Share on Facebook

STS125_2009142_VIS_RL

STS125_2009142_GEM

20580_200137_AO_RLBD

20580_2008137_AO_PCID

STS125_2009142_SSTB_Resize

20580_2008137_AO_MFBD_RL

STS125_2009142_SSTB

20580_2008137_RLBD_Knox

Share on Facebook

VPN that use ipsec for a site to site connection encapsulate packets into udp packets.  These udp packets are then sent across the network to the other side where the receiving device unpacks the udp packet and then decrypts it.  Typically the carrier media that connects your two vpn devices is the internet.  But if your media connecting your two devices is a network that also uses a VPN you run into a major problem.  The carrier network will start to unpack your packets meant for the other side and start throwing icmp type 3 (Host Unreachable) errors back to the vpn device.

Now if you are using cisco routers for the carrier network fiber you can actually tell it that traffic from your vpn devices should be excluded from the vpn tunnel and instead be sent in clear.  This way those packets to the other side of the vpn and never get double encrypted, fragmented or any other bad ness.  A great article explaining crypto acls for Cisco routers is http://www.thebryantadvantage.com/CCNPCertificationBCRANExamVPNCryptoAccessLists.htm

Share on Facebook

This is a list of links and tips I discovered to make it easier to do.  By default it shouldn’t be that card in OS X 10.5.6 or higher to get your CAC to work.  In factApple already has support for CAC readers built into the OS.  I have found though that often times you need to flash your CAC reader with the most current firmware version to make it work right.  The worst part about this is that you have to use a windows XP computer to do this.  I found the firmware for my cCAC reader and the flash tool at this site http://www.txsystems.com/cac.html  Once I installed it on a Windows XP machine and flashed it to the most current version I got my cac to start seeing it.

To test if your mac can see you CAC reader plug it into your computer and place you CAC in the reader. Then open terminal and type ‘sudo pcsctool’.  After you input your admin password if will tell you sucess or failure.  THis is the immeditae indicator of weather or not your computer can use your CAC reader.

Once you know your computer will see it you can start configuring certain programs to use it/.  So far I’ve gotten Safari and Firefox working with the CAC reader.  The best instructions you can find for getting Safari to use your CAC is from http://militarycac.com/apple.htm  I’ve included it here for archive puproses.

Step 1: Update your system.  (10.5.6 is the minimum required for Leopard, though 10.5.8 is currently available and recommended)

Step 2: Plug in your CAC Reader to the USB Port

Step 3: Click the Apple Icon in the upper left corner of your desktop and select “About This Mac”

Step 4: Click the “More Info” Button within the window that pops up. (This open System Profiler)

Step 5: Within the “Hardware” Category select the “USB” Section.  On the right hand side of the screen the window will display all hardware plugged into the USB ports on your Mac.  Within this should be a Smart Card Reader.  If the Smart Card reader is present here it is installed on your system, and no further hardware changes are required, i.e. additional drivers / Firmware upgrades.  Unplug the CAC Reader from your system.

Step 6: Open Keychains Access from the Utilities Folder within the Applications folder; Open the “Edit” Menu, and select “Keychain List”, click the “+” button in the lower left of the window opened, navigate to the location: System / Library / Keychains (Select the local hard drive i.e “Macintosh HD” on the left, followed by the System folder, within that the Library folder, and within that the Keychains folder), and select X509Anchors.  Check the Box to the left of the name under “Shared” as well as the System Box.  Click “Ok”.

Step 7: Plug in your CAC Reader and insert your CAC into the CAC Reader.  If in the upper left of the Keychain Access window, under “Keychains” your CAC should show up (CAC XXXX-XXXX-XXXX-XXXX-XXXX), select it. In the right hand side you will see the certificates that are on your CAC. (If your CAC does not appear remove it from the reader, unplug the CAC Reader, close and re-open keychains, plug in the Card Reader, and insert your CAC)

Step 8: Click the “Padlock” icon in the upper left corner of the program window, which will prompt you for your CAC PIN.  Enter your PIN to unlock your CAC.

Step 9: Select the desired certificate, which will show DOD CA-XX or DOD EMAIL CA-XX in the upper window.  Right Click (Control Click) and select “New Identity Preference”

Step 10: Enter the URL for the appropriate website you wish to access, select the appropriate certificate and click “Add”:

Step 11: Close Keychains, remove your CAC, and re-insert it.  Open Safari and begin navigating to your CAC enabled site.  (Air Force Users: remove your CAC card and re-insert it prior to opening Safari.)

If you want to use your CAC with firefox it’s a little more complicated.  This is because the plugin that used to be hosted on the mozilla addons page is nolonger active.  Now the project is hosted under the Department of Defensess forge.mil site.  This site requires a department of defense CAC to get in and download it.  It also has great documentation on how to setup firefox.  It’s all focused on the DOD Certs though.

