System Administration Guide,

Volume II

Sun Microsystems, Inc.

901 San Antonio Road
Palo Alto, CA 94043
U.S.A.
Part No: 805-3728–10
October 1998
Copyright 1998 Sun Microsystems, Inc. 901 San Antonio Road, Palo Alto, California 94303-4900 U.S.A. All rights reserved.
This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and
decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of
Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.
Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered
trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.
Sun, Sun Microsystems, the Sun logo, SunSoft, SunDocs, SunExpress, Solstice, Solstice AdminSuite, Solstice Disk Suite, Solaris Solve, Java,
JavaStation, DeskSet, OpenWindows and Solaris are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. in the
U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC
International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun
Microsystems, Inc. DecWriter, LaserWriter, Epson, NEC, Adobe
TM
The OPEN LOOK and Sun Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun
acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the
computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s
licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.
RESTRICTED RIGHTS: Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227–14(g)(2)(6/87) and
FAR 52.227–19(6/87), or DFAR 252.227–7015(b)(6/95) and DFAR 227.7202–3(a).
DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES,
INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID.

Copyright 1998 Sun Microsystems, Inc. 901 San Antonio Road, Palo Alto, Californie 94303-4900 Etats-Unis. Tous droits réservés.
Ce produit ou document est protégé par un copyright et distribué avec des licences qui en restreignent l’utilisation, la copie, la
distribution, et la décompilation. Aucune partie de ce produit ou document ne peut être reproduite sous aucune forme, par quelque
moyen que ce soit, sans l’autorisation préalable et écrite de Sun et de ses bailleurs de licence, s’il y en a. Le logiciel détenu par des tiers, et
qui comprend la technologie relative aux polices de caractères, est protégé par un copyright et licencié par des fournisseurs de Sun.
Des parties de ce produit pourront être dérivées du système Berkeley BSD licenciés par l’Université de Californie. UNIX est une marque
déposée aux Etats-Unis et dans d’autres pays et licenciée exclusivement par X/Open Company, Ltd.
Sun, Sun Microsystems, le logo Sun, SunSoft, SunDocs, SunExpress, Solstice, Solstice AdminSuite, Solstice DiskSuite, Solaris Solve, Java,
JavaStation, DeskSet, OpenWindows et Solaris sont des marques de fabrique ou des marques déposées, ou marques de service, de Sun
Microsystems, Inc. aux Etats-Unis et dans d’autres pays. Toutes les marques SPARC sont utilisées sous licence et sont des marques de
fabrique ou des marques déposées de SPARC International, Inc. aux Etats-Unis et dans d’autres pays. Les produits portant les marques
SPARC sont basés sur une architecture développée par Sun Microsystems, [Link], LaserWriter, Epson, NEC, Adobe
L’interface d’utilisation graphique OPEN LOOK et SunTM a été développée par Sun Microsystems, Inc. pour ses utilisateurs et licenciés.
Sun reconnaît les efforts de pionniers de Xerox pour la recherche et le développement du concept des interfaces d’utilisation visuelle ou
graphique pour l’industrie de l’informatique. Sun détient une licence non exclusive de Xerox sur l’interface d’utilisation graphique Xerox,
cette licence couvrant également les licenciés de Sun qui mettent en place l’interface d’utilisation graphique OPEN LOOK et qui en outre
se conforment aux licences écrites de Sun.
CETTE PUBLICATION EST FOURNIE “EN L’ETAT” ET AUCUNE GARANTIE, EXPRESSE OU IMPLICITE, N’EST ACCORDEE, Y
COMPRIS DES GARANTIES CONCERNANT LA VALEUR MARCHANDE, L’APTITUDE DE LA PUBLICATION A REPONDRE A UNE
UTILISATION PARTICULIERE, OU LE FAIT QU’ELLE NE SOIT PAS CONTREFAISANTE DE PRODUIT DE TIERS. CE DENI DE
GARANTIE NE S’APPLIQUERAIT PAS, DANS LA MESURE OU IL SERAIT TENU JURIDIQUEMENT NUL ET NON AVENU.

Please
Recycle
 Contents

About This Book xxix

Part I Managing Printing Services

1. Print Management (Overview) 3

The Solaris Print Software 3

Redesign of Print Packages 4

Print Protocol Adaptor 5

Using Print Clients 5

Enhanced Network Printer Support 6

Printing in the Solaris Operating Environment 6

Choosing a Method to Manage Printers 7

The LP Print Service 8

Managing Network Printers 9

Administering Printers 9

Setting Definitions for Printers 9

Administering Character Sets, Filters, Forms, and Fonts 10

Customizing the LP Print Service 10

Using the Print Client Software 10

The Print Client Process 11

Print Clients 11

Contents iii
 Printer Configuration Resources 12

Using Print Servers 15

2. Planning Printers on Your Network (Overview) 17

Distributing Printers on the Network 17

Assigning Print Servers and Print Clients 18

Print Server Requirements and Recommendations 20

Spooling Space 20

Disk Space 20

Memory 21

Swap Space 21

Hard Disk 21

Planning for Printer Setup 21

Setting Definitions for Printers 21

Selecting a Printer Type 25

Selecting a File Content Type 26

3. Setting Up Printers (Tasks) 29

Updating Print Clients to Access Existing Printers 30

Updating Print Clients to Access Existing Printers Task Map 30

Converting Existing Printer Configuration Information 31

H How to Convert Printer Information For a System Running the SunOS 5.5.1
Release or Compatible Versions 32

