IBM Books

Diagnosis Guide

Diagnostic procedures

This section describes how to check whether the security services component is operating as expected.

See (SECRDL5) for a list of DCE commands that may be helpful. For more information on each command, see IBM DCE for AIX, Version 3.1: Administration Commands Reference.

Find out about your configuration

Perform these steps to determine your current configuration:

  1. Issue splstdata -p to find out the number of partitions and the security methods enabled. See Check enabled security. SP Security Services will use DCE first if enabled and then Kerberos V4. Keep this in mind when performing problem determination.
  2. Check if your SP system is configured for Kerberos V4 use by issuing the lskp command and look for principals similar to hardmon.partition_name, rcmd.partition_name, and root.admin.

    The output of lskp is similar to: 

    hardmon.c166cw  tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
hardmon.c166s   tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
hardmon.c166sp1 tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
hardmon.c166sp2 tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
hardmon.c186cw  tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
rcmd.c186sn04   tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
rcmd.c186sn05   tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
rcmd.c186sn06   tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
rcmd.c186sp1    tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
root            tkt-life: 30d       key-vers: 2 expires: 2037-12-31 23:59
root.SPbgAdm    tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
root.admin      tkt-life: 30d       key-vers: 1 expires: 2037-12-31 23:59
  3. Check if your SP system is configured for DCE use by issuing the dcecp command and looking for principals similar to: cell_name/ssp/hostname/service.

    Issue this command: 

    dcecp -c principal cat | grep ssp

    Output is similar to: 

    /.../c166dcecell/ssp/c166cw.ppd.pok.ibm.com/css
/.../c166dcecell/ssp/c168n01.ppd.pok.ibm.com/css
/.../c166dcecell/ssp/c166cw.ppd.pok.ibm.com/hardmon
/.../c166dcecell/ssp/c166cw.ppd.pok.ibm.com/pmand
/.../c166dcecell/ssp/c166s/sdr
/.../c166dcecell/ssp/c166sp1/sdr
/.../c166dcecell/ssp/c166cw.ppd.pok.ibm.com/sp_configd
/.../c166dcecell/ssp/c168n01.ppd.pok.ibm.com/sp_configd
/.../c166dcecell/ssp/c166cw.ppd.pok.ibm.com/spbgroot
/.../c166dcecell/ssp/c168n01.ppd.pok.ibm.com/spbgroot
/.../c166dcecell/ssp/c166cw.ppd.pok.ibm.com/spmgr
/.../c166dcecell/ssp/c166cw.ppd.pok.ibm.com/switchtbld
/.../c166dcecell/ssp/c168n01.ppd.pok.ibm.com/switchtbld
/.../c166dcecell/ssp/c166cw.ppd.pok.ibm.com/sysctl
/.../c166dcecell/ssp/c168n01.ppd.pok.ibm.com/sysctl
 
/.../c166dcecell/ssp/c166n01.ppd.pok.ibm.com/css
/.../c166dcecell/ssp/c166n13.ppd.pok.ibm.com/css

Verify DCE Security Services configuration

Verify the configuration for DCE or Kerberos V4, depending on which method you are using.

These procedures check installed file sets, daemons, principals, accounts, groups, rpc entries, keytabs, and key files. Note that names of DCE entities shown reflect the use of the default names, with any changes that may have been specified in the spdata/sys1/spsec/spsec_overrides file.

Check that required DCE file sets are installed

Systems using DCE for security services require the core client file sets. Refer to DCE product documentation for the list of expected file sets. Refer to PSSP release documentation for required PTF levels, if any. Compare the list of expected file sets, and those of any PTFs, with those on your system. Issue the command: 

lslpp -l dce*

Output is similar to: 

Fileset                      Level   State      Description
----------------------------------------------------------------
Path: /usr/lib/objrepos
dce.cds.rte                3.1.0.0 COMMITTED DCE Cell Directory Services
dce.client.core.rte        3.1.0.0 COMMITTED DCE Client Services
dce.client.core.rte.admin  3.1.0.0 COMMITTED DCE Client Administrative Tools
dce.client.core.rte.cds    3.1.0.0 COMMITTED DCE Client CDS Tools
dce.client.core.rte.config 3.1.0.0 COMMITTED DCE Client Configuration Tools
dce.client.core.rte.rpc    3.1.0.0 COMMITTED DCE Client RPC Tools
dce.client.core.rte.security
                           3.1.0.0 COMMITTED DCE Client Security Tools
dce.client.core.rte.time   3.1.0.0 COMMITTED DCE Client Time Tools
dce.client.core.rte.zones  3.1.0.0 COMMITTED DCE Client Time Zones
dce.compat.cds.smit
                        3.1.0.0 COMMITTED DCE SMIT Cell Directory Services
dce.compat.client.core.smit
                        3.1.0.0 COMMITTED DCE SMIT Client Tools
dce.compat.security.smit   3.1.0.0 COMMITTED DCE SMIT Security Services
dce.pthreads.rte
                        3.1.0.0 COMMITTED DCE Threads Compatibility Library
dce.security.rte           3.1.0.0 COMMITTED DCE Security Services