If you are looking to get your mac to play nicely in a AD envronment then you should look at centrify‘s solution.  I have to be honest, I haven’t tried it but I have read a lot about it and it appears to be the perfect way to authenitcate to an active directory domain via CAC.

Share on Facebook

We start with Solaris. Not much has changed in this OS over the years. Most of the following was stolen from http://timesync.gmu.edu/wordpress/?p=30 It was customized to account for increasing the partition sizes.

Note that in order to garuntee the best results use the

Say the original drive is c1t0d0 and the new drive is c1t4d0

Note that in order to guarantee the best results use the prtvtoc & df commands to look at what the old partition table is. This Will let you know what partitions you need to create and the minimum sizes for each one. When formatting the partitions can be bigger but must be at least the same size.

   prtvtoc /dev/rdsk/c1t0d0s2 > /root/OldPartitionTable
   df -k >> /root/OldPartitionTable

Once you know the current partition sizes use the format command to setup your new drive.

Now, this script will build new file systems on the partitions of the new disk…matching those on the original. Then it will run ufsdump, copying data from the original to the new drive…then unmount the new “clone” drive. Finally it makes the new clone bootable. Note that this jazzy blog format wraps lines on the installboot line of the script…a “man installboot” will give you a clean copy of the syntax.

   #! /bin/ksh
   # script assumes:
   # c1t0d0 is original
   # c1t4d0 is drive we’ll turn into a clone
 
   partlist=$(prtvtoc /dev/rdsk/c1t4d0s2 | awk ‘!/\*/ {print $1}’)
 
   for p in $partlist
   do
   if [ "$p" != "1" -a "$p" != "2" ]
   then
   newfs /dev/rdsk/c1t4d0s$p < /dev/null
   mount /dev/dsk/c1t4d0s$p /mnt
   cd /mnt
   ufsdump 0uf - /dev/dsk/c1t0d0s$p | ufsrestore rf -
   cd /
   umount /mnt
   fi
   done
 
   mount /dev/dsk/c1t4d0s0 /mnt
   installboot /usr/platform/`uname -i`/lib/fs/ufs/bootblk \
   /dev/rdsk/c1t4d0s0
   umount /mnt
 
   exit 0

How to CLONE AN IRIX SYSTEM DISK. I use IRIX-disk cloning as a backup strategy. It is a bit expensive perhaps because I have to keep 2 SCSI disks (cloned copies of my combined user/root disk) in the closet as backups. In the list below I assume you are running your IRIX system on (i.e. booted from) disk #1 and you want to clone it to spare disk #3. The first time (with an uninitialised disk) cloning takes about 10 steps. A second time (when the disk is already prepared), one may start at step 7 to make a backup-clone.

1) BECOME SUPERUSER:

   su

2) FIRST THOROUGHLY TEST THE DRIVE THAT HAS TO BECOME THE CLONE:

   fx -x
    fx: "device-name" = (dksc)                       <enter>
    fx: ctlr# = (0)                                  <enter>
    fx: drive# = (1)                                 3
    fx: lun# = (0)                                   <enter>
     fx>                                             exercise
     fx/exercise>                                    butterfly
  	modifier = (rd-only)                           wr-cmp
  	starting block# = (0)                          <enter>
  	nblocks = (143374744)                          <enter>
  	nscans = (1)                                   <enter>
  	about to destroy data on disk dksc(0,3,0)! ok? yes
     ..
    ..
    label info has changed for disk dksc(0,3,0).
    write out changes?                               yes
   exit

3) ADD SGI LABEL:

   fx -x
   fx: "device-name" = (dksc) 
    fx: ctlr# = (0) 
    fx: drive# = (1) 3
    fx: lun# = (0)
     auto
     about to destroy data on disk dksc(0,3,0)! ok? yes
     (Several tests... may take a long long time, you can
      abort them.)
   exit

It is perhaps easier to do this via the Disk Manager desktop-interface: just initialise the disk. This only takes a few seconds and also puts a SGI label on the disk.

4) MAKE ROOTDRIVE PARTITIONING: List the disk partitioning of the system (root) disk:

   prtvtoc

List the disk partitioning of the option disk that is to be the clone:

   prtvtoc /dev/rdsk/dks0d3vh

Compare the disk partitioning of the two disks. They must have the same layout for the root and (if used) the usr partition. If they are not the same, repartition the option disk to match the system disk. In the easiest case:

   fx "dksc(0,3)"
    repartition
    rootdrive
    type of data partition = (xfs)
    ..
    exit

Then compare the prtvtoc outputs again. 5) ADD STAND-ALONE SHELL (AND OTHER PROGRAMS) TO VOLUME HEADER: If necessary, first copy the appropriate sash (on your systemdisk, SCSI ID=1) to the /stand directory:

   dvhtool /dev/rdsk/dks0d1vh                          (CAREFUL!)
   vd                                                  (volume directory)
   l                                                   (list)
   g sash /stand/sash_Octane
   g ide /stand/ide_Octane
   g IP30prom /stand/IP30prom_Octane
   quit