H How to Convert Printer Information For a System Running the SunOS 4.1
Release 32

Setting Up Printing 33

Setting Up Printing Task Map 33

Starting Admintool 35

H How to Start Admintool 35

Setting Up a Print Server 36

H How to Add a Local Printer Using Admintool 36

iv System Administration Guide, Volume II ♦ October 1998

 H How to Add a Local Printer Using LP Commands 38

Setting Up a Print Client 41

H How to Add Printer Access on the Print Client Using Admintool 42

H How to Add Access on the Print Client using LP Commands 43

Adding Access to a Remote Printer Using a Name Service 44

H How to Add Domain-Wide Access to a Printer using NIS 44

H How to Add Domain-Wide Access to a Printer using NIS+ 45

Enabling Print Clients to Access Existing Printers 46

H How to Use the /etc/[Link] File to Load NIS 46

H How to Use the /etc/[Link] File to Load NIS+ 47

Setting Up a .printers File 47

(Optional) How to Set Up a .printers File 48

Adding a Network Printer 48

Printer Vendor Supplied Software for Network Printers 50

Sun Support for Network Printers 50

Invoking the Network Printer Support 50

Selecting the Protocol 50

Selecting the Printer Node Name 51

Selecting the Network Printer Access Name 51

Setting the Timeout Value 52

Managing Network Printer Access 52

H How to Add a Network Printer Using Printer Vendor Supplied Tools 53

H How To Add A Network Printer Using LP Commands 54

4. Administering Printers (Tasks) 59

Managing Printers and the Print Scheduler 60

Deleting Printers and Printer Access 60

H How to Delete a Printer and Remote Printer Access 60

Checking Printer Status 63

Contents v
 H How to Check the Status of Printers 63

Restarting the Print Scheduler 65

H How to Stop the Print Scheduler 65

H How to Restart the Print Scheduler 66

Setting or Resetting Miscellaneous Printer Definitions 66

H How to Add a Printer Description 66

Setting Up a Default Printer Destination 67

H How to Set a System’s Default Printer 68

Printing Banner Pages 68

H How to Make Banner Pages Optional 69

H How to Turn Off Banner Pages 70

Setting Up Printer Classes 70

H How to Define a Class of Printers 71

Setting Up Printer Fault Alerts 71

H How to Set Fault Alerts for a Printer 72

Setting Up Printer Fault Recovery 73

H How to Set Printer Fault Recovery 75

Limiting User Access to a Printer 75

H How to Limit User Access to a Printer 77

Managing Print Requests 78

H How to Check the Status of Print Requests 79

Processing or Stopping Printing 81

H How to Accept or Reject Print Requests for a Printer 81

Accepting or Rejecting Print Requests 82

H How to Enable or Disable a Printer 84

Canceling a Print Request 85

H How to Cancel a Print Request 85

H How to Cancel a Print Request From a Specific User 86

vi System Administration Guide, Volume II ♦ October 1998

 Moving a Print Request 87

H How to Move Print Requests to Another Printer 88

Changing the Priority of Print Requests 89

H How to Change the Priority of a Print Request 89

5. Managing Character Sets, Filters, Forms, and Fonts (Tasks) 91

Managing Character Sets 92

Selectable Character Sets 92

Hardware-Mounted Character Sets 93

Tracking Print Wheels 94

Alerts for Mounting Print Wheels or Cartridges 94

H How to Define a Print Wheel or Font Cartridge 94

H How to Unmount and Mount a Print Wheel or Font Cartridge 95

H How to Set an Alert to Mount a Print Wheel or Font Cartridge 96

H How to Set Up an Alias for a Selectable Character Set 98

Managing Print Filters 100

Creating Print Filters 100

Adding, Changing, Removing, and Restoring Print Filters 101

H How to Add a Print Filter 102

H How to Delete a Print Filter 103

H How to View Information About a Print Filter 103

Managing Forms 105

Adding, Changing, or Deleting Forms 105

Mounting Forms 106

Tracking Forms 106

Defining Alerts for Mounting Forms 106

Checking Forms 106

Limiting Access to Forms 107

H How to Add a Form 107

Contents vii
 H How to Delete a Form 108

H How to Unmount and Mount a Form 108

H How to Set an Alert to Mount a Form 110

H How to View Information About a Form 112

H How to View the Current Status of a Form 113

H How to Limit User Access to a Form 113

H How to Limit Printer Access to a Form 114

Managing Fonts 115

Managing Printer-Resident Fonts 116

Downloading Host-Resident Fonts 117

Installing and Maintaining Host-Resident Fonts 117

H How to Install Downloaded PostScript Fonts 118

H How to Install Host-Resident PostScript Fonts 118

6. Customizing the LP Print Service (Tasks) 121

Adjusting Printer Port Characteristics 121

H How to Adjust the Printer Port Characteristics 123

Adding a terminfo Entry for an Unsupported Printer 124

H How to Add a terminfo Entry for an Unsupported Printer 127

Customizing the Printer Interface Program 128

The Standard Printer Interface Program 129

Customizing stty Modes 129

Exit Codes 130

Fault Messages 131

