1 Reply Latest reply: Feb 6, 2012 11:20 AM by user11350009

    Solaris9 branded zone (p2v): User's unable to login

    896372
      I recently created 2 new solaris9 branded whole root zones for the purpose of moving 2 existing servers off old hardware (new hardware is T5120). Due to some restrictions of the legacy software I cannot upgrade to S10/11. Being new to zones, I closely followed the Oracle docs for p2v migration and solaris9 branded zones (http://docs.oracle.com/cd/E22645_01/html/820-4490/toc.html) and this guide: http://unixprompt.blogspot.com/2010/11/zones-physical-to-virtual-p2v-migration.html.

      The creation seemed to go very well with no noticeable errors. The machines were installed using the flash archive and were able to be booted. However, I have several issues. First, users cannot log in to the new virtual machines either via the console (zlogin -C/zlogin -l [USER]) or SSH, but root can log in locally and su to other user accounts.

      Local logins (zlogin -l [USER]) result in:
      -----
      # zlogin -l username zonename
      [Connected to zone 'zonename' pts/3]
      Login incorrect

      [Connection to zone 'zonename' pts/3 closed]
      -----

      SSH connections are prompted for a password, but passwords are never accepted, resulting in failure due to too many failed login attempts. On the server side I see messages such as this:
      -----
      Jan 12 12:28:58 zonename sshd[7493]: [ID 800047 auth.notice] Failed keyboard-interactive for username from xxx.xxx.xxx.xxx port 51131 ssh2
      Jan 12 12:28:59 zonename sshd[7493]: [ID 621659 auth.debug] pam_login_limit(auth): option 'debug'
      Jan 12 12:28:59 zonename sshd[7493]: [ID 804812 auth.debug] pam_login_limit(auth): option 'count' (4)
      Jan 12 12:28:59 zonename sshd[7493]: [ID 621659 auth.debug] pam_login_limit(auth): option 'lock_account'
      Jan 12 12:28:59 zonename sshd[7493]: [ID 550452 auth.crit] pam_login_limit(auth): control file cannot contain ACL entries
      Jan 12 12:28:59 zonename sshd[7493]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[3] while authenticating: Error in underlying service module
      Jan 12 12:28:59 zonename sshd[7493]: [ID 800047 auth.notice] Failed keyboard-interactive for username from xxx.xxx.xxx.xxx port 51131 ssh2
      Jan 12 12:28:59 zonename sshd[7493]: [ID 800047 auth.info] Disconnecting: Too many authentication failures for username
      -----

      I attempted to troubleshoot the issue further using 'snoop' but, even though ifconfig shows the available interfaces (e1000g0:1 and e1000g1:1) and I can ping the gateways, snoop complains that there are no network devices on which to snoop.

      My gut instinct tells me that there is an issue with the network settings of the virtual machines, the host machine, or both in addition to permissions issues with /etc on the virtual machine.

      Insight and help would be appreciated.

      In addition to login issues, various applications are having issues, most notably 'audit' and the webserver (Sun One 6.1). Audit keeps reporting the inability to read/write:
      -----
      Jan 12 15:07:29 zonename root: [ID 702911 daemon.alert] audit failed to start because it cannot read or write the system's audit state. This may be due to a configuration error. Must reboot to start auditing!
      -----

      The webserver simply coredumps shortly after starting and I have been unable to glean anything useful from the coredump files other than it goes down on a signal 15 or a signal 18.

      Below is the config for the zone:
      -----
      create -b
      set zonepath=/zones/zonename
      set brand=solaris9
      set autoboot=true
      set ip-type=shared
      add net
      set address=xxx.xxx.xxx.xxx
      set physical=e1000g0
      end
      add net
      set address=xxx.xxx.xxx.xxx
      set physical=e1000g1
      end
      add attr
      set name=hostid
      set type=string
      set value=xxxxxxxx
      end
      add attr
      set name=machine
      set type=string
      set value=sun4u
      end
      -----
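
The sshd excerpt in the post above contains an auth.crit message from pam_login_limit and "Error in underlying service module" alongside the "Failed keyboard-interactive" lines, which points to a PAM module error rather than a rejected password. The following triage script is an added example, not part of the original post; the session with pid 7601 is a constructed contrast case and the function and variable names are illustrative.

```python
import re
from collections import defaultdict

# Solaris syslog with message IDs: "Mon DD HH:MM:SS host proc[pid]: [ID n fac.level] text"
LINE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]:\s"
    r"\[ID \d+ (?P<fac>\w+)\.(?P<lvl>\w+)\]\s(?P<msg>.*)$")
PAM_MSG = re.compile(r"^(?P<module>pam_\w+)\((?P<stack>\w+)\):\s(?P<text>.*)$")
FAULT_LEVELS = {"emerg", "alert", "crit", "err"}

def triage(lines):
    """Group auth messages per process id and classify why each session failed."""
    sessions = defaultdict(lambda: {"failed": 0, "faults": [], "service_error": False})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or m["fac"] != "auth":
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        pam = PAM_MSG.match(msg)
        if pam and m["lvl"] in FAULT_LEVELS:
            # A PAM module logging at err or above is a module fault, not a bad password.
            s["faults"].append((pam["module"], pam["text"]))
        elif "Error in underlying service module" in msg:
            s["service_error"] = True
        elif msg.startswith("Failed "):
            s["failed"] += 1
    report = {}
    for pid, s in sessions.items():
        if s["faults"] or s["service_error"]:
            verdict = "pam-module-fault"
        elif s["failed"]:
            verdict = "credential-failure"
        else:
            verdict = "no-failure"
        report[pid] = {"verdict": verdict, "failed": s["failed"], "faults": s["faults"]}
    return report

# Lines copied from the post above (pid 7493).
PAGE_LINES = """\
Jan 12 12:28:58 zonename sshd[7493]: [ID 800047 auth.notice] Failed keyboard-interactive for username from xxx.xxx.xxx.xxx port 51131 ssh2
Jan 12 12:28:59 zonename sshd[7493]: [ID 621659 auth.debug] pam_login_limit(auth): option 'debug'
Jan 12 12:28:59 zonename sshd[7493]: [ID 550452 auth.crit] pam_login_limit(auth): control file cannot contain ACL entries
Jan 12 12:28:59 zonename sshd[7493]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[3] while authenticating: Error in underlying service module
Jan 12 12:28:59 zonename sshd[7493]: [ID 800047 auth.notice] Failed keyboard-interactive for username from xxx.xxx.xxx.xxx port 51131 ssh2
""".splitlines()
# Constructed contrast case: a session with a failed attempt and no PAM fault.
CONSTRUCTED = ["Jan 12 12:40:01 zonename sshd[7601]: [ID 800047 auth.notice] "
               "Failed keyboard-interactive for username from xxx.xxx.xxx.xxx port 51200 ssh2"]

if __name__ == "__main__":
    for pid, info in triage(PAGE_LINES + CONSTRUCTED).items():
        print(pid, info)
```
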
        • 1. Re: Solaris9 branded zone (p2v): User's unable to login
          user11350009
          I did things a little differently than you during the zone configuration and it works for me.

          # zonecfg -z some_non_global_zone_name
          some_non_global_zone_name: No such zone configured
          Use 'create' to begin configuring a new zone.

          zonecfg:some_non_global_zone_name> create -t SUNWsolaris9 <== use the "-t" option

          set zonepath=/zones/zonename
          set brand=solaris9
          set autoboot=true
          set ip-type=shared
          add net
          set address=xxx.xxx.xxx.xxx
          set physical=e1000g0
          end
          add net
          set address=xxx.xxx.xxx.xxx
          set physical=e1000g1
          end
          add attr
          set name=hostid
          set type=string
          set value=xxxxxxxx
          end
          add attr
          set name=machine
          set type=string
          set value=sun4u
          end