Check that the DCE client daemons are running

This example shows how to display the status of the DCE daemons on a node or workstation. This command should also be run on the workstation where the DCE servers are located. Issue the command: 

lsdce -r

Output is similar to: 

Gathering component state information... 
                 Component Summary for Host: c58n03 
           Component           Configuration State   Running State 
Security client                     Configured           Running
RPC                                 Configured           Running
Directory client                    Configured           Running

Good results are indicated by the three components, Security client, RPC, and Directory client having a Configuration State of Configured and Running State of Running.

Error results are indicated if one or more of the three components are missing, or they have different values for Configuration State or Running State.

Check SP-unique principals, accounts, and keytabs

Each service defined in configuration file /usr/lpp/ssp/config/spsec_defaults should have an instance defined with a DCE principal, account, and keytab for each host configured to use DCE authentication. Exceptions are those services defined as having one instance for each system partition. These values may be overridden if you have made changes to the spsec_overrides file.

This example shows the subset of DCE registry information for PSSP and RSCT services on a control workstation. Here, the DCE hostname is sp5cw, and there are two system partitions named sp5p1 and sp5p2. Issue the command: 

dcecp -c acc cat -s | egrep "^ssp/|^rsct/" | egrep "sp5cw|sp5p1|sp5p2"

Output is similar to: 

rsct/sp5cw/rsct
ssp/sp5cw/css
ssp/sp5cw/hardmon
ssp/sp5cw/pmandssp/sp5cw/sp_configd
ssp/sp5cw/spbgroot
ssp/sp5cw/spmgr
ssp/sp5cw/switchtbld
ssp/sp5cw/sysctl
rsct/sp5p1/hats
ssp/sp5p1/sdr
rsct/sp5p2/hats
ssp/sp5p2/sdr

Verify that there are keytab objects with the same names by issuing: 

dcecp -c key cat -s | egrep "^ssp/|^rsct/" | egrep "sp5cw|sp5p1|sp5p2"

The key files for these services have the same names also. Find them by issuing the following: 

( cd /spdata/sys1/keyfiles; find ssp -type f; find rsct -type f )

Check the existence and membership of SP access groups

Access to SP trusted services is generally granted through group membership, when using DCE for security. The groups are named as shown in the /usr/lpp/ssp/config/spsec_defaults file, unless you have specified alternate names in the spsec_overrides file. The following example shows how to check that the SP security administration group exists and has the cell administrator as a member. Issue the command: 

dcecp -c group list $(spgrpname spsec-admin)

Output is similar to: 

/.../cellname/cell_admin

Check the DCE CDS information required by SP ACL managers

The DCE ACL managers in the Hardware Monitor and Sysctl servers must have rpcentry objects defined in the CDS (Cell Directory Services), so that the ACL editor can locate the servers.

This example shows how to verify that the required entries exists and that their ACLs allow write access by the service principals. A control workstation must have entries for hardmon and sysctl. Other hosts have only sysctl entries. The following shell script is for a control workstation whose DCE hostname is sp5cw: 

for rpcentry in $(dcecp -c dir list /.:/subsys/ssp/sp5cw)
do
dcecp -c acl show $rpcentry -entry | grep ${rpcentry##*/}
done{user ssp/sp5cw/hardmon rwdtc}
{user ssp/sp5cw/sysctl rwdtc}

Verify configuration of Kerberos V4

These procedures check the Kerberos V4 configuration files, Kerberos V4 authentication database, Kerberos V4 database administration ACL files, server key (srvtab) files, and Kerberos V4 daemons.