Using a Customized Printer Interface Program 131

H How to Set Up a Custom Printer Interface Program 131

Creating a New Print Filter 133

Writing a Print Filter Program 133

Creating a Print Filter Definition 136

viii System Administration Guide, Volume II ♦ October 1998

 H How to Create a New Print Filter 142

Creating a New Printer Form 144

H How to Create a New Form Definition 147

7. LP Print Service Reference Information 149

The LP Print Service 149

The Structure of the LP Print Service 150

LP Print Service Commands 158

Functions of the LP Print Service 160

How LP Administers Files and Schedules Local Print Requests 160

Scheduling Network Print Requests 162

Filtering Print Files 162

What the Printer Interface Program Does 162

How the lpsched Daemon Tracks the Status of Print Requests 163

Cleaning Out Log Files 163

H How to Change Frequency of Printer Request Log Rotation 164

How Local Printing Works 164

How Remote Printing Works 165

Part II Working With Remote Systems

8. Working With Remote Systems (Tasks) 171

Logging In to a Remote System (rlogin) 172

Authentication for Remote Logins (rlogin) 172

Linking Remote Logins 175

Direct vs. Indirect Remote Logins 176

What Happens After You Log In Remotely 178

H How to Search for and Remove .rhosts Files 179

H How to Find Out If a Remote System Is Operating 180

H How to Find Who Is Logged In to a Remote System 181

H How to Log In to a Remote System (rlogin) 181

Contents ix
 H How to Log Out From a Remote System (exit) 182

Logging In to a Remote System (ftp) 183

Authentication for Remote Logins (ftp) 183

Essential ftp Commands 183

H How to Open an ftp Connection to a Remote System 185

H How to Close an ftp Connection to a Remote System 186

H How to Copy Files From a Remote System (ftp) 186

H How to Copy Files to a Remote System (ftp) 188

Remote Copying With rcp 191

Security Considerations for Copy Operations 191

Specifying Source and Target 191

H How to Copy Files Between a Local and a Remote System (rcp) 193

Part III Managing Terminals and Modems

9. Managing Terminals and Modems (Overview) 201

Terminals, Modems, Ports, and Services 201

Terminals 202

Modems 202

Ports 202

Services 203

Port Monitors 203

Tools for Managing Terminals and Modems 204

Admintool 205

Service Access Facility 206

10. Setting Up Terminals and Modems (Tasks) 207

Setting Up Terminals and Modems 207

Setting Up Terminals 210

Setting Up Modems 211

H How to Start Admintool 213

x System Administration Guide, Volume II ♦ October 1998

 H How to Set Up a Terminal 214

H How to Set Up a Modem 215

H How to Set Up a Modem for Use With UUCP 217

H How to Initialize a Port 218

H How to Disable a Port 219

H How to Remove a Port Service 220

Troubleshooting Terminal and Modem Problems 221

11. Setting Up Terminals and Modems With the Service Access Facility
(Tasks) 223

Using the Service Access Facility 223

Overall Administration: sacadm Command 225

Service Access Controller: SAC Program 225

SAC Initialization Process 225

Port Monitor Service Administrator: pmadm Command 226

A Port Monitor at Work: ttymon 226

Port Initialization Process 227

Bidirectional Service 228

Port Monitors: TTY Monitor and Network Listener 228

TTY Port Monitor: ttymon 228

ttymon and the Console Port 229

Special ttymon-Specific Administrative Command: ttyadm 230

Network Listener Service: listen 230

Special listen-Specific Administrative Command: nlsadmin 230

Administering ttymon Port Monitors 231

H How to Add a ttymon Port Monitor 231

H How to View ttymon Port Monitor Status 231

Example—Viewing ttymon Port Monitor Status 232

H How to Stop a ttymon Port Monitor 233

Contents xi
 H How to Start a ttymon Port Monitor 233

H How to Disable a ttymon Port Monitor 233

H How to Enable a ttymon Port Monitor 233

H How to Remove a ttymon Port Monitor 234

Administering ttymon Services 234

H How to Add a Service 234

H How to View the Status of a TTY Port Service 236

Example—Viewing the Status of a TTY Port Monitor Service 237

H How to Enable a Port Monitor Service 238

H How to Disable a Port Monitor Service 239

Reference Material for Service Access Facility Administration 239

Files Associated With SAF 239

The /etc/saf/_sactab File 240

The /etc/saf/pmtab/_pmtab File 241

Service States 242

Port Monitor States 242

Port States 243

Part IV Managing System Security

12. Managing System Security (Overview) 247

Where to Find System Security Tasks 247

Granting Access to a Computer System 248

Maintaining Physical Site Security 248

Maintaining Login and Access Control 248

Restricting Access to Data in Files 249

Maintaining Network Control 249

Monitoring System Usage 249

Setting the Correct Path 249

Securing Files 250

xii System Administration Guide, Volume II ♦ October 1998

 Installing a Firewall 250

Reporting Security Problems 250

File Security 251

File Administration Commands 251

