Oracle Database Discussions


virtualization or no-virtualization

chijar, Jan 23 2014 (edited Jan 23 2014)

Dear all.

We must install 2 databases (10.2.0.1 and 10.2.0.5): test and production. Both OLTP and no more than 200 GB each. Obviously the prod environment will be configured in archive log mode, and test in noarchive log mode.

But we have a doubt about this:

- We will receive a server with the following resources:

  • 16 GB RAM
  • Xeon processor, 2.66 GHz, quad core
  • 500 GB storage

In order to get the most reliable configuration what option do you recommend?

  1. Install Solaris 10 OS, then install the Oracle software and the 2 databases; or
  2. Install Solaris 10 OS and virtualization software, create two virtual machines, two Oracle software installations, and finally each database in its own VM?

I would like to get a configuration where the production environment performance cannot be affected by the test environment.

What do you think?

Thank you for your responses.

This post has been answered by JustinCave on Jan 23 2014

Comments

807559
Not a lot of consolation but we too get something very much akin to that using Solaris 9 and PAM pointing to ldap (with an Active Directory holding the account info). Instead of kerberos (which we can't use) we have tls.

Sun inform us it's a configuration issue (hence we'd need to pay for professional services and not get any 'free' support via our Gold plus support contract).
807559
I dug up my old notes and saw:

This seems to be related to LDAP+TLS...
PAM: do_pam_account pam_acct_mgmt = 13 (No account present for user)

I have been switching systems over to LDAP for NSS and krb5 for auth. Made things much nicer. AD is LDAP/krb5 and users can use the Quest PuTTY for passwordless logins. My pam.conf is overly simplified...

other auth sufficient pam_krb5.so.1 (this being the only change I made)
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
807559
Thanks for the replies so far.

That block in /etc/pam.conf doesn't solve my problem.

With a bit of playing, I seem to have tracked the problem down to this line:

other account required pam_unix_account.so.1 debug

If I change that to 'optional' OR comment it out entirely, I get the following error:

sshd[908]: [ID 430221 auth.error] load_modules: no module present
sshd[908]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[4] while authorizing: System error

If I change it back to 'required' (or uncomment it to make it live again) the error changes to the one I reported in the original post:

sshd[913]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
sshd[913]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authorizing: No account present for user

Of course, the man page for pam_unix_account reads like something written by a 1st year English as a Second Language student and is extremely terse at that.

I've opened a Sun Support ticket on this. We'll see how far I get...
807559
My Solaris 9 pam.conf in that section:

other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1

Are you using TLS+LDAP? If so, can you turn that off?
807559
No TLS in use (nothing in LDAP to protect yet). No passwords anywhere except in Kerberos.

That's exactly what I have for 'other account' too.

Would you mind emailing me your entire pam.conf and nsswitch.conf that works for you? jblaine AT kickflop.net
807559
Here is what I have in terms of changes from the defaults...

nsswitch.conf:
passwd: files ldap
group: files ldap
hosts: files dns

pam.conf:
login auth sufficient pam_krb5.so.1
other auth sufficient pam_krb5.so.1

Everything else is from the original pam.conf. I can still send exactly what I have though. I did do something different with LDAP though, now that I think about it. I'm using PADL nss_ldap. The ldapclient provided by Solaris I haven't really liked, so I build OpenLDAP libs + SASL + SSL, and then PADL's nss_ldap.
807559
Silly me.

I made the assumption that since I am doing auth via Kerberos there is no reason to make accounts belong to objectClass 'shadowAccount' and also have a userPassword attribute.

I have zero desire to have these, but apparently they are required by one of the Solaris PAM modules in order to 'officially' have an account.

SMIRK

Problem solved. Note, however, that I am not sure if BOTH are required or just maybe 1 of the 2 items. If I bother to figure that out I will reply here.

Again, thanks for all of the replies!
807559
I would have both. Is your LDAP server OpenLDAP/AD/SunONE/etc.?
807559
OpenLDAP

As far as I'm concerned, it's a bug.
807559
Confirmed: objectClass shadowAccount is all that is required.

userPassword is not required.
807559
userPassword is an attribute though (part of quite a few objectClasses, as an optional attribute), and I agree it isn't required to be set, unless auth was via LDAP.

So I thought "both" was in relation to the posixAccount+shadowAccount objectClasses, not userPassword+shadowAccount.

What version of OpenLDAP do you run? Nice to see others using it.
807559
2.4.9 is what we're starting with. The admin guide is a bit overwhelming, but I have LDAP System Administration and "Understanding and Deploying LDAP" to help me along some.

We had to alter the default nis.schema to allow RFC2307bis-compatible nisNetgroupTriple objects so that underscores are valid (they're not valid in RFC2307's definition of nisNetgroupTriple).
807559
Some interesting comments which I may try and play with (if I am allowed to do so!).

We are stuck with LDAP/TLS as the ldapclient points to a W2K box with AD and the extensions for Unix. It is further complicated by the fact that the usernames are all numeric.
807559
cjblaine4,

It's possible I'm stuck where you were. I'm attempting LDAP/Kerberos with a Solaris 9 client. I'm certain Kerberos is set up correctly. I can kinit just fine, I have a valid keytab, etc. But I still cannot get logged in as a valid user yet. I get a message now and then that says "no account present for user". Also, "getent passwd user" works great, and su - user works fine too.

FYI, we are authenticating to active directory, and the nss bit is on fedora directory server.

Please help :) If you want to email directly please do so here: phlite at gmail.com . Thanks a bunch!
807559
Hi phlite,

Well, my problem was immediately solved when I added 'objectClass: shadowAccount' to my entries. Do you have that?
807559
Hi, thanks for the reply ...

I'm not sure if I'm understanding correctly. Are you saying that /etc/ldap.conf needs extra NS_LDAP_OBJECTCLASSMAP for shadow? Or are you saying that in the ldap directory you need to add the object class shadow account to the user? Thanks.
807559
Each user entry needs to have 'objectClass: shadowAccount' in the directory.
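As an added pre-flight check (example code written for this thread, not something any poster supplied), the script below parses a Solaris-style pam.conf and an LDIF user entry and flags the two failure modes discussed above: an account stack without an effective pam_unix_account.so.1 (the "load_modules: no module present" path) and a directory entry lacking objectClass shadowAccount (the "No account present for user" path). The pam.conf text and the jdoe entry are constructed samples.

```python
import re

# Constructed samples, shaped like the pam.conf lines and directory entries the
# posters describe (not copied from any real system).
SAMPLE_PAM_CONF = """\
login  auth     sufficient pam_krb5.so.1
other  auth     sufficient pam_krb5.so.1
other  auth     requisite  pam_authtok_get.so.1
other  auth     required   pam_unix_auth.so.1
other  account  requisite  pam_roles.so.1
other  account  required   pam_projects.so.1
# other account required pam_unix_account.so.1 debug
"""

SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: jdoe
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/jdoe
"""

def parse_pam_conf(text):
    """Return (service, type, control, module) for every active pam.conf line."""
    rows = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments and blank lines
        if len(fields) >= 4:
            rows.append(tuple(fields[:4]))
    return rows

def account_stack_problems(text, service="other"):
    """Flag the account-stack mistakes the thread ran into."""
    stack = [r for r in parse_pam_conf(text) if r[0] == service and r[1] == "account"]
    problems = []
    if not stack:  # nothing to load: sshd logs 'load_modules: no module present'
        problems.append("no account modules for service %r" % service)
    # The thread reports that 'optional' behaved like a missing module here.
    if not any(r[3].startswith("pam_unix_account") and r[2] != "optional" for r in stack):
        problems.append("pam_unix_account.so.1 missing or optional in account stack")
    return problems

def missing_object_classes(ldif):
    """posixAccount feeds NSS; shadowAccount is what pam_unix_account needs (per thread)."""
    found = {m.group(1).lower() for m in re.finditer(r"^objectClass:\s*(\S+)", ldif, re.M | re.I)}
    return [oc for oc in ("posixAccount", "shadowAccount") if oc.lower() not in found]
```

Run the two checks against an ldapsearch -LLL export of the user and the live /etc/pam.conf before touching the stack, so a login failure can be attributed to the directory entry or to the PAM file rather than to Kerberos.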
807559
OK, I'll look into adding this, thanks a lot!
807559
I did add the shadowAccount object class to the user but it still doesn't work. I wonder if I could get hold of a pam.conf that is set up correctly for Kerberos? Also I wonder if it's possible to use a debug mode to see more information... thanks.
807559
I figured it out .. thanks.
807559
Glad to hear it. Was it something embarrassing, or was it something worth sharing for others who find this thread down the road?
807559
The shadowAccount object class was key. Also, I needed to do some schema changes on my LDAP server (fedora-ds). Had to do some tweaks to /var/ldap/ldap_client_file too. This document was extremely helpful for me: http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm
Post Details

Locked on Feb 20 2014
Added on Jan 23 2014