Then add the required programs to a volume header:

   dvhtool /dev/rdsk/dks0d3vh                      (SCSI ID=3)
   vd                                              (volume directory)
   l                                               (list)
   a /stand/sash_Octane sash                       (add to volume header)
   a /stand/ide_Octane ide
   a /stand/IP30prom_Octane IP30prom
   l
   quit
   write
   quit

6) MAKE FILESYSTEM: To make an XFS root filesystem with a 4 KB block size and a 1000 block internal log (the default values), give this command:

   mkfs /dev/dsk/dks0d3s0

7) SWITCH TO SINGLE USER MODE AND MOUNT:

   single
 
   mkdir /clone
   mount /dev/dsk/dks0d3s0 /clone
   cd /clone

XFSDUMP:

   xfsdump -l 0 - / | xfsrestore - .

Notice the 0, it is a NULL character, not an O!

9) UNMOUNT AND SHUTDOWN:

   cd ..
   umount /clone 
   rmdir /clone 
   shutdown

10) TEST Swap drives (in an Octane) and try if your clone is really bootable.

Share on Facebook

From what I’ve discovered about nscd this issue is a design flaw in nscd. Several people have just recommended disabling nscd. While this is a solution, it isn’t an acceptable solution in an enterprise environment. Especially if you are using oracle. Several oracle tools and apps will freeze or crash if they can’t talk to the nscd socket. Lame I know, but I’ve observed this in at least Oracle 10i.

Solutions

Now there are tow ways to get around this. One is to make your LDAP service load balanced and highly available. You can do replication in OpenLDAP with slurpd and then use something like balance to make the service highly available. Another option though is to fix nscd so it doesn’t bomb your machine when it dies.

In this article we are going to go over the fix nscd solution.  nscd comes with a config file located in ‘/etc/nscd.conf’ This file tells the nscd daemon how long to cache which name service.  See the man page to understand what each option means. The quick way to fix nscd is to tell the service here not to cache passwd and group info.  This will make nscd not go to LDAP and freak out if LDAP is not available.  Randomly I also came across a drop in replacement for nscd that dosen’t suffer from this issue. unscd-033.c The compile instructions are in the file. I can’t guarantee this safe, but I’ve used it for a while in an enterprise environment and seem haven’t had any nscd issues since

Refferences:

• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248271

Share on Facebook

Linux Name Services
Name Server Switch is the engine that really enables Linux to harness LDAP. In linux you have two different ldap.conf files that the modules and services use to configure their ldap communications ‘/etc/ldap.conf’ and ‘/etc/openldap/ldap.com’. The first gives the dn’s for passwd, group and sudoers. You can also specify the server and communication protocol. One really cool bonus is that you get to enable the host_acl based of users with this config file

host    ldap.analogrithems.com
base    dc=analogrithems,dc=com,dc=us
ldap_version    3
#Validate cert
tls_checkpeer no
ssl     start_tls
#ssl on
nss_map_attribute       uniqueMember member
pam_password_prohibit_message Please visit http://enterprise.company.com/password_policy.html.
pam_groupdn cn=ldap.analogrithems.com,ou=Computers,dc=analogrithems,dc=com,dc=us
pam_member_attribute uniquemember
pam_filter accountStatus=active
nss_base_passwd         ou=People,dc=analogrithems,dc=com,dc=us?one
nss_base_shadow         ou=People,dc=analogrithems,dc=com,dc=us?one
nss_base_group          ou=Groups,dc=analogrithems,dc=com,dc=us?one
sudoers_base    ou=SUDOers,dc=analogrithems,dc=com,dc=us
#This options is VERY helpful for debugging sudo ldap extension
#sudoers_debug 2

PAM
PAM is an authentication and accounting module that allows Linux services to use different methods for authenticating users (MySQL, LDAP, NIS, etc..). Their are two different pam config versions. You should look up the version your gnu/linux vedor uses for exact details on ldap setup, for SuSE you modify “/etc/security/pam_unix2.conf” to include the following. This system makes it so you don’t have to modify every pam service to use ldap, you just let them all use the standard unix2 module which then handles the ldap lookup.

auth:   use_ldap
account:        use_ldap
password:       use_ldap
session:        none

NSS
Edit your ‘/etc/nsswitch.conf’ place the word ldap before files for the passwd and group name service. You can also add it to sudoers if you want to store your sudo configs in ldap also

passwd: compat
shadow: compat
group: compat
sudoers: files ldap

passwd_compat: files ldap
shadow_compat: files ldap
group_compat: files ldap

Share on Facebook