File Encryption 251

Access Control Lists (ACLs) 252

System Security 252

Login Access Restrictions 253

Special Logins 253

Managing Password Information 254

Using the Restricted Shell 255

Tracking Superuser (Root) Login 256

Network Security 256

Firewall Systems 257

Authentication and Authorization 258

Sharing Files 260

Restricting Superuser (Root) Access 260

Using Privileged Ports 260

Using Automated Security Enhancement Tool (ASET) 261

13. Securing Files (Tasks) 263

File Security Features 263

User Classes 264

File Permissions 264

Directory Permissions 264

Special File Permissions (setuid, setgid and Sticky Bit) 265

Default umask 267

Displaying File Information 267

H How to Display File Information 267

Contents xiii
 Changing File Ownership 269

H How to Change the Owner of a File 269

H How to Change Group Ownership of a File 270

Changing File Permissions 271

H How to Change Permissions in Absolute Mode 274

H How to Change Special Permissions in Absolute Mode 275

H How to Change Permissions in Symbolic Mode 276

Searching for Special Permissions 277

H How to Find Files With setuid Permissions 277

Executable Stacks and Security 279

H How to Disable Programs From Using Executable Stacks 279

H How to Disable Executable Stack Message Logging 280

Using Access Control Lists (ACLs) 280

ACL Entries for Files 281

ACL Entries for Directories 282

H How to Set an ACL on a File 283

H How to Copy an ACL 285

H How to Check If a File Has an ACL 285

H How to Modify ACL Entries on a File 286

H How to Delete ACL Entries From a File 287

H How to Display ACL Entries for a File 288

14. Securing Systems (Tasks) 291

Displaying Security Information 291

H How to Display a User’s Login Status 291

H How to Display Users Without Passwords 293

Temporarily Disabling User Logins 293

H How to Temporarily Disable User Logins 294

Saving Failed Login Attempts 294

xiv System Administration Guide, Volume II ♦ October 1998

 H How to Save Failed Login Attempts 295

Password Protection Using Dial-Up Passwords 295

H How to Create a Dial-Up Password 298

H How to Temporarily Disable Dial-up Logins 300

Restricting Superuser (root) Access on the Console 300

H How to Restrict Superuser (root) Login to the Console 300

Monitoring Who Is Using the su Command 301

H How to Monitor Who Is Using the su Command 301

H How to Display Superuser (root) Access Attempts to the Console 302

15. Using Authentication Services (Tasks) 303

Overview of Secure RPC 303

NFS Services and Secure RPC 304

DES Encryption 304

Diffie-Hellman Authentication 305

Kerberos Version 4 308

Administering Diffie-Hellman Authentication 310

H How to Restart the Keyserver 310

H How to Set Up NIS+ Credentials for Diffie-Hellman Authentication 310

H How to Set Up NIS Credentials with Diffie-Hellman Authentication 312

H How to Share and Mount Files With Diffie-Hellman Authentication 314

Administering Kerberos Version 4 Authentication 315

H How to Share and Mount Files With Kerberos Authentication 315

H How to Acquire a Kerberos Ticket for Superuser on a Client 315

H How to Log In to Kerberos Service 316

H How to List Kerberos Tickets 317

H How to Access a Directory With Kerberos Authentication 317

H How to Destroy a Kerberos Ticket 318

Introduction to PAM 318

Contents xv
 Benefits of Using PAM 319

Overview of PAM 319

PAM Module Types 319

Stacking Feature 320

Password-Mapping Feature 320

PAM Functionality 320

PAM Library 321

PAM Modules 321

PAM Configuration File 322

Configuring PAM 328

Planning for PAM 328

H How to Add a PAM Module 329

H How to Prevent Unauthorized Access from Remote Systems with PAM 329

H How to Initiate PAM Error Reporting 329

16. Using Automated Security Enhancement Tool (Tasks) 331

Automated Security Enhancement Tool (ASET) 331

ASET Security Levels 332

ASET Tasks 333

ASET Execution Log 335

ASET Reports 336

ASET Master Files 339

ASET Environment File (asetenv) 340

Configuring ASET 340

Restoring System Files Modified by ASET 343

Network Operation Using the NFS System 343

Environment Variables 344

ASET File Examples 348

Running ASET 350

xvi System Administration Guide, Volume II ♦ October 1998

 H How to Run ASET Interactively 350

H How to Run ASET Periodically 351

H How to Stop Running ASET Periodically 352

H How to Collect Reports on a Server 352

Troubleshooting ASET Problems 354

ASET Error Messages 354

Part V Managing System Resources

17. Managing System Resources (Overview) 361

Where to Find System Resource Tasks 361

What Are Quotas? 362

Executing Routine Tasks Automatically 362

Scheduling Repetitive Jobs: crontab 363

Scheduling a Single Job: at 363

What is System Accounting? 364

Accounting Components 364

How Accounting Works 365

18. Examining and Changing System Information (Tasks) 367

Using Commands to Display System Information 367

H How to Display System and Software Release Information 368

