aix:marc [2022/03/29 11:48] manu |
aix:marc [2025/08/23 23:37] (current) |
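--- a/aix:marc
+++ b/aix:marc
@@ -3,4 +3,4 @@
 ===== Register a new AD user =====
-If the user **-it** still exist, check the UID on a <fc #ff0000>linux server</fc> connected to Active Directory (sssd process will convert Windows SID to an UNIX UID; Else create it first into active directory
+If the user **-it** still exist, check the UID on a linux server connected to Active Directory (sssd process will convert Windows SID to an UNIX UID; Else create it first into active directory
 <cli prompt='#'>
 [root@LINUX ~]# id user01
@@ -11,4 +11,4 @@
 We need uid=1200123421(user01@test.lu) and 1200123456(aix-users@test.lu)
-<fc #800080>For AIX users the following field must be fulfill into Active Directory</fc>
+**For AIX users the following field must be fulfill into Active Directory**
 ^Parameter^Value^comment^
 |uid|user01|lowercase|
@@ -19,4 +20,4 @@
 |uidNumber|1200123421|userID|
-<fc #800080>For AIX groups the following field must be fulfill into Active Directory (For group aix-users)</fc>
+**For AIX groups the following field must be fulfill into Active Directory (For group aix-users)**
 ^Parameter^Value^
 |gidNumber|1200123456|
@@ -58,5 +60,7 @@
 gsk8capicmd_64 -cert -list -db /etc/security/ldap/ldap.kdb -pw $pwd1
 gsk8capicmd_64 -cert -details -db /etc/security/ldap/ldap.kdb -pw $pwd1 -label 'AD_LU_ca2.cer'
-ssh $host "mksecldap -c -h ldap_srv.test.lu -n 636 -k /etc/security/ldap/ldap.kdb -w $pwd1 -j SSL -a 'CN=ldapuser,OU=Users Misc,OU=Users,OU=....,DC=aaa,DC=test,DC=lu' -p $pwd2 -d 'OU=Users,OU=Users & Groups,DC=aaa,DC=test,DC=lu' -A ldap_auth -u NONE
+mksecldap -c -h ldap_srv.test.lu -n 636 -k /etc/security/ldap/ldap.kdb -w $pwd1 -j SSL -a 'CN=ldapuser,OU=Users Misc,OU=Users,OU=....,DC=aaa,DC=test,DC=lu' -p $pwd2 -d 'OU=Users,OU=Users & Groups,DC=aaa,DC=test,DC=lu' -A ldap_auth -u NONE
 </code>
+
+If mksecldap command failed, maybe you are not looking at right tree into AD, change the OU
 <cli prompt='#'>
@@ -112,2 +116,4 @@
 PAM is more flexible to control access protocols compared to AIX standard authentifications
+
+You can comment unused services
 To use PAM with access control for user and groups
@@ -272,2 +278,112 @@
 [root@aixsrv]/etc # chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH
 </cli>
+
+<code>
+check_nimclient.sh
+#!/usr/bin/ksh
+#set -x
+##################################################
+#@(#) Check NIM CPUID
+##################################################
+# version: 1.0 2023-02 emmiff4
+##################################################
+
+dir=`dirname $0`
+. $dir/.env
+
+
+###########################################################################
+# usage ()
+#
+# Display usage message and exit
+#
+# Parameters:
+# - none
+###########################################################################
+usage()
+{
+echo "Usage:"
+echo "no parameter, will check CPUID on master and client, and change if not OK"
+echo "-c reset -l <client_name> : will delete the nim client and recreate"
+exit 0
+}
+
+#------------------------------------------------
+reset_cpuid () {
+
+MASTERCPUID=$(uname -m)
+for lpar in $(lsnim -t standalone | awk '{print $1}' | grep -v vio)
+do
+CPUID=$(ssh -o ConnectTimeout=10 $lpar 'uname -m' 2>/dev/null)
+lenght=${#CPUID}
+if [ "$lenght" -ne "12" ]
+then
+echo "$lpar: no CPUID $CPUID $lenght"
+else
+NIMCPUID=$(lsnim -l $lpar | grep cpuid | rev | awk '{print $1}' | rev)
+CLIENTCPUID=$(ssh $lpar "grep NIM_MASTERID /etc/niminfo" | sed 's/=/\ /g' | rev | awk '{print $1}' | rev)
+cmd=$(echo sed "'s/"${CLIENTCPUID}"/"${MASTERCPUID}"/'")
+if [ "$NIMCPUID" == "$CPUID" ]
+then
+#echo "$CPUID $CLIENTCPUID $NIMCPUID" | tr ' ' '\n' | sort -u
+if [ "$MASTERCPUID" == "$CLIENTCPUID" ]
+then
+echo "$lpar: MASTERCPUID OK"
+else
+echo "$lpar: client $CPUID /etc/niminfo ERROR"
+echo "$lpar: changed"
+ssh $lpar "cp /etc/niminfo /etc/niminfo.old ; cat /etc/niminfo | $cmd > /etc/niminfo.new ; mv /etc/niminfo.new /etc/niminfo ; stopsrc -s nimsh ; startsrc -s nimsh"
+fi
+else
+echo "$lpar: nimserver $CPUID $NIMCPUID ERROR"
+nim -o change -a cpuid=${CPUID} $lpar
+if [ "$MASTERCPUID" != "$CLIENTCPUID" ]
+then
+echo "$lpar: client $CPUID /etc/niminfo ERROR"
+echo "$lpar: changed"
+ssh $lpar "cp /etc/niminfo /etc/niminfo.old ; cat /etc/niminfo | $cmd > /etc/niminfo.new ; mv /etc/niminfo.new /etc/niminfo ; stopsrc -s nimsh ; startsrc -s nimsh"
+fi
+fi
+fi
+done
+
+}
+
+#------------------------------------------------
+recreate_client () {
+echo $lpar $COMMAND
+echo "nim -o remove $lpar"
+echo "ssh $lpar ""'"rm /etc/niminfo"'"
+echo "ssh $lpar ""'"stopsrc -s nimsh"'"
+echo "ssh $lpar ""'"niminit -a name=$lpar -a pif_name=en0 -a master=$master -a platform=chrp -a connect=nimsh -a cable_type='"'N/A'"'"'"
+}
+
+
+
+#############################################
+# main
+#############################################
+main()
+{
+master=$(hostname -s)
+
+if [ -z "$1" ]
+then
+echo "OK"
+reset_cpuid
+else
+while (( "$#" )); do
+case $1 in
+help|-h|-help) usage ;;
+-c) shift && COMMAND="$1" ;;
+-l) shift && lpar="$1"
+recreate_client ;;
+esac
+shift
+done
+fi
+}
+
+main $* | tee $logname 2>&1
+</code>
+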
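Review bot: In the last hunk, the final line `main $* | tee $logname 2>&1` attaches `2>&1` to `tee` rather than to `main`, so stderr from `main` (the `ssh`, `lsnim` and `nim -o change` failures) never reaches the log file, and `$*` is unquoted; I'd change it to `main "$@" 2>&1 | tee "$logname"`. `$logname` is assigned nowhere in the script and presumably comes from the sourced `$dir/.env`, so a comment after the `. $dir/.env` line such as `# .env must define logname (path of the log file)` would document that, and a `[ -n "$logname" ]` guard before the pipeline would avoid `tee` being handed an empty path. Since `. $dir/.env` is resolved from `dirname $0`, the script executes whatever `.env` sits next to it; the header should state that the script directory and `.env` must not be writable by anyone but the NIM master's administrator. The same hunk also still passes the LDAP bind passwords on the `mksecldap` command line (`-w $pwd1 -p $pwd2`), which is visible in `ps` output while it runs, though that line predates this change.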