DSfW Migration – OES 11 SP1 to OES11 SP2
DSfW migrations can be tricky if you do not follow the documentation carefully. I created two videos that take you through the process of a successful migration. The videos do not cover the pre-migration. For the pre-migration you want to ensure the tree, and the DSfW server specifically, is healthy.
The key is to install and configure eDirectory with the pre-migration pattern on the target server using the Software Management tool provided by the YaST utility. DO NOT use the OES Install and Configuration utility. This is the key piece most people miss. If you use the OES Install and Configuration utility the DSfW pattern will not be able to be installed. Instead the pre-migration pattern will be laid down, the pre-migration wizard will pop up. If you continue through the pre-migration pattern eDir will be installed. You then click…
OES 2015 NSS for AD
The big new feature in OES 2015 is NSS for AD. With NSS for AD, AD users can be given file system access to an OES server. Coupled with DSfW a functioning bi-directional trust will be possible.
Currently the limits with a bi-directional trust are with file system access from the AD side to the eDir/DSfW side. The workaround has been to add an AD user to an eDir/DSfW group, and via the group the user gains the needed ACLs to access a file system. The problem has been that file access via this method is limited to DSfW servers only. This does not work with other OES servers. Now with NSS for AD complete AD user access will be possible.
Watch this video for more information on NSS for AD in OES 2015
supportconfig updated with DSfW information
A great tool to get essential information on a server is supportconfig. It comes with SLES/OES and the latest set of patches has the DSfW information in the tool.
If you have an SR opened with support you can get the supportconfig analyzed by running supportconfig -ur $srnum, where $srnum is your 11 digit service request number. An HTML report will be given which will list Critical, Warning, and Recommended messages. Some will have TIDs and/or videos to apply to fix the issue. Some will list an rpm to apply.
This will not upload to Novell to have the supportconfig analyzed. It is the raw files to look at.
With this DSfW piece in the new supportconfig, specific to DSfW is exporting…
Novell-Cifs CASA Repair Tool @ Coolsolutions
I published my Novell-Cifs CASA Repair Tool to Novell Coolsolutions.
The tool will validate that the CASA keys are present and that the proxy user can log in. If there is a problem, it will fix it. Great tool to fix the following errors:
ERROR: ENTRY: DDCLogin() failed Error: -223
ERROR: ENTRY: DDCLogin() failed Error: -222
ERROR: ENTRY: DDCLogin() failed Error: -197
The tool works with OES2.x and OES11.x. I expect it to work with OES2015 unless there are big changes in that version.
If you are running Novell Cifs this tool is a must. Download it and have it ready, or run it as a preventative measure.
VI Commands posted @ Coolsolutions
You can learn about vic (vi commands) and download the rpm at Novell Coolsolutions.
Start learning vi or use vic as a quick reference to expand your vi repertoire.
DSfW Monitor daemon
I just created a daemonized version of the DSfW Monitor script. For more information on the script look at the DSfW Monitor script post.
Now you don’t have to create a cronjob to continuously run the tool. Simply download and install the dsfwmon.rpm.
The install will create the /etc/init.d/dsfwmon startup script, the /opt/dsfwdude/conf/dsfwmon.conf file to edit the configuration and the dsfwmon daemon. It also has log rotating enabled.
The install will enable the dsfwmon script so that when the server starts, the script will start monitoring the services.
Edit the /opt/dsfwdude/conf/dsfwmon.conf to send an e-mail if a service has to be restarted. Do not adjust the delay time less than 5 minutes. The script could possibly step on itself, trying to check the services while restarting the services.
Common changes are to enable e-mail setting to be sent when the services restart,…
CVE-2014-0224 Fixes in eDirectory
Hotfixes for NESCM 3.1 and the eDirectory (888, 887 & 885) standalones that address the OpenSSL security vulnerability described in CVE-2014-0224 can be found below.
For OES11 SP1/SP2 and OES2 SP3 LTSS the updates are in the respective channels.
– eDirectory 8.8 SP8 Patch 2 HotFix 1 (All Platforms)
Download URL: http://download.novell.com/Download?buildid=4A2ah857Bgs~
– eDirectory 8.8 SP7 Patch 6 HotFix 1 (All Platforms)
Download URL: http://download.novell.com/Download?buildid=wldDBGgzzng~
– eDirectory 8.8 SP5 Patch6 Hotfix2 for NetWare
Download URL: http://download.novell.com/Download?buildid=MzoS_HY0LYw~
– Identity Assurance Solution Client 3.1 Hotfix 1
Download URL: http://download.novell.com/Download?buildid=OXteBss0i-k~
Below is the list of patches that have been released addressing openssl security fixes:
1. OpenSSL on 24th June.
2. GnuTLS on 30th June.
3. iPrint Client on 10th July.
4. eDirectory on 10th July.
All these were duplicated across OES2 SP3, OES11 SP1 and OES11 SP2.
New iManager Plug-ins Page
Have trouble accessing iManager plugins from a server? Now there is a single dedicated site where the plugins can be downloaded and later installed on servers.
https://www.netiq.com/support/imanager/plugins/
The columns are sort-able making it easy to find a plugin or plugin version.
The iManager documentation has been updated to reference the new page:
Install Guide: https://www.netiq.com/documentation/imanager/imanager_install/data/bs3h82n.html
Admin Guide: https://www.netiq.com/documentation/imanager/imanager_admin/data/bxak4k8.html
iManager download install instructions: https://www.novell.com/documentation/imanager/esd/ii_imanager_277.html
May 2014 OES11SP2 Scheduled Maintenance for eDirectory 8.8 SP8 patch 2
May 2014 OES11SP2 Scheduled Maintenance for eDirectory 8.8 SP8 patch 2 (9156)
How to apply the patch with zypper. YaST Online Update can also be used.
List repositories to ensure the server is registered and the Updates repository is present
zypper lr
Should see the following:
nu_novell_com:OES11-SP2-Updates | OES11-SP2-Updates | Yes | Yes
List patches in the Updates repository
zypper pch OES11-SP2-Updates
Should see the following:
OES11-SP2-Updates | oes11sp2-edirectory-888-patch2 | 9156 | security| Needed
Install the maintenance patch
zypper up -t patch oes11sp2-edirectory-888-patch2
Then list the patches again to verify the patch is listed as Installed
zypper pch OES11-SP2-Updates
Should see the following:
OES11-SP2-Updates | oes11sp2-edirectory-888-patch2 | 9156 | security| Installed
To apply all OES11 SP2 updates run the following command
zypper up -t patch -r OES11-SP2-Updates
Bugs: 627162, 653702, 782375, 795332, …
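The "list, install, list again" check above can be scripted instead of read by eye. The following is an added example, not part of the original post: it parses the pipe-separated rows that zypper pch prints (Repository | Name | Version | Category | Status). The function names are hypothetical and the sample tables are constructed from the rows shown in the post.

```shell
#!/bin/sh
# Added example: evaluate `zypper pch <repo>` output read from stdin.

# Print the Status column for an exact patch name, or "NotListed".
patch_status() {
    awk -F'|' -v want="$1" '
        NF >= 5 {
            # Trim the padding zypper puts around every column.
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($2 == want) { print $5; found = 1; exit }
        }
        END { if (!found) print "NotListed" }'
}

# Print "name-version" for every security patch that is still Needed.
pending_security() {
    awk -F'|' 'NF >= 5 {
        for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
        if ($4 == "security" && $5 == "Needed") print $2 "-" $3
    }'
}

# Succeed only when the named patch is listed as Installed.
verify_installed() {
    [ "$(patch_status "$1")" = "Installed" ]
}

# Constructed sample output, modelled on the rows shown in the post.
SAMPLE_BEFORE='Repository        | Name                                    | Version | Category    | Status
------------------+-----------------------------------------+---------+-------------+-------
OES11-SP2-Updates | oes11sp2-edirectory-888-patch2          | 9156    | security    | Needed
OES11-SP2-Updates | oes11sp2-May-2014-Scheduled-Maintenance | 9157    | recommended | Needed'

SAMPLE_AFTER='Repository        | Name                                    | Version | Category    | Status
------------------+-----------------------------------------+---------+-------------+----------
OES11-SP2-Updates | oes11sp2-edirectory-888-patch2          | 9156    | security    | Installed
OES11-SP2-Updates | oes11sp2-May-2014-Scheduled-Maintenance | 9157    | recommended | Needed'

# Demo on the constructed samples. On a server, pipe the real command instead:
#   zypper pch OES11-SP2-Updates | verify_installed oes11sp2-edirectory-888-patch2
echo "Security patches pending before the update:"
printf '%s\n' "$SAMPLE_BEFORE" | pending_security
if printf '%s\n' "$SAMPLE_AFTER" | verify_installed oes11sp2-edirectory-888-patch2; then
    echo "oes11sp2-edirectory-888-patch2 is Installed"
fi
```

Because verify_installed returns a non-zero exit status for anything other than Installed, it can gate a maintenance script or a monitoring check.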
May 2014 OES11SP1 Scheduled Maintenance for eDirectory 8.8 SP7
How to apply the patch with zypper. YaST Online Update can also be used.
List repositories to ensure the server is registered and the Updates repository is present
zypper lr
Should see the following:
nu_novell_com:OES11-SP1-Updates | OES11-SP1-Updates | Yes | Yes
List patches in the Updates repository
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-edirectory-887-patch2 | 6989| security| Needed
Install the maintenance patch
zypper up -t patch oes11sp1-edirectory-887-patch2
Then list the patches again to verify the patch is listed as Installed
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-edirectory-887-patch2 | 6989| security| Installed
To apply all OES11 SP1 updates run the following command
zypper up -t patch -r OES11-SP1-Updates
Patch: oes11sp1-edirectory-887-patch6-9149
Bugs: 612236, 799046, 812295, 812707, 825235,…
May 2014 Scheduled Maintenance Patch
May 2014 Scheduled Maintenance has been released
How to apply the patch with zypper. YaST Online Update can also be used.
List repositories to ensure the server is registered and the Updates repositories are present
zypper lr
Should see the following:
nu_novell_com:OES11-SP1-Updates | OES11-SP1-Updates | Yes | Yes
nu_novell_com:OES11-SP2-Updates | OES11-SP2-Updates | Yes | Yes
List patches in the Updates repository
OES11SP1
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-May-2014-Scheduled-Maintenance | 9151| recommended | Needed
OES11SP2
zypper pch OES11-SP2-Updates
Should see the following:
OES11-SP2-Updates | oes11sp2-May-2014-Scheduled-Maintenance | 9157| recommended | Needed
Install the maintenance patch
OES11SP1
zypper up -t patch oes11sp1-May-2014-Scheduled-Maintenance
OES11SP2
zypper up -t patch oes11sp2-May-2014-Scheduled-Maintenance
Then list the patches again to verify the patch is listed as Installed
OES11SP1
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-May-2014-Scheduled-Maintenance | 9151
OES11SP2
zypper…
March 2014 Scheduled Maintenance Patch
March 2014 Scheduled Maintenance has been released
How to apply the patch with zypper. YaST Online Update can also be used.
List repositories to ensure the server is registered and the Updates repository is present
zypper lr
Should see the following:
nu_novell_com:OES11-SP1-Updates | OES11-SP1-Updates | Yes | Yes
List patches in the Updates repository
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-March-2014-Scheduled-Maintenance | 8935| recommended | Needed
Install the maintenance patch
zypper up -t patch oes11sp1-March-2014-Scheduled-Maintenance
Then list the patches again to verify the patch is listed as Installed
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-March-2014-Scheduled-Maintenance | 8935
To apply all OES11 SP1 updates run the following command
zypper up -t patch -r OES11-SP1-Updates
To apply all SLES 11 SP2 updates run the following command
zypper up -t patch -r SLES11-SP2-Updates
Key DSfW specific bugs fixed with this…
I/OTest script to check if the disk I/O is causing slow performance
Slow VM performance? Use IOTest to see if the disk IO is the culprit
This script will test the disk IO by copying 500Mb of data using the same block size as eDir uses and with the same api eDir uses “fdatasync”.
This writes 500 Mb of data each iteration to the iotest.log in the dib directory, usually the /var/opt/novell/eDirectory/data/dib/
It will overwrite the previous data in the iotest.log each time it runs. Anything under 100 MB/s is a concern and will cause slowness for eDirectory and possible memory build up. IO causes a bottleneck for events to be written to disk. A build up of memory by ndsd can cause ndsd to take all available memory (both virtual and resident), causing ndsd to core.
If slow IO writes are seen with the iotest script begin the process of adding hard drives and reducing the…
New Patch for eDir 8.8.7.5
Patch 8.8.7.5 was released and immediately pulled after seeing ndsd cores due to LDAP search filters of (guid=). A new patch is now available. To see whether the new patch has been applied run the command:
zypper list-patches --bugzilla=864542
To apply the patch run the command:
zypper up -t patch oes11sp1-edirectory-887-patch5-8910
The following packages will be upgraded:
novell-NDSbase novell-NDSbase-32bit novell-NDScommon novell-NDSimon
novell-NDSrepair novell-NDSserv novell-NOVLembox novell-NOVLice
novell-NOVLsnmp novell-NOVLsubag novell-dclient novell-dclient-32bit
novell-edirectory-jclnt novell-edirectory-tsands
novell-edirectory-tsands-32bit novell-nmas novell-nmas-libnmasext
novell-nmas-libspmclnt novell-nmas-libspmclnt-32bit novell-nmasclient
novell-nmasclient-32bit novell-npkiapi novell-npkiapi-32bit novell-npkiserver
novell-npkit novell-npkit-32bit novell-sss
To download the standalone eDirectory patch and to learn more about the patch see eDirectory 8.8 SP7 Patch 5 HotFix 1 (All Platforms)
New Features in DSfW OES11SP2
There is a great article on Novell Coolsolutions about the New Features in DSfW OES11SP2.
It gives great information on the new features with screenshots and explanations. Take a look and learn more about the new features of DSfW.
January 2014 Scheduled Maintenance Patch
January 2014 Scheduled Maintenance has been released
How to apply the patch with zypper. YaST Online Update can also be used.
List repositories to ensure the server is registered and the Updates repository is present
zypper lr
Should see the following:
nu_novell_com:OES11-SP1-Updates | OES11-SP1-Updates | Yes | Yes
List patches in the Updates repository
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-January-2014-Scheduled-Maintenance | 8685| recommended | Needed
Install the maintenance patch
zypper up -t patch oes11sp1-January-2014-Scheduled-Maintenance
Then list the patches again to verify the patch is listed as Installed
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-January-2014-Scheduled-Maintenance | 8685
To apply all OES11 SP1 updates run the following command
zypper up -t patch -r OES11-SP1-Updates
To apply all SLES 11 SP2 updates run the following command
zypper up -t patch -r SLES11-SP2-Updates
Key DSfW specific bugs fixed with this…
OES11SP2 is Available for Download
OES11sp2 is now available for download.
SCA Appliance
Ever wonder what happens when you run a supportconfig -ur SR#? The support config gets uploaded and analyzed by a Support Config Analysis server that runs potentially over 900 support patterns to analyze the support config's contents. The report is then posted to the SR, listing critical issues that when fixed have been found to fix roughly 50% of the issues an SR was created for.
The Support Config Analysis server is available for download as an appliance that can be run on premises. The appliance stores analysis results in a MariaDB database and uses PHP to read the database and generate the report. It has an FTP server allowing for support configs to be uploaded, archived, processed, and analyzed. With this it is possible to modify the supportconfig script to gather more information for other applications running on the server and…
November 2013 Scheduled Maintenance
November 2013 Scheduled Maintenance has been released
How to apply the patch with zypper. YaST Online Update can also be used.
List repositories to ensure the server is registered and the Updates repository is present
zypper lr
Should see the following:
nu_novell_com:OES11-SP1-Updates | OES11-SP1-Updates | Yes | Yes
List patches in the Updates repository
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-November-2013-Scheduled-Maintenance | 8483| recommended | Needed
Install the maintenance patch
zypper up -t patch oes11sp1-November-2013-Scheduled-Maintenance
Then list the patches again to verify the patch is listed as Installed
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-November-2013-Scheduled-Maintenance | 8483
To apply all OES11 SP1 updates run the following command
zypper up -t patch -r OES11-SP1-Updates
To apply all SLES 11 SP2 updates run the following command
zypper up -t patch -r SLES11-SP2-Updates
Key DSfW specific bugs fixed with this…
DNS CASA Repair Script
A common reason for Novell DNS to fail to update records or even fail to load is a problem with the CASA credentials for the DNS proxy user.
When troubleshooting Novell DNS issues start with the /var/opt/novell/log/named/named.run log.
If novell-named fails to start or update records and CASA Error has occured, error:No credential is retrived from CASA is seen in the log, it is almost a guarantee the reason is the dns-ldap key is missing, the password is incorrect for the proxy user, or the user name is incorrect.
Below is a sample of a named.run log demonstrating what is seen when CASA credentials are invalid or missing.
Look for the starting of named and the CASA Error
19-Nov-2013 15:30:13.489 general: main: notice: starting BIND 9.3.2 -u named
19-Nov-2013 15:30:13.490 general: server: info: found 4 CPUs, using 4 worker threads
19-Nov-2013 15:30:13.500 general: dns/message: error: Credential Not found
19-Nov-2013…
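To check a whole named.run log for this condition rather than scanning it by eye, the following added example (not part of the original post) reports each start of named and how many CASA credential errors followed it. The function name is hypothetical; the match strings are the messages quoted in the post, and the sample log reuses the three lines shown above plus constructed lines for a later clean start.

```shell
#!/bin/sh
# Added example: summarise CASA credential errors per named start.
# Reads log files given as arguments, or stdin when none are given.
named_casa_report() {
    awk '
        function emit() { if (start != "") print start, "casa_errors=" n }
        # A new start of named closes the previous one and resets the count.
        / starting BIND / { emit(); start = $1 " " $2; n = 0; next }
        # Messages the post associates with missing or invalid CASA credentials.
        /Credential Not found/ || /No credential is retrived from CASA/ { n++ }
        END { emit() }' "$@"
}

# Sample log: the first three lines are from the post, the last two are
# constructed to show a later start with no credential error.
SAMPLE_LOG='19-Nov-2013 15:30:13.489 general: main: notice: starting BIND 9.3.2 -u named
19-Nov-2013 15:30:13.490 general: server: info: found 4 CPUs, using 4 worker threads
19-Nov-2013 15:30:13.500 general: dns/message: error: Credential Not found
19-Nov-2013 15:42:02.101 general: main: notice: starting BIND 9.3.2 -u named
19-Nov-2013 15:42:02.102 general: server: info: found 4 CPUs, using 4 worker threads'

# Demo on the sample. On a server run:
#   named_casa_report /var/opt/novell/log/named/named.run
printf '%s\n' "$SAMPLE_LOG" | named_casa_report
```

A start with casa_errors greater than zero points at the dns-ldap key, the proxy user's password, or the proxy user name, as described above.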
New DSfW Monitor Script
I previously created two scripts, dsfw_processcheck.sh and dsfw_portchk.sh, one to monitor pids and one to monitor ports. Together the two scripts are helpful to ensure the DSfW services are up. A new script combines the two and adds additional options. The script not only checks for pids and ports, but it can also create a cron job to run the script every 10 minutes by adding the "add" switch. To remove the cron job use the "rm" switch.
If a DSfW server running DNS (or not) has a DSfW specific process stop or crash a quick stop gap measure is to monitor the DSfW processes and restart them if one or more of the DSfW processes stop.
If the DSfW server is an Additional Domain Controller (ADC) DNS might not be configured on the server. If DNS is not running on the…
September 2013 Scheduled Maintenance
July 2013 Scheduled Maintenance has been released
How to apply the patch with zypper. YaST Online Update can also be used.
List repositories to ensure the server is registered and the Updates repository is present
zypper lr
Should see the following:
nu_novell_com:OES11-SP1-Updates | OES11-SP1-Updates | Yes | Yes
List patches in the Updates repository
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-September-2013-Scheduled-Maintenance | 8284| recommended | Needed
Install the maintenance patch
zypper up -t patch oes11sp1-September-2013-Scheduled-Maintenance
Then list the patches again to verify the patch is listed as Installed
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-September-2013-Scheduled-Maintenance | 8284| recommended | Installed
September 2013 Scheduled Maintenance for OES11SP1 (8284)
Key DSfW specific bugs fixed with this maintenance patch for OES11SP1
- 816488 – DSfW: Migration does not retain sysvol facls
- 828484 – OES11 SP2: eDirectory cored…
How To Register OES and SLES Servers Using Command Line and a Script
It is important to keep your servers at the current patch level. Usually there are many bugs fixed, and if you come across a new issue it helps Novell Support and the Developers.
I like to use the command line to register my servers. It is easy and relatively fast compared to the GUI. Even easier is to use a script. Just copy the script to the server, modify the e-mail account and registration codes and run the script. If something happens to the update services and repositories just run the script to clean up the old and re-register.
Below is a video demonstrating the register.sh script
TID 3030847 goes over the command line process.
Note: do not include < > for email or regcodes in the examples below
The command to register an OES server is
suse_register -a email=<user@email.com> -a regcode-sles=<your sles code>…
July 2013 Scheduled Maintenance
July 2013 Scheduled Maintenance has been released
How to apply the patch with zypper
List repositories
zypper lr
Should see the following:
nu_novell_com:OES11-SP1-Updates | OES11-SP1-Updates | Yes | Yes
List patches in the Updates repository
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-July-2013-Scheduled-Maintenance | 7889 | recommended | Needed
Install the maintenance patch
zypper up -t patch oes11sp1-July-2013-Scheduled-Maintenance
Then list the patches again to make sure it is installed
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-July-2013-Scheduled-Maintenance | 7889 | recommended | Installed
July 2013 Scheduled Maintenance for OES11SP1
Key DSfW specific bugs fixed with this maintenance patch for OES11SP1
- 806538 – MS cluster support in DSfW
- 816741 – DSFW: ldapsearch fails when the entryDN specified in search filter contains spaces before or after comma.
- 818366 – xadsd crashes in rpc__naf_addr_free ()
- 819547 – DSFW: No results for ldapsearch with…
DSfW: Provisioning using python script
Need to do the DSfW install via a PuTTY session with no GUI? Look at this Coolsolutions article, DSfW: Provisioning using python script. It provides a python script to do the provisioning portion of the install without the need for an X server. It is also reported to be faster. Great for scripted installs.
Adding displayName to DSfW user accounts
BES10 requires AD authentication so DSfW is being deployed to accomplish this in eDirectory environments.
The displayName attribute is one attribute that must be populated.
displayName
All but two are automatically populated on DSfW users.
displayName and mail are not. Hopefully mail is already populated since this is for an e-mail application. displayName most likely is not.
This video will go over a script that can be used to populate displayName with the value used in samAccountName. It will also show you how to modify the script if the value from another attribute should be used for displayName.
The script does the following search to find users and generate an ldif file
ldapsearch -Y EXTERNAL -LLL -Q -b "$DEFAULTNAMINGCONTEXT" -s sub '(&(objectclass=user)(samAccountName=*)(!(|(objectClass=Computer)(displayName=*)(cn:dn:=users)(ou:dn:=oessystemobjects))))' dn: samAccountName |sed s[samAccountName['changetype:modify\nadd: displayName\ndisplayname'[g | grep -v ^# >/tmp/add_displayname.ldif
As…
May 2013 Scheduled Maintenance
May 2013 Scheduled Maintenance has been released
How to apply the patch with zypper
List repositories
zypper lr
Should see the following:
nu_novell_com:OES11-SP1-Updates | OES11-SP1-Updates | Yes | Yes
List patches in the Updates repository
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-May-2013-Scheduled-Maintenance | 7715 | security | Needed
Install the maintenance patch
zypper up -t patch oes11sp1-May-2013-Scheduled-Maintenance
Then list the patches again to make sure it is installed
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-May-2013-Scheduled-Maintenance | 7715 | security | Installed
May 2013 Scheduled Maintenance for OES11SP1 7715
Key DSfW specific bugs fixed with this maintenance patch for OES11SP1
- 769530: OES11SP1LH: DSfW provisioning task “Assign Rights” – rerun fails with error -614 (entry already exists)
- 783005: DSFW: AD Ping doesn’t…
April 2013 Scheduled Maintenance
April 2013 Scheduled Maintenance has been released
How to apply the patch with zypper
List repositories
zypper lr
Should see the following:
nu_novell_com:OES11-SP1-Updates | OES11-SP1-Updates | Yes | Yes
List patches in the Updates repository
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-April-2013-Scheduled-Maintenance | 7421 | security | Needed
Install the maintenance patch
zypper up -t patch oes11sp1-April-2013-Scheduled-Maintenance
Then list the patches again to make sure it is installed
zypper pch OES11-SP1-Updates
Should see the following:
OES11-SP1-Updates | oes11sp1-April-2013-Scheduled-Maintenance | 7421 | security | Installed
April 2013 Scheduled Maintenance for OES11SP1 (7421)
Key DSfW specific bugs fixed with this maintenance patch for OES11SP1
- 770208: OES11SP1LH: DSfW provisioning of DNS generates duplicate forward and reverse lookup zones if they already exists
- 785697: Provsioning pre healthCheck fails in ADC.
- 791640: DSFW FTU1:During ADC Provosioning PreCheck, the…
NDSD Health Check Script
I’ve received a great deal of feedback on the DSfW Health Check Script and applied some changes. One of the suggestions was to do an ndsd (eDirectory) only script. The DSfW Health Check Script works for both DSfW and eDirectory servers, but if all you want to do is check eDirectory health on a DSfW server, or you want a script only for ndsd that is smaller and simpler, this is an option.
I am always looking for suggestions. I’ve created a video for the ndsd_heaclthchk script. Watch it to learn about configuring it for your specific needs.
Look for NDSD Health Check in the download section.
The configuration options are as follows
# Set emailsetting to 1 to send e-mail log when finished. Set to 0 or remove the 1 to disable
emailsetting=0
# Set emailonerror to 1 to send e-mail log if an error is returned. Set to…