Check the Kerberos V4 configuration files

The configuration files are /etc/krb.conf and /etc/krb.realms. If you did not supply them, default files were created when you set up your primary authentication server. The default krb.conf file contains the realm name, derived from the domain part of the server's hostname. The default realms file is empty, unless hosts in the realm have network interfaces with different domain names.

When you create your own krb.conf file, you may have multiple entries per server, specifying different network interfaces. You would typically need to do this if your primary and secondary servers are connected by a different network than that which connects the primary server to the SP nodes. For example: 

cat /etc/krb.conf
ABC.ORG
ABC.ORG sp5en0.abc.org admin server
ABC.ORG sp5en1.abc.org admin server
ABC.ORG bk5en1.abc.org

Check the Kerberos V4 authentication database

Use the lskp command to display information about Kerberos V4 principals. Specify the -p flag to inspect the principals predefined by Kerberos V4, including one named default, that supplies the default expiration date and maximum ticket lifetime values for new user principals: 

lskp -p
krbtgt.ABC.ORG    tkt-life: 30d   key-vers: 1  expires: 2037-12-31 23:59
K.M               tkt-life: 30d   key-vers: 1  expires: 2037-12-31 23:59
changepw.kerberos tkt-life: 30d   key-vers: 1  expires: 2037-12-31 23:59
default           tkt-life: 30d   key-vers: 1  expires: 2037-12-31 23:59

Specify the -s flag to inspect the service principals used by SP servers: 

lskp -s
hardmon.sp5cw  tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
hardmon.sp5en  tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
rcmd.sp5cw     tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
rcmd.sp5en     tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
rcmd.node1en   tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
rcmd.node1sw   tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
rcmd.node1tr   tkt-life: Unlimited key-vers: 1 expires: 2037-12-31 23:59
rcmd.node2en   tkt-life: Unlimited key-vers: 2 expires: 2037-12-31 23:59
rcmd.node2sw   tkt-life: Unlimited key-vers: 2 expires: 2037-12-31 23:59
rcmd.node2tr   tkt-life: Unlimited key-vers: 2 expires: 2037-12-31 23:59

Check the Kerberos V4 administration ACL files

There are three ACL files that control access to the Kerberos V4 database through the kadmin command and through the Sysctl procedures mkkp, chkp, lskp, and rmkp. When you set up Kerberos V4, each ACL file was created with an entry for the administrators you defined. You may want to have different ACL entries, for example, authorizing the use of lskp and the get subcommand of kadmin: 

cat /var/kerberos/database/admin_acl.getroot.admin
frank.admin
lucy.admin

Check the Kerberos V4 srvtab files

The /etc/krb-srvtab file should exist on each host, and contain keys that match those in the Kerberos V4 database. On the control workstation, file /etc/spa-srvtab should also exist, containing only the key for principal root.SPbgAdm. Use the ksrvutil command to show these files. 

ksrvutil list 
Version    Principal
1     rcmd.sp5cw@ABC.ORG
1     hardmon.sp5cw@ABC.ORG
1     rcmd.sp5en@ABC.ORG
1     hardmon.sp5en@ABC.ORG
1     root.SPbgAdm@ABC.ORG

Check that the Kerberos V4 daemons are running

This example shows how to display the status of the Kerberos V4 authentication daemon. If the status is shown as inoperative, check the daemon's log file for error information. See Kerberos V4 daemon logs. Normally the subsystem is started when setup_authent is run during PSSP installation, and automatically on reboot. An example of normal output is:

  1. lssrc -s kerberos

    Output is similar to: 

    Subsystem          Group             PID      Status
 kerberos                            16256    active
  2. tail /var/adm/SPlogs/kerberos/kerberos.log

    Output is similar to: 

     3-Jun-1999 14:16:58 Kerberos started, PID=20910
10-Jun-1999 13:56:02 Kerberos started, PID=18874
19-Jun-1999 21:04:56 Kerberos started, PID=16256

Check enabled security

You must have at least one security method in common enabled on the control workstation and on a node, for remote communication and for SP services using authentication to function properly.