H How to Display General System Information (uname) 369

H How to Display a System’s Host ID Number 369

H How to Display a System’s Installed Memory 370

H How to Display the Date and Time 370

Using Commands to Change System Information 371

Using Network Time Protocol (NTP) in Your Networ 371

H How to Set Up a Network Time (NTP) Server 372

H How to Set Up a Network Time (NTP )Client 372

H How to Synchronize Date and Time From Another System 373

Contents xvii
 H How to Set a System’s Date and Time Manually 373

H How to Set Up a Message of the Day 374

H How to Set the Number of Processes per User 375

H How to Increase the Number of Pseudo-ttys 376

H How to Increase Shared Memory Segments 377

19. Managing Disk Use (Tasks) 381

Displaying Blocks and Files Used 381

H How to Display Information About Blocks, Files, and Disk Space 381

Checking the Size of Files 384

H How to Display the Size of Files 384

H How to Find Large Files 385

H How to Find Files That Exceed a Given Size Limit 386

Checking the Size of Directories 387

H How to Display the Size of Directories, Subdirectories, and Files 387

H How to Display the User Allocation of Local UFS File System 388

Finding and Removing Old and Inactive Files 389

H How to List the Newest Files 390

H How to Find and Remove Old or Inactive Files 390

H How to Clear Out Temporary Directories 392

H How to Find and Delete core Files 393

H How to Delete Crash Dump Files 393

20. Managing Quotas (Tasks) 395

Using Quotas 395

Soft Limits vs. Hard Limits 396

Difference Between Disk Block and File Limits 396

Setting Up Quotas 397

Guidelines for Setting Up Quotas 398

Setting Up Quotas Task Map 398

xviii System Administration Guide, Volume II ♦ October 1998

 H How to Configure File Systems for Quotas 399

H How to Set Up Quotas for a User 400

H How to Set Up Quotas for Multiple Users 401

H How to Check Quota Consistency 402

H How to Turn Quotas On 402

Checking Quotas 403

H How to Check for Exceeded Quotas 404

H How to Check Quotas on a File System 405

Changing and Removing Quotas 406

H How to Change the Soft Time Limit Default 407

H How to Change Quotas for a User 408

H How to Disable Quotas for a User 409

H How to Turn Quotas Off 410

21. Scheduling System Events (Tasks) 413

Commands for Scheduling System Events 413

Scheduling a Repetitive System Event (cron) 414

Inside a crontab File 414

How the cron Daemon Handles Scheduling 415

Syntax of crontab File Entries 416

Creating and Editing crontab Files 417

H How to Create or Edit a crontab File 417

H How to Verify a crontab File 418

Displaying crontab Files 419

H How to Display a crontab File 419

Removing crontab Files 420

H How to Remove a crontab File 420

Controlling Access to crontab 421

H How to Deny crontab Access 422

Contents xix
 H How to Limit crontab Access to Specified Users 423

H How to Verify Limited crontab Accesss 424

Scheduling a Single System Event (at) 425

at Command Description 425

H How to Create an at Job 426

H How to Display the at Queue 427

H How to Verify an at Job 427

H How to Display at Jobs 427

H How to Remove at Jobs 428

Controlling Access to at 429

H How to Deny at Access 429

H How to Verify at Access Is Denied 430

22. Managing System Accounting (Tasks) 433

Setting Up System Accounting 433

H How to Set Up System Accounting 434

Billing Users 437

H How to Bill Users 437

Maintaining Accounting Information 437

Fixing Corrupted Files and wtmp Errors 438

H How to Fix a wtmp File 438

Fixing tacct Errors 438

H How to Fix tacct Errors 439

Restarting runacct 439

H How to Restart runacct 440

Stopping and Disabling System Accounting 440

H How to Temporarily Stop System Accounting 440

H How to Permanently Disable System Accounting 441

23. System Accounting (Reference) 443

xx System Administration Guide, Volume II ♦ October 1998

 Daily Accounting 443

Connect Accounting 443

Process Accounting 444

Disk Accounting 444

Calculating User Fees 445

How Daily Accounting Works 445

Accounting Reports 447

Daily Accounting Reports 447

The runacct Program 456

Accounting Files 458

Files Produced by runacct 461

Part VI Managing System Performance

24. System Performance (Overview) 465

What’s New in Managing System Performance? 465

The pgrep and pkill Commands 466

Where to Find System Performance Tasks 467

System Performance and System Resources 467

Other Sources of Information 468

Processes and System Performance 468

Commands for Managing Processes 470

Process Scheduling Classes and Priority Levels 472

Disk I/O and System Performance 473

UFS Direct Input/Output (I/O) 473

H How to Enable Forced Direct I/O on a UFS File System 474

Memory and System Performance 475

Swap Space 475

Buffer Resources 476

Kernel Parameters and System Performance 476

Contents xxi
 About Monitoring Performance 477

Monitoring Tools 478

25. Managing Processes (Tasks) 481

