Setting up FreeRadius on SLES10/OES2
Hello,
I'm fairly new to Novell and have been tasked with getting Radius Authentication up and running on our existing SLES10/OES2 servers for wireless clients connecting through a Cisco managed WLAN.
I have the radiusadmin PDF file and have installed FreeRadius from the SLES installation media OK, but I'm stuck on "Creating the RADIUS Administrator Object"; the doco just refers you to a generic page for managing user accounts (http://www.novell.com/documentation/...a/afxkmdi.html).
Can anyone let me know what type of user/object I need to create and possibly an example as I'm fairly new to all of this, sorry for what is probably a silly question!
TIA
Originally Posted by warper2
kjhurni wrote:
>
> nson;2238312 Wrote:
>> Hello,
>>
>> I'm fairly new to Novell and have been tasked with getting Radius
>> Authentication up and running on our existing SLES10/OES2 servers for
>> wireless clients connecting through a Cisco managed WLAN.
>> I have the radiusadmin PDF file and have installed FreeRadius from the
>> SLES installation media OK but I'm stuck on "Creating the RADIUS
>> Administrator Object" the doco just refers you to generic page for
>> managing user accounts
>> (http://www.novell.com/documentation/...a/afxkmdi.html).
>> Can anyone let me know what type of user/object I need to create and
>> possibly an example as I'm fairly new to all of this, sorry for what is
>> probably a silly question!
>>
>> TIA
>
> Yeah, it's not the easiest.
>
> Send me a PM and I'll try to email you my docs that I did, if I can
> scrub the IP's in time.
>
> Note: We don't actually use the RADIUS quite the way the original docs
> did. We basically have an eDir group and if you're in that group, then
> you can auth via radius. If not, no soup for you. The original docs
> have you put an attribute on the individual users, which we found more
> tedious than just doing a group membership
>
>
I will say this though. It is easier to setup on sles10 than sles11.
Oh don't tell me that. I don't want to have to look forward to that when we migrate to OES11. Ack!
Similar Messages
-
Setting up FreeRADIUS and eDirectory for 802.1X Authentication
Not sure how many people know about this, but I sure didn't. Novell
actually has a TID on how to set all of this up. Just thought I share this
with you guys. Might just help someone out there.
http://www.novell.com/support/php/se...200%2083136239 -
IPrint on SLES10 OES2 with Macintosh clients
We have just set up an iPrint server on OES2. We are trying to get a handle on accountability of who is printing how much. If I turn on secure printing (which I assume I have to do to force authentication), the Windows clients work just fine, since we are using client32 and it reports to the iPrint server who the user is. However, with the Macintosh computers (OS X), when I go to even install the printer from servername.mtwp.net/ipp, it asks for a username and password, and it has our TREE name at the bottom of the dialog box. I have tried all variations I know of username/passwords, with and without context, and cannot get past this screen. AFP is running on the OES server and I can attach to the server from the Macintosh computer. Not sure what I'm missing on the Mac side. We have a lot of Mac computers and would like to get a handle on who the big print volume users are.
Not sure if this matters or not, but this OES iPrint server does not have a replica on it.
If someone can point me in the direction I should be looking, it would be appreciated.
Doug
In article <[email protected]>, Roehmdo wrote:
> with and without context
>
I don't have any Macs to worry about, but let's be thorough.
Have you tried both commas and periods? It might be an LDAP level login
also: name,ou1,ou2,org vs cn=name,ou=ou1,ou=ou1,o=org
Can the tree name be resolved by IP? A test would be to change the
tree name for the IP of an appropriate server with at least a R/W
replica to make sure there aren't any other eDir issues.
Andy Konecny
KonecnyConsulting.ca in Toronto
Andy's Profile: http://forums.novell.com/member.php?userid=75037 -
We are still working on upgrading to GW 7.2 on the servers. I am doing test migrations from NW 6.5 to SLEs10/OES2, and used the GW migration utility to move a GW 7.2 Postoffice and domain to the Sles10/OES2 box.
When trying to connect to this PO on the SLES10/OES2 with GW 6.5.7 client, it tells me "the version of Groupwise you are using cannot access this postoffice".
I've looked at all the TID's, tried rebuilding, recovering, validating, recopying the .dc files, etc., and it still does not work. Database version in C1 is 7 for both PO and Domain.
I thought that you could connect to GW 7.x PO with 6.5x client (we actually have many users doing this currently, actually, and it works fine)
I'm running out of ideas. Any suggestions?
Hi, Joe, thanks!
I had a suspicion about that...that **)(%&$ hotpatch has really given me a bunch of headaches!!!
I'll go find a "newer" 7.02 (the HP one) for the server and see what happens...thanks!!!
Originally Posted by Joseph Marton
On Thu, 08 May 2008 15:26:01 +0000, davy2 wrote:
> When trying to connect to this PO on the SLES10/OES2 with GW 6.5.7 client,
> it tells me "the version of Groupwise you are using cannot access this
> postoffice".
> I've looked at all the TID's, tried rebuilding, recovering, validating,
> recopying the .dc files, etc., and it still does not work. Database
> version in C1 is 7 for both PO and Domain. I thought that you could
> connect to GW 7.x PO with 6.5x client (we actually have many users doing
> this currently, actually, and it works fine)
I'm guessing the problem you're having is the wonderful GW hot patch
security fix. Here's the story.
If you are running GroupWise 7 SP2, you can use a GW 7.0 - 7.02 client, or
6.5.6 Update 1 or newer. However, you *can't* run the GW 702HP or newer
client, nor can you run the 656U2 or 656U3 client.
If your server instead is running at least GW702HP or newer (including
SP3) then any client will work.
Joe Marton
Novell Support Forum SysOp
Novell does not officially monitor these forums!
http://forums.novell.com/ -
EAP-TLS w/freeradius failing. Phone doesn't present Client certificate.
Hello,
I'm currently on the first phases of deploying a Cisco IPT 802.1X based proof of concept using freeradius, Cisco switching infrastructure (4500's).
The requirements are to use EAP-TLS authentication for the phones, and freeradius as Radius Server.
While trying out the concept in lab using an ISE Radius server, the configuration was straightforward and I did manage to authenticate IP phones using their MIC certificates to the ISE.
Going to actual testing with freeradius, EAP-TLS authentication keeps looping, the phones keep sending RADIUS Access requests, but not being rejected or allowed.
What was done:
- set up freeradius with EAP-TLS configuration, trusting both cisco CA root and manufacturing root.
- freeradius has a server certificate generated by Thawte SSL CA certificate, where EKU fields are properly set for server authentication (and also client authentication)
- Phone had 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test)
What I can see while running a wireshark trace on freeradius is:
- both parties negotiate properly that they will engage in EAP-TLS.
- they start the TLS handshake
- Server sends its certificate on a Server Hello to the phone (which is meant to not validate it)
- Client (phone) never sends its certificate (MIC) to the server.
- Client restarts EAP-TLS negotiation and goes on and on.
Unfortunately the debugs/Captures on freeradius do not allow to verify if the server certificate exchange is finished, or if it is failing somewhere (like a fragment being dropped).
Does anyone have an idea on what might be happening? I find it very strange that the phone, on a freeradius deployment, would behave differently than one on a ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.
Phone firmware is 9.2(3) and callmanager 8.6
Thanks
Gustavo Novais
Found the problem. Apparently ADU can't access certificate store if client is not part of the AD domain
-
FreeRADIUS rlm_krb5 seg fault
I'm having a few problems setting up freeRadius with a kerberos backend on arch and would really appreciate a little help.
Kernel: Linux 3.11.6-1-ARCH i686
freeradius 3.0.0-1
All the configuration changes I have made to the default configs are listed below:
/etc/raddb/users
Added the following line at the top of the file:
DEFAULT Auth-Type = Kerberos
/etc/raddb/sites-enabled/default and /etc/raddb/sites-enabled/inner-tunnel
Added the following in the Authenticate section directly after the pap entry
Auth-Type Kerberos {
    krb5
}
I have also copied the file /etc/raddb/mods-available/krb5 to /etc/raddb/mods-enabled/krb5 and edited the entries to point to the keytab and principal I'm using for radius. The keytab contains two entries, one for radius/hostname.domain and one for host/hostname.domain.
I have verified the keytab is OK by using it with kinit to get a valid ticket for both principals. Additionally I'm sure my kerberos setup is OK as it works fine with ldap, nslcd and ssh.
The problem is when I run radiusd -X and then attempt a radtest I get the following:
(0) files : users: Matched entry DEFAULT at line 1
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap: No “known good” password found for the user. Not setting Auth-Type.
(0) WARNING: pap: Authentication will fail unless a “known good” password is available.
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = Kerberos
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Auth-Type Kerberos {
at which point the server dies with no further output. Running the server using systemctl start freeradius and then looking at the status after it's died shows it's failed with Main PID: 21835 (code=dumped, signal=SEGV)
I have looked all over the internet but the only place I have found someone with the same problem is here:
http://www.mail-archive.com/freeradius- … 77744.html
I have also enabled core dumps in the radiusd.conf, however I have no idea how to actually view the dump or where it is (and yes, I did google it, but all the responses made no sense to me)
I have also tried the freeradius-git package on the AUR however that throws errors when building, something to do with undefined symbols while making radattr.
CC src/main/radattr.c
LINK build/bin/radattr
UNIT-TEST rfc.txt
./build/bin/radattr: symbol lookup error: ./build/bin/radattr: undefined symbol: _fr_cursor_init
src/tests/unit/all.mk:23: recipe for target 'build/tests/unit/rfc.txt' failed
make: *** [build/tests/unit/frc.txt] Error 127
=> ERROR: A failure occurred in build().
Aborting...
=> ERROR: Makepkg was unable to build freeradius-git.
=> Restart building freeradius-git ? [y/N]
=> -----------------------------------------------
=>
I don't usually post here as every problem I've had using Arch so far, I've solved after reading the wiki/forums or random googling. However I'm at a complete loss this time, I have literally no idea how to solve this...
Thanks
Just as a quick update, the rlm_krb module still seems to be causing seg faults; however, it is possible to get it working by configuring freeRadius to use PAM and then telling PAM to authenticate with kerberos.
-
Hi,
We want to create a wireless network. We'd like to authenticate the
accounts against a radius server, so we thought of setting up a freeradius
server running on open enterprise server (linux).
I installed an open enterprise server and deselected all Novell products.
So NO edirectory, eguide, ifolder, etc.... Also I chose to skip CA
creation. We already have multiple edirectory 8.7.3.7 servers, where one
of these servers is the Master CA.
I assume we can also use this CA server? Anyone for proper documentation
about this?
I installed the radius npm on a netware server running Imanager 2.5 and
tried to extend the schema. This does not go well, because of a
conflicting class. I get the following error message :
Schema conflict detected. Conflict details: [ ObjectClass Name(OID):
rADIUSProfile(2.16.840.1.113719.1.39.42.2.0.10) Conflicts with Freeradius
Objectclass : radiusprofile(1.3.6.1.4.1.3317.4.3.2.1) ]
Would you like to continue extending the rest of the class(es) and
Attribute(s) ?
I do not want to delete the current 'RADIUS:Profile' class, but I still
want to use freeradius & eDirectory to integrate. What can be done about
this? Why is Novell using both classes, knowing that the freeradius schema
extension always conflicts with a current edirectory/nmas combination?
I hope someone can help me out. I can not find anything about this,
besides deleting classes, which we can't in our setup.
regards,
Fred Radon
I could be daft but I'm in the process of setting up freeradius on an
OES Suse 9 server which I integrated into our tree after a lot of
research. My impression was that in order for freeradius to authenticate
into the edirectory tree it needed to be installed on a
Linux(SuSe/Redhat) server that had eDirectory, OpenSSL and OpenLDAP
installed.
http://www.novell.com/documentation/...y.html#btuadmy
I had previously attempted to find a way to just authenticate against
NLDAP or integrate a linux box as a BDC into my PDC on my Netware 6.5
box. However, each of these attempts ended when I found documentation
saying that neither was possible.
Novell's site has a lot of documentation on integrating edirectory with
freeradius. I've listed one main document above but there are TIDs that
cover other details. If you find that it is possible to set up a Linux
server without having it integrated into the edirectory tree and
authenticate users against eDirectory please let me know.
If you don't need edit authentication take a look at Zeroshell which is
a bootable radius server based on freeradius with a simple web interface
for administration.
Thanks,
-Nyle
[email protected] wrote:
> Hi,
>
> We want to create a wireless network. W'd like to authenticate the
> accounts against a radius server, so we thought setting up a freeradius
> server running on open enterprise server (linux).
>
> I installed an open enterprise server and deselected all Novell products.
> So NO edirectory, eguide, ifolder, etc.... Also I choose to skip CA
> creation. We already have multiple edirectory 8.7.3.7 servers, where one
> of these servers is the Master CA.
> I assume we can also use this CA server? Anyone for proper documentation
> about this?
>
>
> I installed the radius npm on a netware server running Imanager 2.5 and
> tried to extend the schema. This does not go well, because of a
> conflicting class. I get the following error message :
>
> Schema conflict detected. Conflict details: [ ObjectClass Name(OID):
> rADIUSProfile(2.16.840.1.113719.1.39.42.2.0.10) Conflicts with Freeradius
> Objectclass : radiusprofile(1.3.6.1.4.1.3317.4.3.2.1) ]
> Would you like to continue extending the rest of the class(es) and
> Attribute(s) ?
>
> I do not want to delete the current 'RADIUS:Profile' class, but I still
> want to use freeradius & eDirectory to integrate. What can be done about
> this? Why is Novell using both classes, knowing that the freeradius schema
> extension always conflicts with a current edirectory/nmas combination?
>
> I hope someone can help me out. I can not find anything about this,
> besides deleting classes, which we can't in our setup.
>
> regards,
> Fred Radon
>
>
> -
NSS/LVMS General concept question
I have an existing SLES10 OES2 server that's just sitting doing iPrint, DNS, and DHCP. Processor-wise it's not working hard, but hard drive-wise it's pretty full.
My question is this: I want a new "Public" directory akin to my old Netware servers. The hard drives I have in the server now are NOT LVMS drives (didn't set it up right when I started).
So if I'm not worried about the drive failing (after all it will only be a repository for clients and such), can I just add a hard drive and format it using LVMS and then create a pool to make that public directory, or is there an easier way?
Thanks in advance for your help.
-Josh
That is the easiest way of doing it. Add the drive in and then give it to evms so that nss will run on it.
jgray -
Hi
I did post another SLP query related to this but received no responses. I have been reading up on SLP setup. We have had our existing SLP setup in place for a number of years; however, we have had issues where if a site link is off the site cannot log in locally at all - it is obviously trying to locate resources in a container it does not have a replica of.
When our SLP was set up the resources were placed at the central site under the central site's container. I am wondering if a) it is OK to move the SLP scope container (and DA object?) to root and then place a root replica at each WAN site? (I have read you should not place a local DA at each site though had considered this also) and b) should I place a backup SLPDA somewhere in case there is a problem with the server housing the DA (which has also happened to me - and sites could not log in at all while it was restarting!) Can I point to 2 in my server and client configs?
We will be moving to OES2 next year but I need to make sure this keeps operational as efficiently as possible until that time.
Advice from a Novell expert would be much appreciated
Thanks
I would be interested in knowing more about this as well if anyone answers....I would not hold my breath. :-)
We have 10 partitions/containers which are scattered location-wise. We have 1 server in each container and are running slpdas on 2 servers in HQ pointing to a central scope. However, I have found that if a link isolates one of the containers from talking to the HQ container with the scope and slpda, then login is not possible from the local isolated container. I would like to set up slp to mitigate this if possible. We use SLES10/OES2 so this is not as easy as it was with NetWare 6.5....
--El
Originally Posted by shazzypoos
Hi
I did post another SLP query related to this but received no responses. I have been reading up on SLP setup. We have had our existing SLP setup in place for a number of years; however, we have had issues where if a site link is off the site cannot log in locally at all - it is obviously trying to locate resources in a container it does not have a replica of.
When our SLP was set up the resources were placed at the central site under the central site's container. I am wondering if a) it is OK to move the SLP scope container (and DA object?) to root and then place a root replica at each WAN site? (I have read you should not place a local DA at each site though had considered this also) and b) should I place a backup SLPDA somewhere in case there is a problem with the server housing the DA (which has also happened to me - and sites could not log in at all while it was restarting!) Can I point to 2 in my server and client configs?
We will be moving to OES2 next year but I need to make sure this keeps operational as efficiently as possible until that time.
Advice from a Novell expert would be much appreciated
Thanks -
Change RADIUS Certificate or Reset RADIUS, SERVER 3.2.2
Hi All,
I've got an expiring self signed certificate that I was using for the RADIUS service on 10.9, server 3.2.2.
I can figure out how to replace this certificate with our valid trusted SSL certificate for our domain. We originally setup the RADIUS server with the instructions at https://www.yesdevnull.net/2013/10/os-x-mavericks-server-setting-up-freeradius/
If I just try to install new certs using sudo radiusconfig -installcerts command, it just breaks the radius.
I've also tried blowing away the radius folder inside of /Library/Server in an attempt to reset RADIUS to the factory defaults, but after reinstalling the server app, and going through the process of setting up RADIUS, it's still using the old certificate.
Any help would be appreciated!
Thanks
Thanks to Charles over at Krypted, deleting the Radius folder from /Library/Server/Radius and running this command:
sudo rm /var/db/.ServerSetupDone
Allowed me to get Server to recreate a clean Radius set. -
No Multi-User Calendar in WebAccess
We are using GW 2012 and looking at the possibility of eliminating the client in favor of WebAccess for all users.
One issue that I've run into is that we cannot view multiple calendars via the multi-user function while in WebAccess. It works perfectly fine in the client.
When I log into my mailbox and click the calendar button, my only option under the "Calendars" box is "Calendar" which is my own. No others display. I can proxy, via WebAccess, into the other calendar with no issues.
I've looked through the threads here, and performed a few internet searches with no results. From the documentation it does appear that Multi-User is available, or supposed to be, when in WebAccess.
Our GW system (MTA, GWIA, WebAccess) is running on SLES10/OES2 with multiple post offices running on SLES10 or 11.
Thanks for any pointers you may have!
Michael -
Best Radius or Tacacs+ program?
Morning everyone,
I would like to set up either a TACACS or RADIUS solution here. Wondering what other people have found to be the best server for either of these, preferably free if one exists.
Thanks
Ok I have freeRADIUS, it is installed and running. I can authenticate the test user. I set up the router with a few basic AAA commands. The router sends requests to the RADIUS server, however, I get a line saying:
Login incorrect: [testing/N!:\302\362}\204\307\214\337!\003\tc\302L] (from client private-network-2 port 194 cli 172.16.101.202)
WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
Login incorrect: [testing/N!:\302\362}\204\307\214\337!\003\tc\302L] (from client private-network-2 port 194 cli 172.16.101.202)
WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
The shared secret is just SECRET, password is password for testing purposes. Has anyone on here set up freeRADIUS correctly? -
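Why a shared-secret mismatch produces exactly that warning, shown as an added example that is not part of the original post or of FreeRADIUS itself: RADIUS hides the PAP User-Password by XORing it with MD5(shared secret + Request Authenticator) (RFC 2865, section 5.2), so a server that reverses the step with a different secret recovers random bytes instead of the password. The secret `SECRET` and password `password` come from the post; the authenticator value and the mismatched secret `secret` are constructed for the illustration.

```python
import hashlib

# Constructed 16-byte Request Authenticator (a real NAS picks this at random
# for every Access-Request).
SAMPLE_AUTHENTICATOR = bytes(range(16))


def _xor_with_digest(block: bytes, secret: bytes, prev: bytes) -> bytes:
    """XOR one 16-byte block with MD5(secret + prev), per RFC 2865 5.2."""
    digest = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, digest))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: turn a cleartext PAP password into the User-Password value."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    # Pad with NULs to a multiple of 16 bytes.
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = _xor_with_digest(padded[i:i + 16], secret, prev)
        hidden += block
        prev = block  # the next block is chained on the previous ciphertext
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse hide_password() using the server's own secret."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password must be 16..128 bytes, multiple of 16")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    clear = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor_with_digest(block, secret, prev)
        prev = block
    return clear.rstrip(b"\x00")


def is_printable(data: bytes) -> bool:
    """True when every byte is printable ASCII, the property the warning tests."""
    return all(0x20 <= b <= 0x7E for b in data)


def explain(hidden: bytes, server_secret: bytes, authenticator: bytes) -> str:
    """Describe what a server holding server_secret would see in its log."""
    recovered = recover_password(hidden, server_secret, authenticator)
    if is_printable(recovered):
        return "password decodes cleanly: %r" % recovered
    return ("unprintable characters in the password (%r): the secret on the "
            "server and the NAS differ" % recovered)


if __name__ == "__main__":
    # The NAS (router) is configured with one secret...
    on_the_wire = hide_password(b"password", b"SECRET", SAMPLE_AUTHENTICATOR)
    # ...and the server's client entry holds either the same or another value.
    print("matching secret  :", explain(on_the_wire, b"SECRET", SAMPLE_AUTHENTICATOR))
    print("mismatched secret:", explain(on_the_wire, b"secret", SAMPLE_AUTHENTICATOR))
```

A difference in case, a trailing space or newline, or quoting that one side keeps and the other strips is enough to trigger the mismatch, because every byte of the secret feeds the MD5 input.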
GWIM 2.0.4 Upgrade Path - Novell Messenger
Is there an upgrade path from GWIM to Novell Messenger. Perusing the documentation I do not see any specifics.
I currently run GWIM 2.4 on SLES10-OES2.
Can I simply copy over the new agents and update the Clients or is Novell Messenger an entirely new product?
I upgraded from 2.0.4 to 2.1 and I just extended the schema and installed the agents. I see that 2.2 was posted yesterday and I hope I can simply do the same.
Al
On 12/9/2010 at 8:36 AM, kbannister<[email protected]> wrote:
Is there an upgrade path from GWIM to Novell Messenger. Perusing the
documentation I do not see any specifics.
I currently run GWIM 2.4 on SLES10-OES2.
Can I simply copy over the new agents and update the Clients or is
Novell Messenger an entirely new product?
kbannister
kbannister's Profile: http://forums.novell.com/member.php?userid=5375
View this thread: http://forums.novell.com/showthread.php?t=427806 -
SLES10 SP4/OES2 SP3 32 bit Clean Install - Basic Questions
Hi everyone.
I am now an expert in installing the above software and ending up with a server which does not work as we require. Must be something I am doing wrong. Hope someone can spot it.
Have installed and supported Netware servers for 25 years without major problems. Decided now to move to SLES because Novell say we should and we need Groupwise 12 to replace GroupWise 8.
The operational environment we are targeting is an 80 user edirectory/NDS based single tree, single context containing two Netware 6.5 SP8 HP Proliant servers running uncomplicated file and print services , NSS volumes, Groupwise 8, DHCP, ifolder, Quickfinder and the like, spread across the two servers. It all works a treat. Client PCs are are all XP Pro with Novell client software.
The idea would be to replace one of the two Netware servers first with a SLES/OES server and then the second Netware server with a second SLES/OES server and move GroupWise functionality to one of the SLES/OES servers. Ideally users would continue to log on using their eDirectory accounts without noticing anything was going on in the background.
The test environment we have set up is a 5 user NDS/eDirectory single tree, single context already containing a single Netware 6.5 SP8 Proliant server running file and print, NSS volumes etc and Groupwise 8. Into this tree we are trying to install a 32 bit server with a empty 36 GB SCSI disc running SLES 10 SP4 with OES2 DP3 as an add in, with NSS data volumes.
Because it only takes a few hours to do we have repeatedly run the SLES 10/OES2 install (probably about 9 times!) with minor variations to see whether we can end up with a properly configured SLES/OES server but there is always one problem or another.
The major problem we have is how to configure NSS data volumes on the SLES server and how to allow users to be validated against their eDirectory entries and knowing whether the test server is 'good to go'.
The process we followed for each test install, after checking edirectory was clean and removing any entries placed in the tree by earlier attempts to install the SLES server in the same tree were:
1. Boot the SLES 10 SP4 32 DVD (downloaded ISO and burnt DVD) and selected Installation.
2. Followed the prompts on time zone and language etc and selected i386 OES CD (also downloaded ISO and burnt) as the Software Add-In.
3. Loaded SLES DVD and OES CD as and when requested
4. At the Partitioning stage we selected the EVMS proposal, and at the Software selection stage selected the base software, file server Role, Documentation, DHCP, eDirectory, iFolder, iPrint, Quickfinder, NSS and LDAP.
5. Miscellaneous errors would appear or not appear during the eDirectory stage (eg LUM error, or iFolder error) but the eDirectory stage would still seem to complete OK and get ticked.
6. The system would then reboot and appear to come up OK.
HOWEVER, we are not convinced we have created a fully working reliable server.
and
SPECIFICALLY we are unable to create NSS volumes and we cannot logon users via their eDirectory accounts.
NSSMU shows a single device sda (33.92 Gb) and three partitions sda1 (70Mb), sda2 (31.91GB), and sda3 (1.94GB). sda2 seems to contain all the 'spare' space on the disk (type Linux LVM) but says there is no spare space to create our NSS partitions.
iManager cannot see any devices to configure NSS data volumes on the SLES server but it connects OK
NSSCON status seems to show NSS to be running
EVMSGUI shows /dev/evms/lvm2/system/ro at 10 Gb, /dev/evms/lvm2/system/sw at 2GB and /dev/evms/sda1 at 70 Mb
So my questions are:
Does the above look right?
Why cannot we get at the spare disk space to set up NSS volumes? Did the EVMS proposal grab it all and if so how do we get it back?
Did not selecting the EVMS partitioning proposal do everything needed to run NSS?
[There seems to be some suggestion in the several hundred pages of SLES, OES and NSS Guides, Installation manuals, Configuration manuals etc that we have studied over several days, that we now have to edit a fstab file to make it work properly (Really? in this day and age where clicking on Setup.Exe will configure a fully working Windows server) Is that so? Is there anything else we need to do?]
How do we get the users to access their NDS accounts to log into SLES and Netware?
How do we know the server is OK for operational use and 'works'?
HELP!!!
ADB
alandbond wrote:
> I
> have already trawled the self help Forums believing that before SLES
> 11 came along everyone must have been setting up NSS volumes on SLES
> 10/OES2 as a matter of course as they moved from Netware and so me
> trying to do it now should not be akin to rocket science.
You are partially correct. Admins who used NSS on NetWare likely did
install NSS on OES Linux but I suspect they used a separate drive for
NSS either by installing an additional drive, by carving out a chunk of
space on their RAID array and assigning it to a separate LUN, or by
running OES in a VM where storage space on a single disk/array can
appear as separate drives.
> If Novell say in that guide as they do
> (just as do you and ab and Simon in responses to my post) that the
> IDEAL way to include NSS is to have a separate disk for Suse and NSS
> volumes, BUT as long as you use EVMS to manage the volumes it IS
> SUPPORTED, then I consider it should be possible without grief to do
> this and not considered as me putting round pegs in square holes.
Semantics!
IDEAL = Recommended; EVMS != IDEAL; EVMS != Recommended;
IMO, Novell recognised that they had to provide a way for customers to
install NSS on a system that only had a single disk and provided this
procedure as a workaround. By the way, they also support 2-node
clusters but they aren't recommended either. I have also seen cases
where a supported configuration was deemed no longer to be supported as
NTS became aware of additional complications.
My point (and Simon's and ab/Aaron's) is this: Just because it is
supported doesn't mean you should do it. If we can agree on this point,
I'll try to help you to get it working. The last thing I want to do is
give others the impression that by helping you find a solution we think
this is a good idea!!!
> This latest release of software even goes as far as including an EVMS
> Partitioning proposal which can be selected (as I did) within the
> clean install process.
>
> This is what it says:
Okay! I'm only looking at the information you provided. Let's analyse
it!
>
> A.2.1 Understanding the EVMSBased Partitioning Scheme
> Using EVMS to manage the system device allows you to later add NSS
> pools and volumes
Yes, NSS requires the volume manager to be EVMS and not LVM!
> on any *unpartitioned* free space on it.
But you have not left *any* unpartitioned free space!
> You must modify the partitioning scheme to use EVMS during the
> install. It is not possible to change the volume manager for the
> system device after the install.
True.
> Beginning in OES 2 SP3, the Partitioner in the YaST Install offers the
> Create EVMS Based Proposal option to automatically create an EVMS
> solution for the system device.
> For unpartitioned devices over 20 GB in size,
This is what you have...
> this option creates a boot partition
> and a container for the swap and / (root) volumes
> in up to the first 20 GB,
> and leaves the remainder of the space on the device
> as unpartitioned free space.
But it didn't (or you didn't)!
> Table A-1 shows the default proposed setup
> for a machine with 768 MB RAM.
> The default swap size is 1 GB or larger,
> depending on the size of the RAM on your machine.
> The remainder of the device is left as unpartitioned free space.
Let's look at the default proposal. This is *not* what you have.
> Table A-1 Default EVMS Proposal for Devices over 20 GB in Size
>
> Device Size Type Mount Point
> /dev/sda1 70.5 MB Ext2 /boot
> /dev/sda2 14.9 GB Linux LVM
> /dev/evms/lvm2/system 14.9 GB EVMS lvm2/system
> /dev/evms/lvm2/system/root 10.0 GB EVMS /
> /dev/evms/lvm2/system/swap 1.1 GB EVMS swap
A single (SATA/SAS/SCSI) drive will be known as sda (/dev/sda).
/dev/sda1 is the first partition. In the example and in your
configuration this is the /boot partition. In both cases it is 70.5 MB.
/dev/sda2 is the second partition. The partition uses LVM so logical
volumes of various sizes can be created within the partition. The total
size of all logical volumes cannot be larger than the size of the
partition.
In the above example:
/root is 10.0 GB and swap is 1.1 GB. This leaves: 14.9 - (10.0 + 1.1) =
3.8 GB of additional space within /sda2 which can be used to create
additional logical volumes. Furthermore sda1 + sda2 use only ~ 15 GB.
Only 15 GB of the disk has been allocated. The remainder of the disk is
*unallocated* and *unpartitioned*. Presumably, it was left that way so
that the space could be used for NSS.
In your case: sda2 is 31.91 GB
This does not follow the Default EVMS Proposal for Devices over 20 GB
in Size. Either YaST did not allocate space according to the default
proposal or you changed it. Either way, sda2 (+sda3) consume *all* of
the available disk space. It is no wonder that there is no space
available for NSS!
> What do you reckon???
I reckon that something went wrong along the way. If you did not
specifically change the default allocation yourself, then consider this
one example of the kinds of things that can happen when one tries to
exploit seldom used, but supported, features!
It looks like it is time for yet another installation. This time, make
sure you leave enough unpartitioned space on the drive for NSS and let
me know how you make out.
Kevin Boyle - Knowledge Partner
[SOLVED] Upgrade from SLES10 SP3 & OES2 SP2 to SP4/SP3 breaks NCS
Hi folks,
(This post was originally meant to be a rant and a request for help, but
while writing the final paragraph i found the solution. It's still a
rant, but i figured i'd post my solution here in case someone else runs
into the same issue.)
I've just spent several hours banging my head against a broken cluster
node. My system is a 32-bit SLES 10 VM running on VMware ESX 3.5.x.
I upgraded from SLES10 SP3 and OES2 SP2 to the next service packs for
each (using the move-to-oes-sp3 script in yast2 online_update).
Everything went well for the first few update/reboot sequences, then
after the final reboot on SLES10 SP4 & OES2 SP3, cluster services would
not load or join the cluster on restart.
I checked dmesg and found errors about "Loading module compiled for
kernel version 2.6.16.60-0.54.5-vmi" into a previous kernel version, so
i tried downgrading to that kernel version, only to find that it was
older than the one i had just upgraded from (it's the original SLES10
SP3 kernel). So i tried upgrading back to the same kernel which is
running on the other cluster node (2.6.16.60-0.77.1-vmi), but that did
not work any better.
<preaching>
I have to say that i'm not impressed that OES2 SP3 isn't even compiled
against the appropriate kernel, and because of SUSE's kernel RPM
overwrite policy there's no way i can select to boot from a previous
kernel to see if that fixes things. Note to SUSE and other distro
builders: if you're not doing kernel package upgrades like Red Hat or
Ubuntu (so that we can select to boot from the previous kernel from the
boot menu), you're doing it *WRONG*.
</preaching>
I then upgraded again to the latest recommended kernel for SLES10 SP4,
and still no joy. Dmesg shows this error before the rot starts:
allocation failed: out of vmalloc space - use vmalloc=<size> to increase
size.
When searching for this error i stumbled across
http://ubuntuforums.org/showthread.php?t=1613132
which pointed me to
http://www.mythtv.org/wiki/Common_Pr...lloc_too_small
Adding vmalloc=192M to /boot/grub/menu.lst and rebooting solved the
problem for me.
Regards,
Paul
Originally Posted by Paul Gear
On 13/10/11 07:36, magic31 wrote:
> ...
> Not sure if it's related to the issue you've hit, but along the lines
> of what Kevin already mentioned, there are issues that can arise when
> using the VMI kernel (that I've seen) if having multiple flavors of the
> kernel installed along with it (as in having both kernel-vmi as also
> kernel-smp packages installed) ...
> Curious, is that also the case with your setup?
The system in question has kernel-bigsmp and kernel-vmi installed. We
only ever boot from kernel-vmi.
> I've moved to only using the smp kernel on VMware (along with the
> clock=pit boot option to avoid time drift issues, or pmtr I think in
> your case when also running NCS services in the vm).
When we installed the system (on OES2 SP1, i believe) it was a while
ago, and kernel-vmi with clocksource=acpi_pm on the kernel command line
was the only solution we could find to get reliable time. If there are
updated best-practice documents, i'd be happy to hear about them.
However, this is a production cluster and my boss is (rightly) rather
reticent to make major changes.
Paul
The official VMware paper on time is that IF you're using SLES 10.x 32-bit you will use VMI and NO kernel params (i.e., get rid of the clockpit and clocksource=blah).
But if 64-bit then you're okay.
The easiest, IMO (especially with vmware) is to use the miggui (migration utility). That's how I'm converting all my 32-bit servers in vmware to 64-bit. Works quite well.
--Kevin