These steps show a properly configured system:

  1. Issue the command splstdata -p. Output is similar to: 
    List System Partition Information
System Partitions:
------------------
c166s
c166sp1
c166sp2
 
Syspar: c166s
-----------------------------------------------------------------------
syspar_name     c166s
ip_address      9.114.10.166
install_image   default
syspar_dir      /spdata/sys1/syspar_configs/3nsb0isb/config.4_4_40/layout.
 3syspar-coex/syspar.3.c166s
code_version    PSSP-2.4
haem_cdb_version 939568157,265012085,0
 
auth_install    dce:k4
auth_root_rcmd  dce:k4
ts_auth_methods dce:compat
auth_methods    k5:k4:std
Syspar: c166sp1
-------------------------------------------------------------------------
syspar_name     c166sp1
ip_address      9.114.10.220
install_image   default
syspar_dir      /spdata/sys1/syspar_configs/3nsb0isb/config.4_4_40/layout.
 3syspar-coex/syspar.1.c166sp1
code_version    PSSP-2.4
haem_cdb_version 939568026,670463251,0
 
auth_install    k4
auth_root_rcmd  k4
ts_auth_methods compat
auth_methods    k4:std
 
Syspar: c166sp2
-------------------------------------------------------------------------
syspar_name     c166sp2
ip_address      9.114.10.233
install_image   bos.obj.ssp.433
syspar_dir      /spdata/sys1/syspar_configs/3nsb0isb/config.4_4_40/layout.
 3syspar-coex/syspar.2.c166sp2
code_version    PSSP-3.2
haem_cdb_version 939568100,243454795,0
 
auth_install    dce
auth_root_rcmd  dce:std
ts_auth_methods dce
auth_methods    k5:std
  2. Issue the command export SP_NAME=c166s.
  3. Issue the command dsh -w c166n01 lsauthent. Output is similar to: 
    c166n01: Kerberos 5
c166n01: Kerberos 4
c166n01: Standard Aix
  4. Issue the command dsh -w c166n01 lsauthts. Output is similar to: 
    c166n01: DCE
c166n01: Compatibility
  5. Issue the command export SP_NAME=c166sp1.
  6. Issue the command dsh -w c168n03 lsauthent. Output is similar to: 
    168n03: Kerberos 4
c168n03: Standard Aix
c168n03: kerberos: Couldn't get credentials for the server: Server
 not found in Kerberos database.
  7. Issue the command dsh -w c168n03 lsauthts. Output is similar to: 
    168n03: Compatibility
c168n03: kerberos: Couldn't get credentials for the server: Server
 not found in Kerberos database.
  8. Issue the command export SP_NAME=c166sp2.
  9. Issue the command dsh -w c166n03 lsauthent. Output is similar to: 
    166n03: Kerberos 5
c166n03: Standard Aix
  10. Issue the command dsh -w c166n03 lsauthts. Output is similar to: 
    166n03: DCE

Check authentication

These sections verify that you have the proper credentials to perform the required functions.

Check DCE authentication and authorization

These steps obtain DCE authentication tickets, display them, use them to perform a trivial Sysctl task, destroy them, and verify their destruction.

  1. dce_login operator 
    Enter Password:
DCE LOGIN SUCCESSFUL
  2. klist

    Expected output is similar to: 

    DCE Identity Information:
          Warning: Identity information is not certified
          Global Principal: /.../abc.org/operator
          Cell:   005741da-98d4-1eae-b63d-02608c2d0159 /.../abc.org
          Principal: 000017bc-2e20-2f5b-8a00-02608c2d0159 operator
          Group:     000403ef-db41-63cf-5802-00000018595c staff
          Local Groups:
                   000403ef-db41-63cf-5802-00000018595c staff
                   0000ac71-8883-21d0-a501-00000018595c hm-monitor
Identity Info Expires: 1999/09/25:19:11:50
Account Expires:       never
Passwd Expires:        1999/10/22:10:41:12
Kerberos Ticket Information:
Ticket cache: /opt/dcelocal/var/security/creds/dcecred_67e4a7f7
Default principal: operator@abc.org
Server: krbtgt/abc.org@abc.org
      valid 1999/09/24:13:11:50 to 1999/09/25:19:11:50
Server: dce-rgy@abc.org
          valid 1999/09/24:13:11:51 to 1999/09/25:19:11:50
Server: dce-ptgt@abc.org
          valid 1999/09/24:13:11:51 to 1999/09/25:01:11:51
Client: dce-ptgt@abc.org      Server: krbtgt/abc.org@abc.org
          valid 1999/09/24:13:11:51 to 1999/09/25:01:11:51
Client: dce-ptgt@abc.org      Server: dce-rgy@abc.org
      valid 1999/09/24:13:11:52 to 1999/09/25:01:11:51

    The Local Groups section shows which groups are checked for authorization access. The Identity Info Expires section shows when your credentials will expire.

