGP does not:

    % gpg --recv-keys 0xE707FDA5
    gpg: key E707FDA5: public key "Werner Lemberg <wl@gnu.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1

If you wish to use both GnuPG and PGP, then it is better to fetch keys into temporary files, and then import them manually. The Unix shell script getpubkey.sh provides a convenient way to do this:

    % getpubkey.sh 0xE707FDA5
    -rw-rw-r--  1 jones devel 1439 Sep 24 11:38 /tmp/pgp-0xE707FDA5.tmp.13306
    Try:    pgp -ka /tmp/pgp-0xE707FDA5.tmp.13306
            pgpgpg -ka /tmp/pgp-0xE707FDA5.tmp.13306
            rm -f /tmp/pgp-0xE707FDA5.tmp.13306

Verifying a file signature

Besides their use for decrypting messages, public keys can be used to verify digital signatures on files. To allow detection of tampering, some Internet file archives provide digital signature files. For example, at the GnuPG archive, you might find, and fetch, files like this:

    % ncftp ftp://ftp.gnupg.org/GnuPG/gnupg/
    ncftp /GnuPG/gnupg > dir gnupg-1.2.2*
    -rw-r--r--   1 103      65534      2225034 May  3 11:58 gnupg-1.2.2.tar.bz2
    -rw-r--r--   1 103      65534           65 May  3 11:58 gnupg-1.2.2.tar.bz2.sig
    -rw-r--r--   1 103      65534      3183869 May  1 18:00 gnupg-1.2.2.tar.gz
    -rw-r--r--   1 103      65534           65 May  1 18:00 gnupg-1.2.2.tar.gz.sig
    ncftp /GnuPG/gnupg > get gnupg-1.2.2.tar.gz*
    gnupg-1.2.2.tar.gz.sig:                                 65.00 B  714.05 B/s
    gnupg-1.2.2.tar.gz:                                      3.04 MB  160.10 kB/s
    ncftp /GnuPG/gnupg > quit

You can then verify the integrity of the archive file with PGP like this:

    % pgp gnupg-1.2.2.tar.gz.sig
    Pretty Good Privacy(tm) Version 6.5.8
    (c) 1999 Network Associates Inc.
    Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
    Export of this software may be restricted by the U.S. government.

    File 'gnupg-1.2.2.tar.gz.sig' has signature, but with no text.
    Text is assumed to be in file 'gnupg-1.2.2.tar.gz'.
    signature not checked.
    Signature made 2003/05/01 15:10 GMT
    key does not meet validity threshold.

    WARNING:  Because this public key is not certified with a trusted
    signature, it is not known with high confidence that this public key
    actually belongs to: "(KeyID: 0x57548DCD)".

Alternatively, you can use GnuPG like this:

    % gpg gnupg-1.2.2.tar.gz.sig
    gpg: Signature made Thu 01 May 2003 09:10:15 AM MDT using DSA key ID 57548DCD
    gpg: Can't check signature: public key not found

Both programs complained that they could not verify the signature because the signer's key was not found on the keyring.

To remedy that problem, fetch the signer's public key from a trusted key server as described earlier, and add it to your PGP and GnuPG keyrings:

    % pgp -ka tempkoch
    Pretty Good Privacy(tm) Version 6.5.8
    (c) 1999 Network Associates Inc.
    Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
    Export of this software may be restricted by the U.S. government.

    Looking for new keys...
    DSS  1024      0x57548DCD 1998/07/07 Werner Koch (gnupg sig) <dd9jn@gnu.org>
    ...

    % gpg --import tempkoch
    gpg: key 57548DCD: public key "Werner Koch (gnupg sig) <dd9jn@gnu.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1

Now verify the file signatures again:

    % pgp gnupg-1.2.2.tar.gz.sig
    Pretty Good Privacy(tm) Version 6.5.8
    (c) 1999 Network Associates Inc.
    Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
    Export of this software may be restricted by the U.S. government.

    File 'gnupg-1.2.2.tar.gz.sig' has signature, but with no text.
    Text is assumed to be in file 'gnupg-1.2.2.tar.gz'.
    Good signature from user "Werner Koch (gnupg sig) <dd9jn@gnu.org>".
    Signature made 2003/05/01 15:10 GMT

    WARNING:  Because this public key is not certified with a trusted
    signature, it is not known with high confidence that this public key
    actually belongs to: "Werner Koch (gnupg sig) <dd9jn@gnu.org>".

    % gpg gnupg-1.2.2.tar.gz.sig
    gpg: Signature made Thu 01 May 2003 09:10:15 AM MDT using DSA key ID 57548DCD
    gpg: Good signature from "Werner Koch (gnupg sig) <dd9jn@gnu.org>"
    gpg: checking the trustdb
    gpg: no ultimately trusted keys found
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 6BD9 050F D8FC 941B 4341  2DCC 68B7 AB89 5754 8DCD

Both PGP and GnuPG confirm that the digital signature on the file is good, so we can be confident that the archive file gnupg-1.2.2.tar.gz has contents identical to the file that Werner Koch signed at his site.

Both programs warn that Werner Koch's public key is not certified by a trusted authority; consult their documentation to find out more about how key certification works. In practice, you may be satisfied to know just that the digital signature was verified, and that it matches the expected user's public key that you downloaded from a public key server. The next section describes how you might increase trust in a public key.


Verifying a public key

Once you have someone's public key, perhaps obtained from a keyserver or an FTP or Web site, you still don't know that the key is genuine: you have to trust the source.

If you can contact the key owner by FAX, telephone, or e-mail, you can request a key fingerprint, which is a sequence of hexadecimal characters that represent a checksum of the public key. You can then compare it with the fingerprint extracted from the purportedly-identical public key on your keyring with either PGP or GnuPG:

    % pgp -kvc 0xA93C57C2
    ...
    Looking for user ID "0xA93C57C2".
    Type bits      keyID      Date       User ID
    DSS  2048/1024 0xA93C57C2 2003/01/30 expires 2102/01/05
                                          Nelson H. F. Beebe <beebe@math.utah.edu>
              Key fingerprint =  7C 18 71 99 BC 82 5E AB  06 EB 9B 96 FD 9E 0E 97  A9 3C 57 C2
    1 matching key found.

    % pgpgpg -kvc 0xA93C57C2
    pub  1024D/A93C57C2 2003-01-30 Nelson H. F. Beebe <beebe@math.utah.edu>
         Key fingerprint = 7C18 7199 BC82 5EAB 06EB  9B96 FD9E 0E97 A93C 57C2
    sub  2048g/88DE0889 2003-01-30 [expires: ????-??-??]

    % gpg --fingerprint 0xA93C57C2
    pub  1024D/A93C57C2 2003-01-30 Nelson H. F. Beebe <beebe@math.utah.edu>
         Key fingerprint = 7C18 7199 BC82 5EAB 06EB  9B96 FD9E 0E97 A93C 57C2
    sub  2048g/88DE0889 2003-01-30 [expires: ????-??-??]

If they match, and if you have reason to believe that the person who sent you the key was indeed the key owner, then the public key has more trust than it had before.
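The two checks this section and the earlier keyID search rely on, as an added example that is not part of the tutorial: normalizing a fingerprint quoted in either PGP's or GnuPG's spacing, deriving the 0x-prefixed 32-bit keyID from it, and recomputing a v4 fingerprint from an armored key block as RFC 4880 defines it. The sample key block is constructed with a meaningless modulus, and all function names are mine.

```python
"""Fingerprint and keyID checks for an OpenPGP v4 public key (added example, not the tutorial's code).
Assumes RFC 4880: fingerprint = SHA-1(0x99 || 2-byte length || body); 32-bit keyID = its low 4 bytes."""
import base64, hashlib, re, struct

def normalize_fingerprint(text):
    """Accept PGP 6.5.8 ('7C 18 71 99 ...') or GnuPG ('7C18 7199 ...') spacing and an optional 0x."""
    digits = re.sub(r"\s+", "", text).upper()
    digits = digits[2:] if digits.startswith("0X") else digits
    if not re.fullmatch(r"[0-9A-F]{40}", digits):
        raise ValueError("not a 40-hex-digit v4 fingerprint")
    return digits

def fingerprints_match(reported, on_keyring):
    """The comparison the tutorial describes: owner-supplied fingerprint vs. gpg --fingerprint output."""
    return normalize_fingerprint(reported) == normalize_fingerprint(on_keyring)

def short_keyid(fingerprint):
    """The keyID shown by --search and in signature messages, in the 0x form key servers expect."""
    return "0x" + normalize_fingerprint(fingerprint)[-8:]

def dearmor(armored):
    """Decode the base64 between the BEGIN/END lines; 'Version:' headers and the '=CRC' line are skipped."""
    lines = armored.splitlines()
    start = lines.index("-----BEGIN PGP PUBLIC KEY BLOCK-----")
    end = lines.index("-----END PGP PUBLIC KEY BLOCK-----")
    payload = [l for l in lines[start + 1:end] if l and ":" not in l and not l.startswith("=")]
    return base64.b64decode("".join(payload))

def first_public_key_body(data):
    """Parse an old-format packet header (the tutorial's 'mQGi...' decodes to tag 6, 2-byte length)."""
    if (data[0] & 0xC0) != 0x80:
        raise ValueError("expected an old-format OpenPGP packet header")
    tag, length_type = (data[0] >> 2) & 0x0F, data[0] & 0x03
    if tag != 6 or length_type == 3:
        raise ValueError("first packet is not a public-key packet of known length")
    n = (1, 2, 4)[length_type]
    return data[1 + n:1 + n + int.from_bytes(data[1:1 + n], "big")]

def v4_fingerprint(body):
    if body[0] != 4:
        raise ValueError("only version-4 keys have SHA-1 fingerprints")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

# Constructed sample: a v4 RSA packet (algorithm 1) with a tiny, meaningless modulus, armored
# the way a key server emits it (CRC line omitted).  Real blocks run 50 to 1000 lines.
def _mpi(m):
    return struct.pack(">H", m.bit_length()) + m.to_bytes((m.bit_length() + 7) // 8, "big")
SAMPLE_BODY = b"\x04" + struct.pack(">I", 1043932922) + b"\x01" + _mpi(0xC0FFEE1234567891) + _mpi(65537)
SAMPLE_ARMOR = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
                + base64.b64encode(b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY).decode()
                + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

The 32-bit keyID is only a lookup handle; the comparison that adds trust is over the full fingerprint, which is what the owner should read to you.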