Displaying Information About Processes 481

The ps Command 481

H How to List Processes 483

Displaying Information About Processes (/proc Tools) 484

H How to Display Information About Processes 485

Controlling Processes (/proc Tools) 487

H How to Control Processes 487

Killing a Process (pkill) 489

H How to Kill a Process 489

Managing Process Class Information 490

Changing the Scheduling Priority of Processes With priocntl 490

H How to Display Basic Information About Process Classes 490

H How to Display the Global Priority of a Process 491

H How to Designate a Process Priority 491

H How to Change Scheduling Parameters of a Timeshare Process 492

H How to Change the Class of a Process 493

Changing the Priority of a Timesharing Process With nice 494

H How to Change the Priority of a Process 495

Process Troubleshooting 496

26. Monitoring Performance (Tasks) 497

Displaying Virtual Memory Statistics (vmstat) 498

H How to Display Virtual Memory Statistics (vmstat) 498

H How to Display System Event Information 500

H How to Display Swapping Statistics 501

H How to Display Cache Flushing Statistics 502

xxii System Administration Guide, Volume II ♦ October 1998

 H How to Display Interrupts Per Device 502

Displaying Disk Utilization Information 503

H How to Display Disk Utilization Information 503

H How to Display Extended Disk Statistics 504

Displaying Disk Usage Statistics 506

H How to Display File System Information 506

Monitoring System Activities (sar) 507

H How to Check File Access (sar) 507

H How to Check Buffer Activity (sar) 508

H How to Check System Call Statistics (sar) 510

H How to Check Disk Activity (sar) 511

H How to Check Page-Out and Memory (sar) 513

H How to Check Kernel Memory Allocation (sar) 515

H How to Check Interprocess Communication (sar) 517

H How to Check Page-In Activity (sar) 518

H How to Check Queue Activity (sar) 520

H How to Check Unused Memory (sar) 521

H How to Check CPU Utilization (sar) 522

H How to Check System Table Status (sar) 523

H How to Check Swap Activity (sar) 525

H How to Check Terminal Activity (sar) 526

H How to Check Overall System Performance (sar) 528

Collecting System Activity Data Automatically (sar) 528

Collecting System Activity Data (sar) 529

H How to Set Up Automatic Data Collection 531

27. Monitoring Network Performance (Tasks) 533

Monitoring Network Performance 533

H How to Check the Response of Hosts on the Network 534

Contents xxiii
 H How to Send Packets to Hosts on the Network 535

H How to Capture Packets From the Network 536

H How to Check the Network Status 536

H How to Display NFS Server and Client Statistics 539

28. Tuning Kernel Parameters (Tasks) 543

Listing the Kernel Parameters 543

H How to Change the Value of a Kernel Parameter 544

H How to Set the Value of a Kernel Module Variable 544

Buffer Cache Parameters 545

UFS Parameters 545

STREAMS Parameters 546

Interprocess Communication (IPC) Parameters 546

H How to Tune the Interprocess Communication Parameters 548

Memory Management Parameters 548

H How to Tune Memory Management Parameters 549

Miscellaneous Parameters 550

H How to Tune Miscellaneous Parameters 550

29. The Scheduler (Reference) 551

About the Scheduler 551

Scheduler Activation 552

Scheduler Class Policies 552

Timesharing Class Policies 552

System Class Policies 553

Real-Time Class Policies 554

Scheduler Configuration 554

Default Global Priorities 555

Tunable Parameters 556

Scheduler Parameter Tables 558

xxiv System Administration Guide, Volume II ♦ October 1998

 Kernel-Mode Parameter Table 563

Part VII Troubleshooting Solaris Software Problems

30. Troubleshooting Software Problems (Overview) 567

Where to Find Software Troubleshooting Tasks 567

Troubleshooting a System Crash 568

What To Do if The System Crashes 568

Gathering Troubleshooting Data 569

Troubleshooting a System Crash Checklist 569

Viewing System Messages 570

H How to View System Messages 571

Customizing System Message Logging 572

H How to Customize System Message Logging 574

31. Managing System Crash Information 575

What’s New in Managing System Crash Information? 575

New System Crash Dump Features 575

The dumpadm Command 576

System Crashes 577

Crash Dump Files 577

Saving Crash Dumps 578

Managing Crash Dumps Task Map 578

H How to Display the Current Crash Dump Configuration 579

H How to Modify a Crash Dump Configuration 579

H How to Examine a Crash Dump 581

H How to Recover From a Full Crash Dump Directory (Optional) 582

H How to Disable or Enable Saving Crash Dumps (Optional) 583

32. Troubleshooting Miscellaneous Software Problems 585

What to Do If Rebooting Fails 585

What to Do If a System Hangs 586

Contents xxv
 What to Do If a File System Fills Up 587

A File System Fills Up Because a Large File or Directory Was

Created 587

The tmpfs File System Is Full Because the System Ran Out of
Memory 588