  3. sysctl whoami -v

    Expected output is similar to: 

    DCE: /.../abc.org/operator
K4:  operator@ABC.ORG
AIX: joseph
  4. kdestroy
  5. klist

    Expected output is similar to: 

    No DCE identity available: No currently established
   network identity for this context exists (dce / sec)
 
Kerberos Ticket Information:
 
klist: No credentials cache file found (dce / krb) 
(ticket cache /opt/dcelocal/var/security/creds/dcecred_67e4a7f7

Check DCE authentication for an SP service principal

These steps are used to check whether an SP service principal can login to DCE. If the login fails, it may indicate DCE server problems or key file problems for the SP service principal used. The following example shows results similar to what the command will return when there are no problems. Be sure to destroy the credentials obtained, as illustrated in the example.

  1. dsrvtgt

    Output is similar to: 

     dsrvtgt ssp/css
 FILE:/opt/dcelocal/var/security/creds/dcecred_7aa04600
  2. kdestroy -c FILE:/opt/dcelocal/var/security/creds/dcecred_7aa04600

Check Kerberos V4 authentication

These steps obtain Kerberos V4 authentication tickets, use them to perform a trivial task using Sysctl, display them, destroy them, and verify their destruction.

  1. k4init operator

    Output is similar to: 

    Kerberos Initialization for "operator"
Password:
  2. k4list

    Output is similar to: 

    Ticket file:     /tmp/tkt1890
Principal:       operator@ABC.ORG
  Issued          Expires          Principal
Sep 22 13:55:32  Oct 22 13:55:32   krbtgt.ABC.ORG@ABC.ORG
  3. sysctl whoami -v

    Output is similar to: 

    CE:
K4:  operator@ABC.ORG
AIX: joseph
  4. k4destroy

    Output is similar to: 

    Tickets destroyed.
  5. k4list

    Output is similar to: 

    Ticket file:     /tmp/tkt1890
k4list: 2504-076 Kerberos ticket file was not found

Check authorization

These sections verify that you have the proper authorization files to perform the required functions.

Check DCE ACL authorization

These steps check on authorization to perform a trivial Hardware Monitor task based on a DCE ACL granting access to a group.

  1. dce_login operator

    Output is similar to: 

    Enter Password:
DCE LOGIN SUCCESSFUL
  2. klist

    Output is similar to: 

    DCE Identity Information:
   Warning: Identity information is not certified
   Global Principal: /.../abc.org/operator
   Cell:      005741da-98d4-1eae-b63d-02608c2d0159 /.../abc.org
   Principal: 000017bc-2e20-2f5b-8a00-02608c2d0159 operator
   Group:     000403ef-db41-63cf-5802-00000018595c staff
   Local Groups:
              000403ef-db41-63cf-5802-00000018595c staff
              0000ac71-8883-21d0-a501-00000018595c hm-monitor
Identity Info Expires: 1999/09/25:19:11:50
Account Expires:       never
Passwd Expires:        1999/10/22:10:41:12
Kerberos Ticket Information:
Ticket cache: /opt/dcelocal/var/security/creds/dcecred_67e4a7f7
Default principal: operator@abc.org
Server: krbtgt/abc.org@abc.org
          valid 1999/09/24:13:11:50 to 1999/09/25:19:11:50
Server: dce-rgy@abc.org
          valid 1999/09/24:13:11:51 to 1999/09/25:19:11:50
Server: dce-ptgt@abc.org
          valid 1999/09/24:13:11:51 to 1999/09/25:01:11:51
Client: dce-ptgt@abc.org      Server: krbtgt/abc.org@abc.org
          valid 1999/09/24:13:11:51 to 1999/09/25:01:11:51
Client: dce-ptgt@abc.org      Server: dce-rgy@abc.org
          valid 1999/09/24:13:11:52 to 1999/09/25:01:11:51
    The Local Groups section shows which groups are checked for authorization access. The Identity Info Expires section shows when your credentials will expire.
  3. dcecp -c acl show /.:/subsys/ssp/sp5cw/hardmon/system

    Output is similar to: 

    {group spsec-admin -c-----}
{group hm-control --vsmu-}
{group hm-control-services --vsmu-}
{group hm-monitor ----m--}
{group hm-monitor-services ----m--}
  4. hmdceobj -q

    Output is similar to: 

    system
 hardmon
  5. kdestroy

Check DCE group authorization

These steps allow you to check whether an id is located in a DCE group. Normally, you would add a group to a DCE ACL file and add DCE principals to the groups for access to SP services.

