Category: SAN/NAS/Storage

Jun 29

Deleting inaccessible data such as users' home directories

Users' home directories are often hardened such that even Domain Administrators have problems migrating them and subsequently deleting them. A way to deal with the migration is already documented here, so this post is really just about the subsequent cleanup of the stubborn source data.

You can sit in Windows Explorer taking ownership and rattling the new permissions down each user's tree if you like, but it's a laborious process when you have 2000 users, and it doesn't always work out 100% successfully either.

This is my way of clearing out all users' home directories that begin with the characters u5, for example. You can adapt it or scale it up to suit your own requirements easily and save yourself a lot of time and effort.

First, make a list of the directories you want to delete.  Whether you have access to them or not is irrelevant at this stage.

dir /ad /b | findstr ^u5 > mylist.txt

dir /ad /b | findstr ^U5 >> mylist.txt

(findstr is case-sensitive unless you add /i, which is why there are two passes; dir /ad /b | findstr /i ^u5 > mylist.txt does the same in one.) Read through mylist.txt before going any further: everything in it is about to be emptied.

Create an empty folder if you dont have one already.

mkdir empty

Now mirror that empty folder over the top of each directory in the list using robocopy's /B switch. /B is backup mode: robocopy opens files using the operating system's backup and restore privileges (SeBackupPrivilege and SeRestorePrivilege, which members of Administrators and Backup Operators hold by default), so the NTFS ACLs are not consulted at all. That is convenient here, and it is also why membership of those two groups is worth auditing: it amounts to read and write access to every file on the box regardless of permissions.

for /f %F in (mylist.txt) DO robocopy empty %F /MIR /B /TIMFIX

(In a batch file write %%F instead of %F. If any directory name contains a space, use for /f "delims=" %F ... and quote the %F passed to robocopy.)

This will leave empty folders behind, but the security on them will have been overwritten with that of your empty folder, giving you the permission to delete them. Check the permissions on a couple of the leftovers before running the rmdir pass; any that rmdir still refuses are the ones to finish by hand.

for /f %F in (mylist.txt) DO rmdir %F

Done.

Note: Use /TIMFIX with /B to correct non-copying of datestamps on files, resulting in 02/01/1980 datestamps on all files copied with /B Backup rights.
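The same cleanup driven from Python, as an added example rather than the post's batch one-liners: it replaces the two case-sensitive findstr passes with one case-insensitive match, passes each path to robocopy as a separate argument so names with spaces survive, and checks robocopy's exit code, which is a bitmask in which 1, 2 and 4 are informational and 8 or 16 mean something could not be copied or deleted. Directories whose purge fails are reported at the end for manual follow-up instead of stopping the loop. The share root, the prefix and the scratch folder name _empty are placeholders; the account running it needs the backup privilege (Administrators or Backup Operators) for /B to work.

```python
#!/usr/bin/env python3
"""Added example, not the original post's batch one-liners: purge hardened
home directories by mirroring an empty folder over each one with robocopy /B,
then removing the leftover empty directory.

Assumptions: runs on Windows with robocopy.exe on PATH, as a member of
Administrators (or Backup Operators) so that /B has SeBackupPrivilege;
the share root, the prefix and the scratch folder name _empty are
placeholders passed on the command line.
"""
import os
import subprocess
import sys
from pathlib import Path

# robocopy's exit code is a bitmask: 1, 2 and 4 are informational
# (files copied, extras, mismatches); 8 means some files or directories
# could not be copied or deleted; 16 is a fatal error.
ROBOCOPY_ERROR_BITS = 8 | 16


def matching_dirs(names, prefix):
    """Directory names starting with prefix, case-insensitive: one pass
    instead of separate findstr runs for u5 and U5."""
    p = prefix.lower()
    return sorted((n for n in names if n.lower().startswith(p)), key=str.lower)


def purge_command(empty_dir, target_dir):
    """argv for mirroring an empty folder over target_dir in backup mode.
    Passing a list (not a string) means names with spaces need no quoting."""
    return ["robocopy", str(empty_dir), str(target_dir),
            "/MIR", "/B", "/TIMFIX", "/NP", "/NJH", "/NJS", "/R:1", "/W:1"]


def robocopy_failed(rc):
    """True if the exit code carries either error bit (8 or 16)."""
    return bool(rc & ROBOCOPY_ERROR_BITS)


def purge_home_dirs(root, empty_dir, prefix, run=subprocess.run, dry_run=False):
    """Purge every matching directory under root.  Returns the names that
    are still standing afterwards (robocopy error bits or rmdir failure);
    a failure on one directory does not stop the loop."""
    names = [e.name for e in os.scandir(root) if e.is_dir()]
    failed = []
    for name in matching_dirs(names, prefix):
        target = Path(root) / name
        cmd = purge_command(empty_dir, target)
        if dry_run:
            print(" ".join(cmd))
            continue
        if robocopy_failed(run(cmd).returncode):
            failed.append(name)        # contents not fully purged: look at it by hand
            continue
        try:
            target.rmdir()             # only succeeds on an empty directory
        except OSError:
            failed.append(name)        # purged but not deletable: fix its ACL by hand
    return failed


if __name__ == "__main__":
    # e.g. python purge_homedirs.py D:\Home u5 --dry-run
    root, prefix = sys.argv[1], sys.argv[2]
    empty = Path(root) / "_empty"
    empty.mkdir(exist_ok=True)
    left = purge_home_dirs(root, empty, prefix, dry_run="--dry-run" in sys.argv)
    print("still present:", left or "none")
```

Run it once with --dry-run to see the exact robocopy commands it would issue, then without. The run parameter exists so the loop can be exercised with a stand-in for robocopy; on the real server leave it at its default.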

Mar 15

Manually set IP, Subnet and Gateway addresses on VNX Control Station

How to change the Control Station IP Address and Subnet Mask

Log in to the Control Station as root.

Change the IP address and network mask by using this command syntax:

Note: /sbin/ifconfig -a revealed eth3 to be my cs0 interface.

# /sbin/ifconfig eth3 <ipaddr> netmask <netmask>

e.g. /sbin/ifconfig eth3 172.24.101.100 netmask 255.255.255.0

This changes the running configuration immediately but does not persist across restarts. If you are connected over SSH to the address you are changing, the session will drop at this point; do it from the serial console or be ready to reconnect to the new address.

Edit the network scripts file, /etc/sysconfig/network-scripts/ifcfg-eth3, using a text editor (that means vi), so that it reads:

DEVICE=eth3
IPADDR=172.24.101.100
NETMASK=255.255.255.0
NETWORK=172.24.101.0
BROADCAST=172.24.101.255
ONBOOT=yes

Edit the local hosts file, /etc/hosts

Look for lines with the old IP address.

Replace the old IP address with your new IP address.

Save the file and exit.

If you are changing the Control Station IP address, but remaining on the same network, then the SP IP addresses for an integrated model need not be modified. However, if you are changing to a different network, the SP IP addresses must be modified to be on the same physical network as the Control Station for the Integrated model. Use the clariion_mgmt -modify -network command to update the IP addresses on the SP, as it will also update the files and Celerra database with the modified IP addresses.

How to change the Control Station default gateway

Log in to the Control Station as root using SSH. Add a default route by typing:

# /sbin/route add default gw 172.24.101.254

This changes the running configuration immediately but does not persist across restarts.

Edit the same network configuration file, /etc/sysconfig/network-scripts/ifcfg-eth3, using a text editor.

Add a GATEWAY line with the new gateway IP address, giving entries similar to:

DEVICE=eth3
IPADDR=172.24.101.100
NETMASK=255.255.255.0
NETWORK=172.24.101.0
BROADCAST=172.24.101.255
ONBOOT=yes
GATEWAY=172.24.101.254

Save the file and exit.
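As an added example (not from the original post, and not an EMC tool), the persistent part of both procedures above can be generated rather than typed. The script derives NETWORK and BROADCAST from the address and mask with Python's ipaddress module, refuses an address that is the network or broadcast address or a gateway that is off-subnet, and rewrites /etc/hosts lines that start with the old address without touching addresses that merely share a prefix. The interface name, addresses and paths are the post's placeholders. It only prints: redirect the output into the ifcfg file yourself, then bring the interface down and up, from the console rather than over the SSH session you are about to cut off.

```python
#!/usr/bin/env python3
"""Added example (not from the original post, not an EMC tool): render the
persistent Control Station network settings instead of hand-editing them.

Assumptions: the interface name, addresses and paths are the post's
placeholders; the functions work on text so they can be checked before
anything touches /etc.  Python 3 with the standard ipaddress module.
"""
import ipaddress
import re


def ifcfg_text(dev, ip, netmask, gateway=None):
    """Render ifcfg-<dev>; NETWORK and BROADCAST are derived, not typed."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    addr = ipaddress.IPv4Address(ip)
    if addr in (net.network_address, net.broadcast_address):
        raise ValueError(f"{ip} is the network or broadcast address of {net}")
    if gateway is not None and ipaddress.IPv4Address(gateway) not in net:
        raise ValueError(f"gateway {gateway} is not on {net}")
    lines = [
        f"DEVICE={dev}",
        f"IPADDR={addr}",
        f"NETMASK={net.netmask}",
        f"NETWORK={net.network_address}",
        f"BROADCAST={net.broadcast_address}",
        "ONBOOT=yes",
    ]
    if gateway is not None:
        lines.append(f"GATEWAY={gateway}")
    return "\n".join(lines) + "\n"


def rewrite_hosts(text, old_ip, new_ip):
    """Replace old_ip only where it is the whole first token of an /etc/hosts
    line, so changing 172.24.101.1 leaves 172.24.101.10 alone."""
    pattern = re.compile("^" + re.escape(old_ip) + r"(?=\s)", re.MULTILINE)
    return pattern.sub(new_ip, text)


if __name__ == "__main__":
    # Values from the post; redirect this into /etc/sysconfig/network-scripts/ifcfg-eth3
    print(ifcfg_text("eth3", "172.24.101.100", "255.255.255.0", "172.24.101.254"), end="")
```

For /etc/hosts, read the file, pass its contents through rewrite_hosts with the old and new address, and write it back; the regex anchors on the start of the line so comments and aliases are left alone.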

Mar 02

Download the full Firefox stand-alone installer

There's nothing more frustrating than downloading an installer that assumes you're going to have internet access on the machine you subsequently intend to run it on (a so-called stub installer).

For example, downloading Firefox so that you can get to your enterprise storage array's Java-based admin interface without the agony of Internet Explorer throwing its toys out of the pram over the certificate, while the settings are locked down by IE policy, this policy, that policy and the other policy that all exist to make the environment so much more "secure" but actually just don't allow anything, anywhere, ever. It's secure! It's been signed off as being suitably unusable to prevent exposing ourselves to any kind of imaginary threat! Aren't we clever? No. Rant over.

I've probably digressed, I can't tell. I'm too angry. And you are too, probably, if you've ended up here. Installers that assume an internet connection are completely useless in the enterprise environment (best read in the voice of Clarkson).

What's even more frustrating is that the stub installer is the only apparent option, judging by Mozilla's website. Well, it isn't the only option: you can still download the full-fat, stand-alone installer from their FTP site, but FTP is blocked by your firewall!

No bother, just replace ftp:// with http:// at the beginning of the URL, or even better just click here for the 64-bit version (or here for the 32-bit version). Whichever way you fetch it, the installer is going onto a machine that cannot check for updates itself, so compare its hash with the SHA256SUMS file Mozilla publishes in the same release directory before you run it.
Feb 09

Enable NFSv4 on VNX

To enable NFSv4 on an up-to-date (VNX OE for File 7.1 or later) VNX Unified storage system and mount a filesystem on a Data Mover for NFSv4 access with a MIXED access policy, the following steps serve as a concise guide. NFSv4 cannot be enabled via Unisphere.

Log onto control station as nasadmin user via SSH using PuTTY.

START NFSv4 Server on VNX
server_nfs server_2 -v4 -service -start

SET DOMAIN NAME to nfsv4.domain (change as required)
server_param server_2 -facility nfsv4 -modify domain -value nfsv4.domain

LIST NFSv4 DOMAIN INFO
server_param server_2 -facility nfsv4 -info domain

LIST NFSv4 INFO
server_param server_2 -facility nfsv4 -list

MOUNT NFS_TEST_2 on server_2 for NFSv4 access
server_mount server_2 -option accesspolicy=MIXED NFS_TEST_2 /NFS_TEST_2

TRANSLATE existing, mounted NFS filesystem from NATIVE access policy to MIXED access policy
nas_fs -translate NFS_TEST_2 -access_policy start -to MIXED -from NATIVE

DISPLAY NFSv4 CLIENT CONNECTIONS
server_nfs server_2 -v4 -client -list

NFSv4 requires UNICODE to be enabled on the Data Mover. Check:
server_cifs server_2 | grep I18N
I18N mode = UNICODE

DISPLAY NFSv4 STATUS
server_nfs server_2 -v4

It's highly likely that if you require NFSv4 then you'll also need to authenticate access using a UNIX-based Kerberos KDC. The following notes cover the configuration steps involved. Please note that this section is still a work in progress; refer to the official EMC documentation for a complete set of instructions with examples.

SECURE NFS (using UNIX Kerberos Authentication)

CONFIGURE THE KERBEROS REALM
server_kerberos server_2 -add realm=<realm-name>,kdc=<fqdn_kdc_name>,kadmin=<kadmin_server>,domain=<domain_name>,defaultrealm
Note: realm, kdc, kadmin and domain should all be entered as FQDNs.

VERIFY THE RESULTS
server_kerberos server_2 -list

SET THE SECURE NFS SERVICE INSTANCE
server_nfs <datamovername> -secnfs
Note: server_2 is set already during VNX installation.

CHANGE THE SECURE NFS SERVICE INSTANCE
Note: this is only required if you change the default Data Mover hostname from server_2 to, e.g., Ingbe245.
server_nfs <newdatamovername> -secnfs -principal -delete nfs@server_2
server_nfs <newdatamovername> -secnfs -principal -create nfs@<server>
Note: <server> is the Data Mover's host name, and the -create needs to be run twice, once with the short name, e.g. Ingbe245, and once with the FQDN, e.g. Ingbe245.fqdn.local, matching the two service principals created on the KDC below.

STOP AND START THE SECURE NFS SERVICE
server_nfs server_2 -secnfs -service -stop
server_nfs Ingbe245 -secnfs -service -start
Note: use whichever name the Data Mover has at the time; both lines refer to the same Data Mover before and after the rename above.

DETERMINE IF A KEYTAB FILE ALREADY EXISTS ON THE DATA MOVER
If /.etc/krb5.keytab already exists on the Data Mover, copy it to the Kerberos KDC first (server_file -get, below) and point ktadd at that copy: ktadd appends to an existing keytab, so the entries already in use survive when the file is copied back.

CREATE NFS KERBEROS SERVICE PRINCIPALS
Note: the kadmin steps are performed on the Kerberos KDC, not on the VNX.
kadmin: addprinc -randkey nfs/Ingbe245
kadmin: addprinc -randkey nfs/Ingbe245.fqdn.local

VERIFY THAT THE PRINCIPALS HAVE BEEN ADDED
kadmin: listprincs

GENERATE SECURITY KEYS
kadmin: ktadd -k <keytab_file_path> <name>
<keytab_file_path> = location of the keytab file (created if absent, appended to if present)
<name> = name of a previously created service principal, e.g. nfs/Ingbe245; run ktadd once for each of the two principals
Note: every ktadd run generates a new random key and increments that principal's key version number (kvno), so a keytab copied to the Data Mover earlier stops working the moment ktadd is run again. Generate once, then distribute.

COPY KEYTAB FILE
Copy the krb5.keytab file from the Kerberos KDC to the Control Station, and from there to the Data Mover using the server_file command. The keytab is the Data Mover's long-term credential, so move it with scp or sftp rather than FTP (which sends it in the clear), keep the file mode restrictive, and delete the Control Station copy once the -put has succeeded.
Note: EMC Common Anti-Virus Agent (CAVA) is also configured using the server_file command, to place and retrieve the viruschecker.conf file. There are notes on that here but, to save you the trouble, the commands for your convenience are:

server_file server_2 -get krb5.keytab krb5.keytab    (Data Mover to Control Station)

server_file server_2 -put krb5.keytab krb5.keytab    (Control Station to Data Mover)

VIEW THE KEYTAB FILE
server_kerberos Ingbe245 -keytab

MAP USER PRINCIPAL NAMES TO UIDs
VERIFY THE TYPE OF MAPPING SERVICE USED BY SECURE NFS
server_nfs <datamovername> -secnfs -mapper -info

USE AUTOMATIC MAPPING
server_nfs <datamover_name> -secnfs -mapper -set -source auto

MONITOR INBOUND CONNECTIONS FROM NFSV4 CLIENTS
server_nfs server_2 -v4 -client -list
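Before the keytab is pushed to the Data Mover it is worth checking what is actually in it: the right two principals (short name and FQDN), a key version number that matches the KDC (kvno goes up every time ktadd is run, and a stale keytab fails with a kvno mismatch), and no single-DES or RC4 keys. The following is an added example, not from the post or from EMC, that parses the MIT keytab file format (version 0x0502) and reports those problems. It also builds the constructed sample it checks, using the post's Ingbe245 principals in an assumed realm FQDN.LOCAL with made-up key bytes; point it at a real file to check that instead.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): read an MIT-format krb5.keytab
and list the principals, key version numbers and enctypes it holds, so the
file can be checked against the KDC before server_file -put and again after
server_kerberos -keytab.

Assumptions: realm FQDN.LOCAL and the key bytes below are constructed for
the demo (not real keys); the principal names follow the post.
"""
import struct
from dataclasses import dataclass

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}   # single DES and RC4: do not deploy these


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int


def _counted(data, off):
    """uint16 length followed by that many bytes (a keytab 'counted octet string')."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data):
    """Parse keytab format version 0x0502 into a list of KeytabEntry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 5.2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (length,) = struct.unpack_from(">i", data, off)   # big-endian, signed
        off += 4
        if length == 0:
            break
        if length < 0:                 # a deleted slot (kadmin ktremove): skip it
            off += -length
            continue
        end = off + length
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, ts, vno8, enctype = struct.unpack_from(">IIBH", data, off)
        off += 11
        _key, off = _counted(data, off)  # the secret itself; never printed
        kvno = vno8
        if end - off >= 4:               # newer keytabs also carry a 32-bit kvno
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, ts))
    return entries


def keytab_problems(entries, expected_principals):
    """Missing principals and weak enctypes, as human-readable strings."""
    present = {e.principal for e in entries}
    problems = [f"missing: {p}" for p in sorted(set(expected_principals) - present)]
    problems += [f"weak enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)} for {e.principal}"
                 for e in entries if e.enctype in WEAK_ENCTYPES]
    return problems


def build_keytab(entries_spec):
    """Inverse of parse_keytab: (principal, kvno, enctype, key) tuples -> bytes.
    Used to construct the sample below; handy for tests."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries_spec:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)  # NT-PRINCIPAL, ts 0
        body += struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: what ktadd for the post's two principals might produce
SAMPLE_KEYTAB = build_keytab([
    ("nfs/Ingbe245@FQDN.LOCAL", 2, 18, bytes(range(32))),
    ("nfs/Ingbe245.fqdn.local@FQDN.LOCAL", 2, 18, bytes(range(32, 64))),
])
EXPECTED = ["nfs/Ingbe245@FQDN.LOCAL", "nfs/Ingbe245.fqdn.local@FQDN.LOCAL"]

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    entries = parse_keytab(data)
    for e in entries:
        print(f"kvno {e.kvno:3d}  {ENCTYPE_NAMES.get(e.enctype, e.enctype):24s}  {e.principal}")
    for p in keytab_problems(entries, EXPECTED):
        print("WARNING:", p)
```

Compare the kvno it prints with kadmin's getprinc output for each principal; if they differ, the keytab predates a later ktadd and must be regenerated.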

Jan 30

Obtaining disk serial numbers from VNX

Most things in VNX can be exported using Unisphere's little export icon in the top right-hand corner of most, if not all, dialogs. Disk information is found under System, Hardware, Disks. You'll see there is a part number column but no serial number column for the disks.

To obtain the serial numbers of the HDDs in your array, download and install naviseccli on your laptop or storage management server and use the following command:

naviseccli -h <sp-ip-address> -User sysadmin -Password ********* -Scope 0 getdisk -serial

If a security file containing the credentials is already present on the storage management server (created once with naviseccli -AddUserSecurity), you won't need to specify the username and password in plain text as shown above. Prefer that: a password passed as a command-line argument is visible to anyone who can list processes on that host and ends up in the command history.
Nov 28

Change Cisco MDS Admin password

Step 1 Use the show user-account command to verify that your user name has network-admin privileges.

switch# show user-account
user:admin
this user account has no expiry date
roles:network-admin

Step 2 If your user name has network-admin privileges, use the username command to assign a new administrator password.

switch# config t
switch(config)# username admin password <new password>
switch(config)# exit
switch#

Step 3 Save the configuration.

switch# copy running-config startup-config

Full Cisco documentation here (includes password recovery for lost passwords).
Nov 25

How to cable up VNX SP Ports (Dual Fabric topology)

So your VNX has two SPs and you have two fabric switches. You already know you have to connect each SP to each fabric for resilience, but you're still a bit confused. Fear not; use this as a guide. It can be used no matter how many front-end port modules and SFPs you have, so that you get it right first time for all the Storage, MirrorView and SAN Copy ports required for your project. The FC switch ports you choose are not set in stone, but keep them the same on each side at least.

What's important is that the correct SP port goes to the correct switch.

When you think you've got it right, verify that the WWN shown in Unisphere corresponds with the WWN logged in to the FLOGI database on the switch (show flogi database) before you create the requisite fcaliases etc.

[Figure: cablingvnx, VNX SP port to dual-fabric switch cabling diagram]

It's much easier to build it right first time than sort it out afterwards.
Sep 07

Inject Administrators/Full Control permissions into inaccessible folders.

Note: This can also be used to inject Everyone/Full Control, or a specific user, using the username or SID. The Administrators group SID is always S-1-5-32-544. Other well-known SIDs are listed here.

Download the command-line version of SetACL.exe from here. Like all the best things in life, it's free.

Open a command prompt as Administrator (right-click cmd.exe, Run as administrator).

setacl -on "C:\Private No Entry" -ot file -actn ace -ace "n:Administrators;p:full" -rec cont_obj -ignoreerr

The "Private No Entry" folder should now have Administrators: Full Control permissions. If not, don't fret, read on...

The following command gives Administrators the "dream ticket" to all of the data: it sets the owner to Administrators on every folder and file and forces subdirectories to re-inherit the inheritable Administrators:Full Control permission from the parent (dacl:np means "not protected", i.e. inheritance switched back on; sacl:nc leaves the audit ACL unchanged).

setacl -on "C:\Private No Entry" -ot file -actn setprot -op "dacl:np;sacl:nc" -rec cont_obj -actn setowner -ownr "n:S-1-5-32-544"

If you still receive "Operating System Message: Access Denied" or similar, then take a robocopy of the "inaccessible" data using the /B switch, which uses the OS backup privilege instead of the ACL, leaving the permissions behind by using /COPY:DAT (instead of /COPY:DATSOU or /COPYALL), then repeat the process above on the copied data instead.

robocopy "C:\Private No Entry" "T:\Cracked Data" /B /COPY:DAT /E /NP /R:1 /W:1

Now view the inherited permissions on the copied data. You'll see it has a whole bunch of new, open permissions that it has got from the parent folder T:\. That is exactly what you wanted for the working copy, but it also means the users' data is now readable by everyone who can read T:\, so keep the copy on a volume with a tight ACL and delete it when you are done.

cacls "T:\Cracked Data"

The cracked data can be robocopied back over the original inaccessible source data using the /MIR /COPYALL /SEC /SECFIX switches if required. If it doesn't allow it, then note that I have successfully robocopied an empty folder over the top of an inaccessible folder before using just /MIR (in order to delete it), then robocopied the cracked data back into place, e.g.

robocopy "T:\Empty Folder" "C:\Private No Entry" /MIR /B

robocopy "T:\Cracked Data" "C:\Private No Entry" /MIR /SEC /B

Finally, if you want to re-harden the folder whilst retaining the access you've granted Administrators, then use the following commands.

Presently, access has been attained via inherited permissions, so before removing inheritance, first inject a non-inherited ACE that allows Administrators access, i.e.

setacl -on "C:\Private No Entry" -ot file -actn ace -ace "n:S-1-5-32-544;p:full" -rec cont_obj

Verify that the Administrators:Full Control permissions are present on the folder:

cacls "C:\Private No Entry"

Now it is safe to remove inheritance without losing access (strictly speaking, you are "protecting the child object from inherited permissions on the parent object"; p_nc protects the DACL without copying the inherited ACEs into it, which is why the explicit ACE had to go in first):

setacl -on "C:\Private No Entry" -ot file -actn setprot -op "dacl:p_nc;sacl:p_nc"

This sequence of commands can be used to copy users' home directories, which are typically hardened to permit only the user themselves access to the data within. If you are using it to migrate home directories, there is a loop to re-apply user-specific permissions to each home directory afterwards here.
Jun 22

RecoverPoint Journal LUN sizing

The journal size is a function of the required protection window (a business requirement) and the incoming write rate of the production application. Whilst the Recovery Point Objective might be known, the incoming write rate of a newly deployed app may not be, making the sizing of journal LUNs a bit "finger in the air". EMC provide a guideline value of 20% in this instance, but it has no real foundation.

The basic calculation is (protection window in seconds × write rate in MB/s) / 0.7, which gives the journal size in MB.
The division by 0.7 is because only roughly 70% of the journal is available for replication images.

For example, if the business requires 1 day of images and the average write rate of the application is 1 MB/s, that is 86,400 × 1 / 0.7 ≈ 123,400 MB, so you will need a minimum of about 125 GB of journal to support it. RecoverPoint supports automatic journal LUN creation during configuration of a Consistency Group if you don't have enough information to size the journal LUN manually up front.
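The sizing rule as an added example (not from the post), with the protection window written as 1d, 12h or 30m and the result rounded up to a LUN-friendly multiple of 5 GiB; it also answers the inverse question, how many hours of images an existing journal holds at a given write rate. The 0.7 factor is the post's. Treating the write rate as MiB/s and rounding up to 5 GiB are assumptions made here, and they are what turn the post's 1 day at 1 MB/s into its quoted 125 GB.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): the journal sizing rule as
code, with the protection window in human units, the answer rounded up to
a LUN-friendly size, and the inverse (window bought by an existing journal).

Assumptions: the post's 0.7 factor (about 70% of the journal holds images);
write rate in MiB/s and journal sizes in GiB (1024-based); rounding up to
the next 5 GiB, which is what makes 1 day at 1 MiB/s come out at 125 GiB.
"""
import math

JOURNAL_IMAGE_FRACTION = 0.7           # share of the journal usable for images
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def window_seconds(window):
    """Parse a protection window such as '1d', '12h', '30m' or '90s'."""
    value, unit = window[:-1], window[-1]
    if unit not in _UNITS or not value.isdigit() or int(value) == 0:
        raise ValueError(f"bad protection window {window!r}")
    return int(value) * _UNITS[unit]


def journal_mib(window, write_rate_mib_s):
    """Minimum journal in MiB: (window in seconds * write rate) / 0.7."""
    if write_rate_mib_s <= 0:
        raise ValueError("write rate must be positive")
    return window_seconds(window) * write_rate_mib_s / JOURNAL_IMAGE_FRACTION


def journal_gib_rounded(window, write_rate_mib_s, step_gib=5):
    """Journal size rounded up to a whole multiple of step_gib GiB."""
    gib = journal_mib(window, write_rate_mib_s) / 1024
    return math.ceil(gib / step_gib) * step_gib


def protection_window_hours(journal_gib, write_rate_mib_s):
    """Inverse: hours of images a journal of journal_gib holds at this write rate."""
    usable_mib = journal_gib * 1024 * JOURNAL_IMAGE_FRACTION
    return usable_mib / write_rate_mib_s / 3600


if __name__ == "__main__":
    for window, rate in [("1d", 1), ("12h", 5), ("3d", 0.5)]:
        print(f"{window:>4} at {rate:4} MiB/s -> {journal_gib_rounded(window, rate)} GiB")
    print(f"a 125 GiB journal at 1 MiB/s holds {protection_window_hours(125, 1):.1f} h of images")
```

If the write rate is unknown, run it with a few plausible rates and take the largest journal the budget allows; the inverse function then tells you, once the real rate is measured, whether the window you ended up with still meets the business requirement.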

During a recent deployment of RecoverPoint to support replication of LUNs to remote storage, solely for the purpose of failover, EMC's response was as follows. Please note that in this scenario there was no requirement for the "killer functionality" of RecoverPoint, namely point-in-time recovery using the journaled changes in Consistency Groups. That's not to say it won't become a requirement later on, however.

The Raid group in question would definitely be adequate to start replication, but whether it is enough to meet the business requirements, we cannot say.

Sizing aside, remember that it is very important to put the journal on a dedicated Storage Pool/RAID Group of physical disks, entirely separate from the ones used for your data LUNs and the RecoverPoint Repository LUN.
Jan 13

Cisco MDS Cheat Sheet

A more complete set of commands for use on MDS switches, with a useful set of commands at the top for exporting information (by logging the session output of the PuTTY terminal). Note that typing ? after any command shows the possible completions.

Export useful information

show switchname (display the hostname on the network)

show flogi database (shows the port and node WWNs of FC-connected devices logged in to the switch ports)

---------------------------------------------------------------------------
INTERFACE        VSAN    FCID           PORT NAME               NODE NAME
---------------------------------------------------------------------------
fc1/1            60      0xad04d1       50:05:07:61:13:61:a6:33 51:01:07:63:11:20:a6:33
fc1/2            60      0xad0012       50:05:07:63:12:13:51:37 50:01:07:61:12:03:55:37

show interface description (shows the description field for each physical port)

-------------------------------------------------------------------------------
Interface    Description
-------------------------------------------------------------------------------
fc1/1        L5500_CyberfellaTD1_1_A
fc1/2        L5500_CyberfellaTD2_1_A

show interface brief (shows the admin and operational status of every port, including any in the errDisabled state)

show vsan (display the VSANs configured)

show zone vsan 10 (display the zones in VSAN 10)

show zoneset vsan 10 (display the zoneset, zone names and WWNs in each zone)

show fcalias vsan 10 (display the human-friendly alias for each WWN in VSAN 10)

ENABLE A NEW PORT

Before you can create your zones, the device connected to the FC switch will need to complete its fabric login (FLOGI) so you can see its WWPN. Before it can do that, the port itself will need to be enabled:

conf t
interface fc1/21       (where 21 is the port number)
no shutdown            (obviously!)
exit

more here

ZONING

If you have to do some CISCO zoning at the command line here are a few of my favorite commands;

original cisco doc here

To create an alias:

conf t
fcalias name {alias_name} vsan {vsan_number}
member pwwn {wwpn}
exit

To create a zone (member needs the type keyword, here fcalias; pwwn works too):

conf t
zone name {zone_name} vsan {vsan_number}
member fcalias {alias_name}
member fcalias {alias_name}
.
.
exit

To add it to the zoneset:

conf t
zoneset name {zoneset_name} vsan {vsan_number}
member {zone_name}
.
.
exit

To activate the zoneset (this replaces the active zoneset for that VSAN, so every zone you still need must be a member):

conf t
zoneset activate name {zoneset_name} vsan {vsan_number}
exit

Save the configuration:

copy running-config startup-config
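An added example, not from the post or from Cisco: it parses the output of show flogi database and show interface description (two constructed samples built from the post's lines plus a made-up VNX SP port on fc1/5) into fcalias, zone and zoneset commands, so that the WWPN in each alias is the one the switch actually sees and every zone pairs one host port with one array port (single-initiator zoning, which keeps a misbehaving HBA from disturbing other hosts). port_for_pwwn answers the check from the cabling post: is the WWPN shown in Unisphere logged in, and on which port. Interface descriptions double as alias names, so they need to be valid NX-OS names. Review the printed commands before pasting them into conf t.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): build fcalias / zone / zoneset
commands from the switch's own 'show flogi database' and 'show interface
description' output, so each alias carries the WWPN actually logged in and
each zone holds exactly one initiator and one target.

Assumptions: the FLOGI lines are the two from the post plus a constructed
array port on fc1/5 (WWPN 50:06:01:60:3b:a0:12:34 is made up); interface
descriptions are used as alias names, so they must be valid NX-OS names.
"""
import re
from dataclasses import dataclass

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
FLOGI_LINE = re.compile(
    rf"^(fc\d+/\d+)\s+(\d+)\s+(0x[0-9a-f]+)\s+({WWN})\s+({WWN})\s*$", re.I | re.M)
DESC_LINE = re.compile(r"^(fc\d+/\d+)\s+(\S+)\s*$", re.M)


@dataclass
class Login:
    interface: str
    vsan: int
    fcid: str
    pwwn: str
    nwwn: str


def _port_key(name):
    """Sort fc1/10 after fc1/2, not before it."""
    return [int(x) for x in re.findall(r"\d+", name)]


def parse_flogi(text):
    """'show flogi database' -> {interface: Login}; headers and totals are ignored."""
    return {m[1]: Login(m[1], int(m[2]), m[3].lower(), m[4].lower(), m[5].lower())
            for m in FLOGI_LINE.finditer(text)}


def parse_descriptions(text):
    """'show interface description' -> {interface: description}; '--' means none."""
    return {m[1]: m[2] for m in DESC_LINE.finditer(text) if m[2] != "--"}


def port_for_pwwn(logins, pwwn):
    """Which port a WWPN taken from Unisphere is logged in on, or None if it is not."""
    pwwn = pwwn.lower()
    return next((l.interface for l in logins.values() if l.pwwn == pwwn), None)


def fcalias_commands(logins, descriptions):
    """One fcalias per described, logged-in port, named after the description."""
    cmds = []
    for intf in sorted(logins, key=_port_key):
        alias = descriptions.get(intf)
        if alias is None:
            continue                     # undescribed port: nobody has claimed it yet
        cmds += [f"fcalias name {alias} vsan {logins[intf].vsan}",
                 f"  member pwwn {logins[intf].pwwn}", "exit"]
    return cmds


def single_initiator_zones(vsan, initiators, targets):
    """One zone per (host alias, array alias) pair; returns commands and zone names."""
    cmds, names = [], []
    for host in initiators:
        for target in targets:
            names.append(f"{host}_{target}")
            cmds += [f"zone name {host}_{target} vsan {vsan}",
                     f"  member fcalias {host}", f"  member fcalias {target}", "exit"]
    return cmds, names


def zoneset_commands(zoneset, vsan, zone_names, activate=True):
    """Collect zones into a zoneset and (optionally) activate it."""
    cmds = [f"zoneset name {zoneset} vsan {vsan}"] + [f"  member {z}" for z in zone_names] + ["exit"]
    if activate:
        cmds.append(f"zoneset activate name {zoneset} vsan {vsan}")
    return cmds


# Constructed sample output: the post's two host ports plus an invented VNX SP port
FLOGI_SAMPLE = """\
---------------------------------------------------------------------------
INTERFACE        VSAN    FCID           PORT NAME               NODE NAME
---------------------------------------------------------------------------
fc1/1            60    0xad04d1  50:05:07:61:13:61:a6:33 51:01:07:63:11:20:a6:33
fc1/2            60    0xad0012  50:05:07:63:12:13:51:37 50:01:07:61:12:03:55:37
fc1/5            60    0xad0100  50:06:01:60:3b:a0:12:34 50:06:01:60:bb:a0:12:34

Total number of flogi = 3.
"""
DESC_SAMPLE = """\
-------------------------------------------------------------------------------
Interface    Description
-------------------------------------------------------------------------------
fc1/1        L5500_CyberfellaTD1_1_A
fc1/2        L5500_CyberfellaTD2_1_A
fc1/5        VNX_SPA0
fc1/6        --
"""

if __name__ == "__main__":
    logins, desc = parse_flogi(FLOGI_SAMPLE), parse_descriptions(DESC_SAMPLE)
    zones, names = single_initiator_zones(60, [desc["fc1/1"], desc["fc1/2"]], [desc["fc1/5"]])
    print("\n".join(["conf t"] + fcalias_commands(logins, desc) + zones
                    + zoneset_commands("ZS_FabricA", 60, names)
                    + ["copy running-config startup-config"]))
```

Paste real session output into the two sample strings (or read it from the PuTTY log) and check port_for_pwwn for each WWPN from Unisphere before generating anything; a None there means the cabling or the port state is wrong, not the zoning.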

Displaying Zone Information

You can view any zone information by using the show command. If you request information for a specific object (for example, a specific zone, zone set, VSAN, alias, or even a keyword like brief or active), only information for the specified object is displayed. If you do not request specific information, all available information is displayed. Table 4-1 lists the show commands and the information they display.

Table 4-1 show zone and show zoneset Commands

show command                                    Description
show zone                                       Displays zone information for all VSANs.
show zone vsan 1                                Displays zone information for a specific VSAN.
show zoneset vsan 1                             Displays information for the configured zone set.
show zoneset vsan 2-3                           Displays configured zone set information for a range of VSANs.
show zone name Zone1                            Displays the members of a zone.
show fcalias vsan 1                             Displays the fcalias configuration.
show zone member pwwn 21:00:00:20:37:9c:48:e5   Displays membership status.
show zone statistics                            Displays zone statistics.
show zone statistics read-only-zoning           Displays read-only zoning statistics.
show zoneset active                             Displays active zone sets.
show zoneset brief                              Displays brief descriptions of zone sets.
show zone active                                Displays active zones.
show zone status                                Displays zone status.
show running                                    Displays the interface-based zones.