Setting up FreeRadius on SLES10/OES2

Hello,
I'm fairly new to Novell and have been tasked with getting Radius Authentication up and running on our existing SLES10/OES2 servers for wireless clients connecting through a Cisco managed WLAN.
I have the radiusadmin PDF file and have installed FreeRadius from the SLES installation media OK, but I'm stuck on "Creating the RADIUS Administrator Object"; the doco just refers you to a generic page for managing user accounts (http://www.novell.com/documentation/...a/afxkmdi.html).
Can anyone let me know what type of user/object I need to create and possibly an example as I'm fairly new to all of this, sorry for what is probably a silly question!
TIA

Originally Posted by warper2
kjhurni wrote:
>
> nson;2238312 Wrote:
>> Hello,
>>
>> I'm fairly new to Novell and have been tasked with getting Radius
>> Authentication up and running on our existing SLES10/OES2 servers for
>> wireless clients connecting through a Cisco managed WLAN.
>> I have the radiusadmin PDF file and have installed FreeRadius from the
>> SLES installation media OK but I'm stuck on "Creating the RADIUS
>> Administrator Object" the doco just refers you to generic page for
>> managing user accounts
>> (http://www.novell.com/documentation/...a/afxkmdi.html).
>> Can anyone let me know what type of user/object I need to create and
>> possibly an example as I'm fairly new to all of this, sorry for what is
>> probably a silly question!
>>
>> TIA
>
> Yeah, it's not the easiest.
>
> Send me a PM and I'll try to email you my docs that I did, if I can
> scrub the IP's in time.
>
> Note: We don't actually use the RADIUS quite the way the original docs
> did. We basically have an eDir group and if you're in that group, then
> you can auth via radius. If not, no soup for you. The original docs
> have you put an attribute on the individual users, which we found more
> tedious than just doing a group membership
>
>
I will say this though. It is easier to set up on sles10 than sles11.

Oh don't tell me that. I don't want to have to look forward to that when we migrate to OES11. Ack!

Similar Messages

  • Setting up FreeRADIUS and eDirectory for 802.1X Authentication

    Not sure how many people know about this, but I sure didn't. Novell
    actually has a TID on how to set all of this up. Just thought I share this
    with you guys. Might just help someone out there.
    http://www.novell.com/support/php/se...200%2083136239


  • IPrint on SLES10 OES2 with Macintosh clients

    We have just set up an iPrint server on OES2. We are trying to get a handle on accountability of who is printing how much. If I turn on secure printing (which I assume I have to do to force authentication), the Windows clients work just fine since we are using client32 and it reports to the iPrint server who the user is. However, with the Macintosh computers (OSX), when I go to even install the printer from servername.mtwp.net/ipp, it asks for a username and password and it has our TREE name at the bottom of the dialog box. I have tried all variations I know of username/passwords, with and without context, and cannot get past this screen. AFP is running on the OES server and I can attach to the server from the Macintosh computer. Not sure what I'm missing on the Mac side. We have a lot of Mac computers and would like to get a handle on who the big print volume users are.
    Not sure if this matters or not, but this OES iPrint server does not have a replica on it.
    If someone can point me in the direction I should be looking it would be appreciated
    Doug

    In article <[email protected]>, Roehmdo wrote:
    > with and without context
    >
    I don't have any Macs to worry about, but let's be thorough.
    Have you tried both commas and periods? It might be an LDAP level login
    also name,ou1,ou2,org vs cn=name,ou=ou1,ou=ou1,o=org
    can the tree name be resolved by IP? A test would be to change the
    tree name for the IP of an appropriate server with at least a R/W
    replica to make sure there aren't any other eDir issues.
    Andy Konecny
    KonecnyConsulting.ca in Toronto

  • GW to OES2/SLES10

    We are still working on upgrading to GW 7.2 on the servers. I am doing test migrations from NW 6.5 to SLES10/OES2, and used the GW migration utility to move a GW 7.2 Postoffice and domain to the SLES10/OES2 box.
    When trying to connect to this PO on the SLES10/OES2 with GW 6.5.7 client, it tells me "the version of Groupwise you are using cannot access this postoffice".
    I've looked at all the TID's, tried rebuilding, recovering, validating, recopying the .dc files, etc., and it still does not work. Database version in C1 is 7 for both PO and Domain.
    I thought that you could connect to GW 7.x PO with 6.5x client (we actually have many users doing this currently, actually, and it works fine)
    I'm running out of ideas. Any suggestions?

    Hi, Joe, thanks!
    I had a suspicion about that...that **)(%&$ hotpatch has really given me a bunch of headaches!!!
    I'll go find a "newer" 7.02 (the HP one) for the server and see what happens...thanks!!!
    Originally Posted by Joseph Marton
    On Thu, 08 May 2008 15:26:01 +0000, davy2 wrote:
    > When trying to connect to this PO on the SLES10/OES2 with GW 6.5.7 client,
    > it tells me "the version of Groupwise you are using cannot access this
    > postoffice".
    > I've looked at all the TID's, tried rebuilding, recovering, validating,
    > recopying the .dc files, etc., and it still does not work. Database
    > version in C1 is 7 for both PO and Domain. I thought that you could
    > connect to GW 7.x PO with 6.5x client (we actually have many users doing
    > this currently, actually, and it works fine)
    I'm guessing the problem you're having is the wonderful GW hot patch
    security fix. Here's the story.
    If you are running GroupWise 7 SP2, you can use a GW 7.0 - 7.02 client, or
    6.5.6 Update 1 or newer. However, you *can't* run the GW 702HP or newer
    client, nor can you run the 656U2 or 656U3 client.
    If your server instead is running at least GW702HP or newer (including
    SP3) then any client will work.
    Joe Marton
    Novell Support Forum SysOp
    Novell does not officially monitor these forums!
    http://forums.novell.com/

  • EAP-TLS w/freeradius failing. Phone doesn't present Client certificate.

    Hello,
    I'm currently on the first phases of deploying a Cisco IPT 802.1X based proof of concept using freeradius, Cisco switching infrastructure (4500's).
    The requirements are to use EAP-TLS authentication for the phones, and freeradius as Radius Server.
    While trying out the concept in lab using an ISE Radius server, the configuration was straightforward and I did manage to authenticate IP phones using their MIC certificates to the ISE.
    Going to actual testing with freeradius, EAP-TLS authentication keeps looping, the phones keep sending RADIUS Access requests, but not being rejected or allowed.
    What was done:
    - set up freeradius with EAP-TLS configuration, trusting both cisco CA root  and manufacturing root.
    - freeradius has a server certificate generated by Thawte SSL CA certificate, where EKU fields are properly set for server authentication (and also client authentication)
    - Phone had 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test)
    What I can see while running a wireshark trace on freeradius is:
         - both parties negotiate properly that they will engage in EAP-TLS.
         - they  start the TLS handshake
         - Server sends its certificate on a Server Hello to the phone (which is meant to not validate it)
         - Client (phone) never sends its certificate (MIC) to the server.
         - Client restarts EAP-TLS negotiation and goes on and on.
    Unfortunately the debugs/Captures on freeradius do not allow to verify if the server certificate exchange is finished, or if it is failing somewhere (like a fragment being dropped).
    Does anyone have an idea on what might be happening? I find it very strange that the phone, on a freeradius deployment, would behave differently than one on a ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.
    Phone firmware is 9.2(3) and callmanager 8.6
    Thanks
    Gustavo Novais

    Found the problem. Apparently ADU can't access certificate store if client is not part of the AD domain

  • FreeRADIUS rlm_krb5 seg fault

    I'm having a few problems setting up freeRadius with a kerberos backend on arch and would really appreciate a little help.
    Kernel: Linux 3.11.6-1-ARCH i686
    freeradius 3.0.0-1
    All the configuration changes I have made to the default configs are listed below:
    /etc/raddb/users
    Added the following line at the top of the file:
    DEFAULT Auth-Type = Kerberos
    /etc/raddb/sites-enabled/default and /etc/raddb/sites-enabled/inner-tunnel
    Added the following in the Authenticate section directly after the pap entry
    Auth-Type Kerberos {
        krb5
    }
    I have also copied the file /etc/raddb/mods-available/krb5 to /etc/raddb/mods-enabled/krb5 and edited the entries to point to the keytab and principal I'm using for radius. The keytab contains two entries, one for radius/hostname.domain and one for host/hostname.domain.
    I have verified the keytab is ok by using it with kinit to get a valid ticket for both principals. Additionally I'm sure my kerberos setup is ok as it works fine with ldap, nslcd and ssh.
    The problem is when I run radiusd -X and then attempt a radtest I get the following:
    (0) files : users: Matched entry DEFAULT at line 1
    (0) [files] = ok
    (0) [expiration] = noop
    (0) [logintime] = noop
    (0) WARNING: pap: No “known good” password found for the user. Not setting Auth-Type.
    (0) WARNING: pap: Authentication will fail unless a “known good” password is available.
    (0) [pap] = noop
    (0) } # authorize = ok
    (0) Found Auth-Type = Kerberos
    (0) # Executing group from file /etc/raddb/sites-enabled/default
    (0) Auth-Type Kerberos {
    at which point the server dies with no further output. Running the server using systemctl start freeradius and then looking at the status after it has died shows it has failed with Main PID: 21835 (code=dumped, signal=SEGV)
    I have looked all over the internet but the only place I have found someone with the same problem is here:
    http://www.mail-archive.com/freeradius- … 77744.html
    I have also enabled core dumps in the radiusd.conf however I have no idea how to actually view the dump or where it is (and yes I did google it, but all the responses made no sense to me)
    I have also tried the freeradius-git package on the AUR however that throws errors when building, something to do with undefined symbols while making radattr.
    CC src/main/radattr.c
    LINK build/bin/radattr
    UNIT-TEST rfc.txt
    ./build/bin/radattr: symbol lookup error: ./build/bin/radattr: undefined symbol: _fr_cursor_init
    src/tests/unit/all.mk:23: recipe for target 'build/tests/unit/rfc.txt' failed
    make: *** [build/tests/unit/frc.txt] Error 127
    => ERROR: A failure occurred in build().
    Aborting...
    => ERROR: Makepkg was unable to build freeradius-git.
    => Restart building freeradius-git ? [y/N]
    => -----------------------------------------------
    =>
    I don't usually post here as every problem I've had using arch so far, I've solved after reading the wiki/forums or random googling. However I'm at a complete loss this time, I have literally no idea how to solve this...
    Thanks

    Just as a quick update, the rlm_krb module still seems to be causing seg faults, however it is possible to get it working by configuring freeRadius to use PAM and then telling PAM to authenticate with kerberos.

  • Freeradius & edirectory

    Hi,
    We want to create a wireless network. We'd like to authenticate the
    accounts against a radius server, so we thought setting up a freeradius
    server running on open enterprise server (linux).
    I installed an open enterprise server and deselected all Novell products.
    So NO edirectory, eguide, ifolder, etc.... Also I chose to skip CA
    creation. We already have multiple edirectory 8.7.3.7 servers, where one
    of these servers is the Master CA.
    I assume we can also use this CA server? Anyone for proper documentation
    about this?
    I installed the radius npm on a netware server running Imanager 2.5 and
    tried to extend the schema. This does not go well, because of a
    conflicting class. I get the following error message :
    Schema conflict detected. Conflict details: [ ObjectClass Name(OID):
    rADIUSProfile(2.16.840.1.113719.1.39.42.2.0.10) Conflicts with Freeradius
    Objectclass : radiusprofile(1.3.6.1.4.1.3317.4.3.2.1) ]
    Would you like to continue extending the rest of the class(es) and
    Attribute(s) ?
    I do not want to delete the current 'RADIUS:Profile' class, but I still
    want to use freeradius & eDirectory to integrate. What can be done about
    this? Why is Novell using both classes, knowing that the freeradius schema
    extension always conflicts with a current edirectory/nmas combination?
    I hope someone can help me out. I can not find anything about this,
    besides deleting classes, which we can't in our setup.
    regards,
    Fred Radon

    I could be daft but I'm in the process of setting up freeradius on an
    OES Suse 9 server which I integrated into our tree after a lot of
    research. My impression was that in order for freeradius to authenticate
    into the edirectory tree it needed to be installed on a
    Linux(SuSe/Redhat) server that had eDirectory, OpenSSL and OpenLDAP
    installed.
    http://www.novell.com/documentation/...y.html#btuadmy
    I had previously attempted to find a way to just authenticate against
    NLDAP or integrate a linux box as a BDC into my PDC on my Netware 6.5
    box. However, each of these attempts ended when I found documentation
    saying that neither was possible.
    Novell's site has a lot of documentation on integrating edirectory with
    freeradius. I've listed one main document above but there are TIDs that
    cover other details. If you find that it is possible to set up a Linux
    server without having it integrated into the edirectory tree and
    authenticate users against edirectory please let me know.
    If you don't need edit authentication take a look at Zeroshell which is
    a bootable radius server based on freeradius with a simple web interface
    for administration.
    Thanks,
    -Nyle
    [email protected] wrote:
    > Hi,
    >
    > We want to create a wireless network. We'd like to authenticate the
    > accounts against a radius server, so we thought setting up a freeradius
    > server running on open enterprise server (linux).
    >
    > I installed an open enterprise server and deselected all Novell products.
    > So NO edirectory, eguide, ifolder, etc.... Also I chose to skip CA
    > creation. We already have multiple edirectory 8.7.3.7 servers, where one
    > of these servers is the Master CA.
    > I assume we can also use this CA server? Anyone for proper documentation
    > about this?
    >
    >
    > I installed the radius npm on a netware server running Imanager 2.5 and
    > tried to extend the schema. This does not go well, because of a
    > conflicting class. I get the following error message :
    >
    > Schema conflict detected. Conflict details: [ ObjectClass Name(OID):
    > rADIUSProfile(2.16.840.1.113719.1.39.42.2.0.10) Conflicts with Freeradius
    > Objectclass : radiusprofile(1.3.6.1.4.1.3317.4.3.2.1) ]
    > Would you like to continue extending the rest of the class(es) and
    > Attribute(s) ?
    >
    > I do not want to delete the current 'RADIUS:Profile' class, but I still
    > want to use freeradius & eDirectory to integrate. What can be done about
    > this? Why is Novell using both classes, knowing that the freeradius schema
    > extension always conflicts with a current edirectory/nmas combination?
    >
    > I hope someone can help me out. I can not find anything about this,
    > besides deleting classes, which we can't in our setup.
    >
    > regards,
    > Fred Radon

  • NSS/LVMS General concept question

    I have an existing SLES10 OES2 server that's just sitting doing iPrint, DNS, and DHCP. Processor-wise it's not working hard, but hard drive-wise it's pretty full.
    My question is this: I want a new "Public" directory akin to my old Netware servers. The hard drives I have in the server now are NOT LVMS drives (didn't set it up right when I started).
    So if I'm not worried about the drive failing (after all it will only be a repository for clients and such), can I just add a hard drive and format it using LVMS and then create a pool to make that public directory, or is there an easier way?
    Thanks in advance for your help.
    -Josh

    That is the easiest way of doing it. Add the drive in and then give it to evms so that nss will run on it.
    jgray

  • SLP Advice for Multi Site

    Hi
    I did post another SLP query related to this but received no responses. I have been reading up on SLP setup, we have had our existing SLP setup in place for a number of years, however we have had issues where if a site link is off the site cannot log in locally at all - it is obviously trying to locate resources in a container it does not have a replica of.
    When our SLP was set up the resources were placed at the central site under the central site's container. I am wondering if a) it is OK to move the SLP scope container (and DA object?) to root and then place a root replica at each WAN site? (I have read you should not place a local DA at each site though had considered this also) and b) should I place a backup SLPDA somewhere in case there is a problem with the server housing the DA (which has also happened to me - and sites could not log in at all while it was restarting!) Can I point to 2 in my server and client configs?
    We will be moving to OES2 next year but I need to make sure this keeps operational as efficiently as possible until that time.
    Advice from a Novell expert would be much appreciated
    Thanks

    I would be interested in knowing more about this as well if anyone answers....I would not hold my breath. :-)
    We have 10 partitions/containers which are scattered location-wise. We have 1 server in each container and are running slpdas on 2 servers in HQ pointing to a central scope. However, I have found that if a link isolates one of the containers from talking to the HQ container with the scope and slpda, then login is not possible from the local isolated container. I would like to set up slp to mitigate this if possible. We use SLES10/OES2 so this is not as easy as it was with NetWare 6.5....
    --El
    Originally Posted by shazzypoos
    Hi
    I did post another SLP query related to this but received no responses. I have been reading up on SLP setup, we have had our existing SLP setup in place for a number of years, however we have had issues where if a site link is off the site cannot log in locally at all - it is obviously trying to locate resources in a container it does not have a replica of.
    When our SLP was set up the resources were placed at the central site under the central site's container. I am wondering if a) it is OK to move the SLP scope container (and DA object?) to root and then place a root replica at each WAN site? (I have read you should not place a local DA at each site though had considered this also) and b) should I place a backup SLPDA somewhere in case there is a problem with the server housing the DA (which has also happened to me - and sites could not log in at all while it was restarting!) Can I point to 2 in my server and client configs?
    We will be moving to OES2 next year but I need to make sure this keeps operational as efficiently as possible until that time.
    Advice from a Novell expert would be much appreciated
    Thanks

  • Change RADIUS Certificate or Reset RADIUS, SERVER 3.2.2

    Hi All,
    I've got an expiring self signed certificate that I was using for the RADIUS service on 10.9, server 3.2.2.
    I can figure out how to replace this certificate with our valid trusted SSL certificate for our domain.  We originally set up the RADIUS server with the instructions at https://www.yesdevnull.net/2013/10/os-x-mavericks-server-setting-up-freeradius/
    If I just try to install new certs using sudo radiusconfig -installcerts command, it just breaks the radius.
    I've also tried blowing away the radius folder inside of /Library/Server in an attempt to reset RADIUS to the factory defaults, but after reinstalling the server app, and going through the process of setting up RADIUS, it's still using the old certificate.
    Any help would be appreciated!
    Thanks

    Thanks to Charles over at Krypted, deleting the Radius folder from /Library/Server/Radius and running this command:
    sudo rm /var/db/.ServerSetupDone
    Allowed me to get Server to recreate a clean Radius set.

  • No Multi-User Calendar in WebAccess

    We are using GW 2012 and looking at the possibility of eliminating the client in favor of WebAccess for all users.
    One issue that I've run into is that we cannot view multiple calendars via the multi-user function while in WebAccess. It works perfectly fine in the client.
    When I log into my mailbox and click the calendar button, my only option under the "Calendars" box is "Calendar" which is my own. No others display. I can proxy, via WebAccess, into the other calendar with no issues.
    I've looked through the threads here, and performed a few internet searches with no results. From the documentation it does appear that Multi-User is available, or supposed to be, when in WebAccess.
    Our GW system (MTA, GWIA, WebAccess) is running on SLES10/OES2 with multiple post offices running on SLES10 or 11.
    Thanks for any pointers you may have!
    Michael


  • Best Radius or Tacacs+ program?

    Morning everyone,
    I would like to set up either a TACACS or RADIUS solution here. Wondering what other people have found to be the best server for either of these, preferably free if one exists.
    Thanks

    Ok I have freeRADIUS, it is installed and running. I can authenticate the test user. I set up the router with a few basic AAA commands. The router sends requests to the RADIUS server, however, I get a line saying:
    Login incorrect: [testing/N!:\302\362}\204\307\214\337!\003\tc\302L] (from client private-network-2 port 194 cli 172.16.101.202)
      WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!
    Login incorrect: [testing/N!:\302\362}\204\307\214\337!\003\tc\302L] (from client private-network-2 port 194 cli 172.16.101.202)
      WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!
    The shared secret is just SECRET, password is password for testing purposes. Has anyone on here set up freeRADIUS correctly?

  • GWIM 2.0.4 Upgrade Path - Novell Messenger

    Is there an upgrade path from GWIM to Novell Messenger. Perusing the documentation I do not see any specifics.
    I currently run GWIM 2.4 on SLES10-OES2.
    Can I simply copy over the new agents and update the Clients or is Novell Messenger an entirely new product?

    I upgraded from 2.0.4 to 2.1 and I just extended the schema and installed the agents. I see that 2.2 was posted yesterday and I hope I can simply do the same.
    Al
    On 12/9/2010 at 8:36 AM, kbannister<[email protected]> wrote:
    Is there an upgrade path from GWIM to Novell Messenger. Perusing the
    documentation I do not see any specifics.
    I currently run GWIM 2.4 on SLES10-OES2.
    Can I simply copy over the new agents and update the Clients or is
    Novell Messenger an entirely new product?
    kbannister

  • SLES10 SP4/OES2 SP3 32 bit Clean Install - Basic Questions

    Hi everyone.
    I am now an expert in installing the above software and ending up with a server which does not work as we require. Must be something I am doing wrong. Hope someone can spot it.
    Have installed and supported Netware servers for 25 years without major problems. Decided now to move to SLES because Novell say we should and we need Groupwise 12 to replace GroupWise 8.
    The operational environment we are targeting is an 80 user edirectory/NDS based single tree, single context containing two Netware 6.5 SP8 HP Proliant servers running uncomplicated file and print services, NSS volumes, Groupwise 8, DHCP, ifolder, Quickfinder and the like, spread across the two servers. It all works a treat. Client PCs are all XP Pro with Novell client software.
    The idea would be to replace one of the two Netware servers first with a SLES/OES server and then the second Netware server with a second SLES/OES server and move GroupWise functionality to one of the SLES/OES servers. Ideally users would continue to log on using their eDirectory accounts without noticing anything was going on in the background.
    The test environment we have set up is a 5 user NDS/eDirectory single tree, single context already containing a single Netware 6.5 SP8 Proliant server running file and print, NSS volumes etc and Groupwise 8. Into this tree we are trying to install a 32 bit server with a empty 36 GB SCSI disc running SLES 10 SP4 with OES2 DP3 as an add in, with NSS data volumes.
    Because it only takes a few hours to do we have repeatedly run the SLES 10/OES2 install (probably about 9 times!) with minor variations to see whether we can end up with a properly configured SLES/OES server but there is always one problem or another.
    The major problem we have is how to configure NSS data volumes on the SLES server and how to allow users to be validated against their eDirectory entries and knowing whether the test server is 'good to go'.
    The process we followed for each test install, after checking edirectory was clean and removing any entries placed in the tree by earlier attempts to install the SLES server in the same tree were:
    1. Boot the SLES 10 SP4 32 DVD (downloaded ISO and burnt DVD) and selected Installation.
    2. Followed the prompts on time zone and language etc and selected i386 OES CD (also downloaded ISO and burnt) as the Software Add-In.
    3. Loaded SLES DVD and OES CD as and when requested
    4. At the Partitioning stage we selected the EVMS proposal, and at the Software selection stage selected the base software, file server Role, Documentation, DHCP, eDirectory, iFolder, iPrint, Quickfinder, NSS and LDAP.
    5. Miscellaneous errors would appear or not appear during the eDirectory stage (eg LUM error, or iFolder error) but the eDirectory stage would still seem to complete OK and get ticked.
    6. The system would then reboot and appear to come up OK.
    HOWEVER, we are not convinced we have created a fully working reliable server.
    and
    SPECIFICALLY we are unable to create NSS volumes and we cannot logon users via their eDirectory accounts.
    NSSMU shows a single device sda (33.92 Gb) and three partitions sda1 (70Mb), sda2 (31.91GB), and sda3 (1.94GB). sda2 seems to contain all the 'spare' space on the disk (type Linux LVM) but says there is no spare space to create our NSS partitions.
    iManager cannot see any devices to configure NSS data volumes on the SLES server but it connects OK
    NSSCON status seems to show NSS to be running
    EVMSGUI shows /dev/evms/lvm2/system/ro at 10 Gb, /dev/evms/lvm2/system/sw at 2GB and /dev/evms/sda1 at 70 Mb
    So my questions are:
    Does the above look right?
    Why cannot we get at the spare disk space to set up NSS volumes? Did the EVMS proposal grab it all and if so how do we get it back?
    Did not selecting the EVMS partitioning proposal do everything needed to run NSS?
    [There seems to be some suggestion in the several hundred pages of SLES, OES and NSS Guides, Installation manuals, Configuration manuals etc that we have studied over several days, that we now have to edit a fstab file to make it work properly (Really? in this day and age where clicking on Setup.Exe will configure a fully working Windows server) Is that so? Is there anything else we need to do?]
    How do we get the users to access their NDS accounts to log into SLES and Netware?
    How do we know the server is OK for operational use and 'works' ?
    HELP!!!
    ADB

    alandbond wrote:
    > I
    > have already trawled the self help Forums believing that before SLES
    > 11 came along everyone must have been setting up NSS volumes on SLES
    > 10/OES2 as a matter of course as they moved from Netware and so me
    > trying to do it now should not be akin to rocket science.
    You are partially correct. Admins who used NSS on NetWare likely did
    install NSS on OES Linux but I suspect they used a separate drive for
    NSS either by installing an additional drive, by carving out a chunk of
    space on their RAID array and assigning it to a separate LUN, or by
    running OES in a VM where storage space on a single disk/array can
    appear as separate drives.
    > If Novell say in that guide as they do
    > (just as do you and ab and Simon in responses to my post) that the
    > IDEAL way to include NSS is to have a separate disk for Suse and NSS
    > volumes, BUT as long as you use EVMS to manage the volumes it IS
    > SUPPORTED, then I consider it should be possible without grief to do
    > this and not considered as me putting round pegs in square holes.
    Semantics!
    IDEAL = Recommended; EVMS != IDEAL; EVMS != Recommended;
    IMO, Novell recognised that they had to provide a way for customers to
    install NSS on a system that only had a single disk and provided this
    procedure as a workaround. By the way, they also support 2-node
    clusters but they aren't recommended either. I have also seen cases
    where a supported configuration was deemed no longer to be supported as
    NTS became aware of additional complications.
    My point (and Simon's and ab/Aaron's) is this: Just because it is
    supported doesn't mean you should do it. If we can agree on this point,
    I'll try to help you to get it working. The last thing I want to do is
    give others the impression that by helping you find a solution we think
    this is a good idea!!!
    > This latest release of software even goes as far as including an EVMS
    > Partitioning proposal which can be selected (as I did) within the
    > clean install process.
    >
    > This is what it says:
    Okay! I'm only looking at the information you provided. Let's analyse
    it!
    >
    > A.2.1 Understanding the EVMS-Based Partitioning Scheme
    > Using EVMS to manage the system device allows you to later add NSS
    > pools and volumes
    Yes, NSS requires the volume manager to be EVMS and not LVM!
    > on any *unpartitioned* free space on it.
    But you have not left *any* unpartitioned free space!
    > You must modify the partitioning scheme to use EVMS during the
    > install. It is not possible to change the volume manager for the
    > system device after the install.
    True.
    > Beginning in OES 2 SP3, the Partitioner in the YaST Install offers the
    > Create EVMS Based Proposal option to automatically create an EVMS
    > solution for the system device.
    > For unpartitioned devices over 20 GB in size,
    This is what you have...
    > this option creates a boot partition
    > and a container for the swap and / (root) volumes
    > in up to the first 20 GB,
    > and leaves the remainder of the space on the device
    > as unpartitioned free space.
    But it didn't (or you didn't)!
    > Table A-1 shows the default proposed setup
    > for a machine with 768 MB RAM.
    > The default swap size is 1 GB or larger,
    > depending on the size of the RAM on your machine.
    > The remainder of the device is left as unpartitioned free space.
    Let's look at the default proposal. This is *not* what you have.
    > Table A-1 Default EVMS Proposal for Devices over 20 GB in Size
    >
    > Device Size Type Mount Point
    > /dev/sda1 70.5 MB Ext2 /boot
    > /dev/sda2 14.9 GB Linux LVM
    > /dev/evms/lvm2/system 14.9 GB EVMS lvm2/system
    > /dev/evms/lvm2/system/root 10.0 GB EVMS /
    > /dev/evms/lvm2/system/swap 1.1 GB EVMS swap
    A single (SATA/SAS/SCSI) drive will be known as sda (/dev/sda).
    /dev/sda1 is the first partition. In the example and in your
    configuration this is the /boot partition. In both cases it is 70.5 MB.
    /dev/sda2 is the second partition. The partition uses LVM so logical
    volumes of various sizes can be created within the partition. The total
    size of all logical volumes cannot be larger than the size of the
    partition.
    In the above example:
    /root is 10.0 GB and swap is 1.1 GB. This leaves: 14.9 - (10.0 + 1.1) =
    3.8 GB of additional space within /sda2 which can be used to create
    additional logical volumes. Furthermore sda1 + sda2 use only ~ 15 GB.
    Only 15 GB of the disk has been allocated. The remainder of the disk is
    *unallocated* and *unpartitioned*. Presumably, it was left that way so
    that the space could be used for NSS.
    In your case: sda2 is 31.91 GB
    This does not follow the Default EVMS Proposal for Devices over 20 GB
    in Size. Either YaST did not allocate space according to the default
    proposal or you changed it. Either way, sda2 (+sda3) consume *all* of
    the available disk space. It is no wonder that there is no space
    available for NSS!
    > What do you reckon???
    I reckon that something went wrong along the way. If you did not
    specifically change the default allocation yourself, then consider this
    one example of the kinds of things that can happen when one tries to
    exploit seldom used, but supported, features!
    It looks like it is time for yet another installation. This time, make
    sure you leave enough unpartitioned space on the drive for NSS and let
    me know how you make out.
    Kevin Boyle - Knowledge Partner

  • [SOLVED] Upgrade from SLES10 SP3 & OES2 SP2 to SP4/SP3 breaks NCS

    Hi folks,
    (This post was originally meant to be a rant and a request for help, but
    while writing the final paragraph I found the solution. It's still a
    rant, but I figured I'd post my solution here in case someone else runs
    into the same issue.)
    I've just spent several hours banging my head against a broken cluster
    node. My system is a 32-bit SLES 10 VM running on VMware ESX 3.5.x.
    I upgraded from SLES10 SP3 and OES2 SP2 to the next service packs for
    each (using the move-to-oes-sp3 script in yast2 online_update).
    Everything went well for the first few update/reboot sequences, then
    after the final reboot on SLES10 SP4 & OES2 SP3, cluster services would
    not load or join the cluster on restart.
    I checked dmesg and found errors about "Loading module compiled for
    kernel version 2.6.16.60-0.54.5-vmi" into a previous kernel version, so
    I tried downgrading to that kernel version, only to find that it was
    older than the one I had just upgraded from (it's the original SLES10
    SP3 kernel). So I tried upgrading back to the same kernel which is
    running on the other cluster node (2.6.16.60-0.77.1-vmi), but that did
    not work any better.
    <preaching>
    I have to say that I'm not impressed that OES2 SP3 isn't even compiled
    against the appropriate kernel, and because of SUSE's kernel RPM
    overwrite policy there's no way I can select to boot from a previous
    kernel to see if that fixes things. Note to SUSE and other distro
    builders: if you're not doing kernel package upgrades like Red Hat or
    Ubuntu (so that we can select to boot from the previous kernel from the
    boot menu), you're doing it *WRONG*.
    </preaching>
    I then upgraded again to the latest recommended kernel for SLES10 SP4,
    and still no joy. Dmesg shows this error before the rot starts:
    allocation failed: out of vmalloc space - use vmalloc=<size> to increase
    size.
    When searching for this error I stumbled across
    http://ubuntuforums.org/showthread.php?t=1613132
    which pointed me to
    http://www.mythtv.org/wiki/Common_Pr...lloc_too_small
    Adding vmalloc=192M to /boot/grub/menu.lst and rebooting solved the
    problem for me.
    Regards,
    Paul
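
Added example, not part of Paul's post: a shell version of the fix he describes, setting vmalloc=192M on the kernel lines of a GRUB legacy menu.lst without duplicating an existing vmalloc= option. The sample menu.lst (titles, devices, second entry) is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed GRUB legacy menu.lst for illustration. Only vmalloc=192M,
# clocksource=acpi_pm and the -vmi kernel version string come from the thread;
# titles, devices and the second entry are made up.
sample_menu_lst() {
cat <<'EOF'
default 0
timeout 8
title SLES 10 (vmi)
    root (hd0,0)
    kernel /vmlinuz-2.6.16.60-0.77.1-vmi root=/dev/sda2 clocksource=acpi_pm
    initrd /initrd-2.6.16.60-0.77.1-vmi
title Already tuned entry
    root (hd0,0)
    kernel /vmlinuz-example root=/dev/sda2 vmalloc=128M
    initrd /initrd-example
EOF
}

# set_vmalloc SIZE: read menu.lst on stdin, write it to stdout with
# vmalloc=SIZE on every "kernel" line. An existing vmalloc= value is
# replaced, not duplicated, so a second run changes nothing.
set_vmalloc() {
    awk -v size="$1" '
    $1 == "kernel" {
        if ($0 ~ /[ \t]vmalloc=/) {
            sub(/[ \t]vmalloc=[^ \t]*/, " vmalloc=" size)
        } else {
            sub(/[ \t]+$/, "")          # drop trailing blanks before appending
            $0 = $0 " vmalloc=" size
        }
    }
    { print }'
}

# vmalloc_state: what the running kernel reports, for checking after the
# reboot that the option was picked up (standard Linux /proc files).
vmalloc_state() {
    printf 'cmdline: %s\n' "$(cat /proc/cmdline 2>/dev/null)"
    grep -i '^Vmalloc' /proc/meminfo 2>/dev/null
    return 0
}
```

Write the output of set_vmalloc to a temporary file and compare it with the original before replacing /boot/grub/menu.lst.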

    Originally Posted by Paul Gear
    On 13/10/11 07:36, magic31 wrote:
    > ...
    > Not sure if it's related to the issue you've hit, but along the lines
    > of what Kevin already mentioned, there are issues that can arise when
    > using the VMI kernel (that I've seen) if having multiple flavors of the
    > kernel installed along with it (as in having both kernel-vmi as also
    > kernel-smp packages installed) ...
    > Curious, is that also the case with your setup?
    The system in question has kernel-bigsmp and kernel-vmi installed. We
    only ever boot from kernel-vmi.
    > I've moved to only using the smp kernel on VMware (along with the
    > clock=pit boot option to avoid time drift issues, or pmtr I think in
    > your case when also running NCS services in the vm).
    When we installed the system (on OES2 SP1, I believe) it was a while
    ago, and kernel-vmi with clocksource=acpi_pm on the kernel command line
    was the only solution we could find to get reliable time. If there are
    updated best-practice documents, I'd be happy to hear about them.
    However, this is a production cluster and my boss is (rightly) rather
    reticent to make major changes.
    Paul
    The official VMware paper on time is that IF you're using SLES 10.x 32-bit you will use VMI and NO kernel params (i.e., get rid of the clockpit and clocksource=blah).
    But if 64-bit then you're okay.
    The easiest, IMO (especially with vmware) is to use the miggui (migration utility). That's how I'm converting all my 32-bit servers in vmware to 64-bit. Works quite well.
    --Kevin