  1. To check groups for your logged in DCE principal, issue this command: 
    klist

    Output is similar to: 

    DCE Identity Information:
   Warning: Identity information is not certified
   Global Principal: /.../abc.org/operator
   Cell:      005741da-98d4-1eae-b63d-02608c2d0159 /.../abc.org
   Principal: 000017bc-2e20-2f5b-8a00-02608c2d0159 operator
   Group:     000403ef-db41-63cf-5802-00000018595c staff
   Local Groups:
              000403ef-db41-63cf-5802-00000018595c staff
              0000ac71-8883-21d0-a501-00000018595c hm-monitor
Identity Info Expires: 1999/09/25:19:11:50
Account Expires:       never
Passwd Expires:        1999/10/22:10:41:12
Kerberos Ticket Information:
Ticket cache: /opt/dcelocal/var/security/creds/dcecred_67e4a7f7
Default principal: operator@abc.org
Server: krbtgt/abc.org@abc.org
          valid 1999/09/24:13:11:50 to 1999/09/25:19:11:50
Server: dce-rgy@abc.org
          valid 1999/09/24:13:11:51 to 1999/09/25:19:11:50
Server: dce-ptgt@abc.org
          valid 1999/09/24:13:11:51 to 1999/09/25:01:11:51
Client: dce-ptgt@abc.org      Server: krbtgt/abc.org@abc.org
          valid 1999/09/24:13:11:51 to 1999/09/25:01:11:51
Client: dce-ptgt@abc.org      Server: dce-rgy@abc.org
          valid 1999/09/24:13:11:52 to 1999/09/25:01:11:51
  2. To find out what groups are defined in DCE, issue this command: 
    dcecp -c group cat

    Output is similar to: 

    /.../c166dcecell/sdr-system-class-admin-services
/.../c166dcecell/sdr-system-class-write
/.../c166dcecell/sdr-system-class-write-services
/.../c166dcecell/sdr-write
/.../c166dcecell/sdr-write-services
/.../c166dcecell/switchtbld-clean
/.../c166dcecell/switchtbld-load
/.../c166dcecell/switchtbld-status
/.../c166dcecell/sysctl-cwsroot
/.../c166dcecell/sysctl-logmgt
/.../c166dcecell/sysctl-logmgt-services
/.../c166dcecell/sysctl-master
/.../c166dcecell/sysctl-mmcmd
/.../c166dcecell/sysctl-mmcmd-services
/.../c166dcecell/sysctl-pman
/.../c166dcecell/sysctl-vsd
/.../c166dcecell/sysctl-vsd-services
  3. To find out members of a group, issue this command: 
    dcecp -c group list group_name

    Output is similar to: 

    /.../c166dcecell/joseph
/.../c166dcecell/mary

Check Kerberos V4 ACL authorization

These steps check on authorization to perform trivial tasks, one based on Sysctl ACL permissions, the other based on hardmon ACL permissions.

  1. k4init operator

    Output is similar to: 

    Kerberos Initialization for "operator"
Password:
  2. cat /etc/sysctl.acl

    Output is similar to: 

    acl
_PRINCIPAL root.admin@ABC.ORG
_PRINCIPAL operator@ABC.ORG
  3. sysctl puts {This is a test message}

    Output is similar to: 

    This is a test message
  4. cat /spdata/sys1/spmon/hmacls

    Output is similar to: 

    sp5cw.abc.org root.admin a
sp5cw.abc.org root.SPbgAdm a
1 root.admin vsm
1 root.SPbgAdm vsm
1 hardmon.sp5cw vsm
1 operator m
  5. spmon -d

    Output is similar to: 

    1.  Checking server process
    Process 71054 has accumulated 25 minutes and 14 seconds.
    Check successful
2.  Opening connection to server
    Connection opened
    Check successful
3.  Querying frame(s)
    1 frame
    Check successful
4.  Checking frames
    This step was skipped because the -G flag was omitted.
5.  Checking nodes
---------------------------------- Frame 1 ----------------------------
                     Host     Switch   Key    Env   Front Panel LCD/LED
Slot Node Type Power Responds Responds Switch Error LCD/LED     Flashes
---- ---- ---- ----- -------- -------- ------ ----- ----------- -------
  1    1  wide  on    yes      no      N/A    no   LCDs are blank  no
.
.
.

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]