What to Do If File ACLs Are Lost After Copy or Restore 588

Troubleshooting Backup Problems 588

The root (/) File System Fills Up After You Back Up a File System 588

Make Sure the Backup and Restore Commands Match 589

Check to Make Sure You Have the Right Current Directory 589

Use the Old restore Command to Restore Multivolume Diskette

Backups 589

33. Troubleshooting File Access Problems 591

Solving Problems With Search Paths (Command not found) 591

H How to Diagnose and Correct Search Path Problems 592

Solving File Access Problems 594

Changing File and Group Ownerships 594

Recognizing Problems With Network Access 595

34. Troubleshooting Printing Problems 597

Tips on Troubleshooting 597

Troubleshooting Adding a Printer 598

Troubleshooting No Output (Nothing Prints) 598

Troubleshooting Incorrect Output 600

Troubleshooting Hung LP Print Service Commands 601

Troubleshooting Idle (Hung) Printers 602

Troubleshooting Conflicting Status Messages 603

Troubleshooting Printing Problems 603

H How to Troubleshoot No Printer Output 603

H How to Troubleshoot Incorrect Output 618

xxvi System Administration Guide, Volume II ♦ October 1998

 H How to Unhang the LP Print Service 624

H How to Troubleshoot an Idle (Hung) Printer 625

H How to Resolve Conflicting Printer Status Messages 627

35. Troubleshooting File System Problems 629

Error Messages 629

General fsck Error Messages 631

Initialization Phase fsck Messages 632

Phase 1: Check Blocks and Sizes Messages 636

Phase 1B: Rescan for More DUPS Messages 640

Phase 2: Check Path Names Messages 641

Phase 3: Check Connectivity Messages 650

Phase 4: Check Reference Counts Messages 653

Phase 5: Check Cylinder Groups Messages 657

Cleanup Phase Messages 659

36. Troubleshooting Software Administration Problems 661

Specific Software Administration Errors 661

General Software Administration Problems 662

Index 663

Contents xxvii
xxviii System Administration Guide, Volume II ♦ October 1998
About This Book

System Administration Guide, Volume II is part of a two-volume set that covers a

significant part of the SolarisTM system administration information. It includes both
SPARCTM and x86 information and describes how to use the SolsticeTM AdminSuiteTM
tools to perform some of the system administration tasks.
This book assumes that you have already installed the SunOSTM 5.7 operating system
and Solstice AdminSuite, and you have set up any networking software that you
plan to use. The SunOS 5.7 operating system is part of the Solaris 7 product family,
which also includes many utilities and OpenWindowsTM Version 3. The SunOS 5.7
operating system is compliant with AT&T’s System V, Release 4 operating system.
For the Solaris 7 release, new features interesting to system administrators are
covered in sections called What’s New in ... ? in the appropriate chapters.

Note - The term "x86" refers to the Intel 8086 family of microprocessor chips,
including the Pentium and Pentium Pro processors and compatible microprocessor
chips made by AMD and Cynix. In this document the term "x86" refers to the overall
platform architecture, whereas "Intel Platform Edition" appears in the product name.

The following table describes the system administration topics covered in System
Administration Guide, Volume I and System Administration Guide, Volume II.

About This Book xxix

 System Administration Guide, Volume I System Administration Guide, Volume II

“Managing User Accounts and Groups Chapter 1

(Overview)” in System Administration Guide,
Volume I

“Managing Server and Client Support Chapter 8

(Overview)” in System Administration Guide,
Volume I

“Shutting Down and Booting a System Chapter 9

(Overview)” in System Administration Guide,
Volume I

“Guidelines for Using CDs and Diskettes Chapter 12

(Overview)” in System Administration Guide,
Volume I

“Software Administration (Overview)” in Chapter 17

System Administration Guide, Volume I

“Device Management (Overview/Tasks)” in Chapter 24

System Administration Guide, Volume I

“Disk Management (Overview)” in System Chapter 30

Administration Guide, Volume I

“File Systems (Overview)” in System

Administration Guide, Volume I

“Backing Up and Restoring File Systems

(Overview)” in System Administration Guide,
Volume I

“The 64-bit Solaris Operating Environment”

in System Administration Guide, Volume I

xxx System Administration Guide, Volume II ♦ October 1998

Who Should Use This Book
This book is intended for anyone responsible for administering one or more systems
running the Solaris 7 release. To use this book, you should have 1-2 years of UNIX®
system administration experience and preferably a Computer Science B.S. degree or
equivalent knowledge.

How This Book Is Organized

This book is split into parts that each cover a major system administration topic.
Each part contains chapters that provide both overview and task information.

