Active Directory: User account repeatedly locked for no reason?

There are a few situations that can lead to a user account being locked out in an Active Directory environment. The following two are worth mentioning, because at first sight it may look as if the account was locked out "for no reason".


NetApp: SNMP request timeout?

If you try to make an SNMP request and get a timeout like this:
% snmpwalk -v 1 -c public netapp-name
Timeout: No Response from netapp-name

Check that SNMP is enabled (options snmp.enable) and that your host is allowed to perform SNMP queries against the NetApp (options snmp.access).

By the way, do use -v 1 (protocol version 1): I had timeouts while using -v 2c as well…

Debian network configuration

On a Debian system, the network configuration is stored in /etc/network.

In this directory you'll find:

  • interfaces: this file describes your NICs according to interfaces(5) (check that man page to see how to set up an interface: fixed IP or DHCP, gateway, netmask, and so on)
  • if-pre-up.d: directory of scripts run before an interface is brought up
  • if-up.d: directory of scripts run right after an interface is brought up
  • if-down.d: directory of scripts run before an interface is brought down
  • if-post-down.d: directory of scripts run after an interface is brought down
  • run/ifstate: the current state of the NICs

You'll mostly want to tweak the interfaces file, and probably put some scripts in the various hook directories. For example, /etc/network/if-pre-up.d is the right place for the script that sets up your firewall (iptables commands and ruleset), since it runs before the interface is up and therefore before any traffic can reach it.
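As an added example (not from the original post), here is an if-pre-up.d hook that loads a saved iptables ruleset before the interface comes up and refuses to continue if the ruleset is missing, so the NIC never goes live unfiltered; the ruleset path in RULESET is an assumption, and IFACE and MODE are the variables ifupdown exports as documented in interfaces(5).

```sh
#!/bin/sh
# Hypothetical /etc/network/if-pre-up.d/firewall (added example, not the
# post's own code). Loads a ruleset previously saved with iptables-save.
# Assumed path; override with RULESET=/path/to/rules in the environment.
RULESET="${RULESET:-/etc/iptables/rules.v4}"

# should_load IFACE MODE -> 0 when the hook must act, 1 otherwise.
# Act only while an interface is being started, and never for loopback.
should_load() {
    iface="$1"
    mode="$2"
    [ "$mode" = "start" ] || return 1
    [ -n "$iface" ] && [ "$iface" != "lo" ] || return 1
    return 0
}

# load_ruleset FILE -> feeds FILE to iptables-restore. A missing or
# unreadable ruleset is an error: a non-zero exit from a pre-up hook makes
# ifup abort, which is safer than bringing the interface up unfiltered.
load_ruleset() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "firewall: ruleset $file is missing or unreadable" >&2
        return 1
    fi
    iptables-restore < "$file"
}

main() {
    should_load "$IFACE" "$MODE" || return 0
    load_ruleset "$RULESET"
}

# ifupdown always sets IFACE; when run by hand without it, do nothing.
if [ -n "${IFACE:-}" ]; then
    main
fi
```

Install it with mode 0755 in /etc/network/if-pre-up.d/ and keep the ruleset file readable by root only.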

Be sure to read the Debian Reference, which covers this and much more in great detail.

Keeping track of changes with cfengine and SubVersioN

Cfengine is a tool whose purpose is to describe what a healthy system looks like and how to bring it back to that state when something fails.

I won't go into an explanation of how cfengine works, because the project webpage already has a neat tutorial and a complete reference. Instead, I'll explain how I used cfengine to build a foolproof Linux firewall.


Active Directory: PDC Emulator FSMO role

In an Active Directory domain, one Domain Controller holds the special FSMO role "PDC Emulator".

As its name suggests, it is there to ease migration from NT 4 domains to Active Directory 2000 and later domains by letting the DC holding this role behave like an NT4 Primary Domain Controller. This allows you to keep running NT4 BDCs (Backup Domain Controllers) and NT4 clients while you migrate the core DCs to Windows 2000 and later.

However, if you think the PDC Emulator is useless when you have no NT4 component left in your infrastructure, you're wrong!

It serves several other purposes:

  • When you use GPMC to modify a GPO (Group Policy Object), GPMC will by default perform the modification on the DC holding the PDC Emulator role. This prevents two administrators from making conflicting modifications to the same GPO.
  • The PDC Emulator is responsible for keeping the time synchronized on all the DCs.
  • When a password is changed on a DC, the change is immediately replicated to the DC holding the PDC Emulator role, and then to the other DCs according to the normal replication schedule. When a user fails to authenticate on a DC, that DC immediately checks with the PDC Emulator to find out whether the failure is due to a password change not yet replicated; if so, and the credentials match the new password, the authentication succeeds. This reduces the latency for a password change to take effect.

In short, even in a pure Windows 2000 and later domain, the PDC Emulator role is one of the most important ones.

Solaris 10: managing services with SMF

In Solaris 10, services are managed by SMF. The scripts in /etc/rcX.d are only there for legacy reasons (and so is inetd).
To manage services you mainly use two commands: svcadm and svcs. Below are the most useful invocations.

disable a service:
# svcadm disable network/finger

enable a service:
# svcadm enable network/finger

list all enabled services:
# svcs

list all services:
# svcs -a

list services in an error state, with an explanation:
# svcs -x

These are the only options I've used so far… for the other ones, check the manual!