Most of the overview information about a topic is usually described in the beginning
chapters of each part, and the other chapters provide step-by-step instructions on
system administration tasks that you need to perform. Each set of steps is usually
followed by a way to verify that the task was successfully performed and an
example of how to perform the task.

Using AnswerBook2 to Read This Book TM

You can click on any cross reference, represented by underlined text, to quickly
access referenced information in the AnswerBook2 collections. To return to the
previous display, click on Back.

Ordering Sun Documents

The SunDocsTM program provides more than 250 manuals from Sun Microsystems,
Inc. If you live in the United States, Canada, Europe, or Japan, you can purchase
documentation sets or individual manuals using this program.

For a list of documents and how to order them, see the catalog section of the
SunExpressSM Internet site at [Link]

xxxi
 SPARC and x86 Information
This book provides system administration information for both SPARC and x86
systems. Unless otherwise noted, information throughout this book applies to both
types of systems. Table P–1 summarizes the differences between the SPARC and x86
system administration tasks.

TABLE P–1 SPARC and x86 System Administration Differences

Category SPARC x86

System operation before kernel 4 A programmable read-only 4 The basic input/output system
is loaded memory (PROM) chip with a (BIOS) runs diagnostics and
monitor program runs displays device information.
diagnostics and displays device A Solaris Device Configuration
information. Assistant boot diskette with the
4 It is also used to program default Multiple Device Boot (MDB)
boot parameters and test the program is used to boot from
devices connected to the system. non-default boot partitions, the
network, or CD-ROM.

Booting the system 4 Commands and options at the 4 Commands and options at the
PROM level are used to boot the MDB, primary, and secondary
system. boot subsystems level are used to
boot the system.

Boot programs 4 bootblk, the primary boot 4 mboot, the master boot record,
program, loads ufsboot. loads pboot.
4 ufsboot, the secondary boot
program loads the kernel. pboot, the Solaris partition boot
program, loads bootblk.
4 bootblk, the primary boot
program, loads ufsboot.
ufsboot, the secondary boot
program, loads the kernel.

System shutdown 4 The shutdown and init 4 The shutdown and init
commands can be used without commands are used but require
additional operation intervention. operator intervention at the type
any key to continue prompt.

Disk controllers 4 SCSI 4 SCSI and IDE

xxxii System Administration Guide, Volume II ♦ October 1998

TABLE P–1 SPARC and x86 System Administration Differences (continued)

Category SPARC x86

Disk slices and partitions 4 A disk may have a maximum of 4 A disk may have a maximum of
eight slices, numbered 0-7. four fdisk partitions.
4 The Solaris fdisk partition may 4 The Solaris fdisk partition may
contain up to ten slices, contain up to ten slices,
numbered 0-9, but only 0-7 can numbered 0-9, but only 0-7 can
be used to store user data. be used to store user data.

Diskette drives 4 Desktop systems usually contain 4 Systems may contain two
one 3.5-inch diskette drive. diskette drives: a 3.5-inch and a
5.25 inch drive.

What Typographic Changes Mean

The following table describes the typographic changes used in this book.

TABLE P–2 Typographic Conventions

Typeface or Symbol Meaning Example

AaBbCc123 The names of commands, files, Edit your .login file.

and directories; on-screen
Use ls -a to list all files.
computer output
machine_name% You have mail.

AaBbCc123 What you type, contrasted with machine_name% su

on-screen computer output
Password:

AaBbCc123 Command-line placeholder: To delete a file, type rm filename.

replace with a real name or
value

AaBbCc123 Book titles, new words or terms, Read Chapter 6 in User’s Guide.
or words to be emphasized These are called class options.
You must be root to do this.

xxxiii
 Shell Prompts in Command Examples
The following table shows the default system prompt and superuser (root) prompt
for the Bourne shell and Korn shell.

TABLE P–3 Shell Prompts

Shell Prompt

Bourne shell and Korn shell prompt $

Bourne shell and Korn shell superuser prompt #

General Conventions
Be aware of the following conventions used in this book.
4 When following steps or using examples, be sure to type double-quotes ("), left
single-quotes (‘), and right single-quotes (’) exactly as shown.
4 The key referred to as Return is labeled Enter on some keyboards.
4 It is assumed that the root path includes the /sbin, /usr/sbin, /usr/bin, and
/etc directories, so the steps in this book show the commands in these directories
without absolute path names. Steps that use commands in other, less common,
directories show the absolute path in the example.
4 The examples in this book are for a basic SunOS 5.7 software installation without
the Binary Compatibility Package installed and without /usr/ucb in the path.

Caution - If /usr/ucb is included in a search path, it should always be at the end

of the search path. Commands like ps or df are duplicated in /usr/ucb with
different formats and options from the SunOS 5.7 commands.

xxxiv System Administration Guide, Volume II ♦ October 1998

PART I Managing Printing Services

This part provides instructions for managing printing services in the Solaris
environment. This part contains these chapters.

Provides overview information for managing printing

Chapter 1
services on a network. This chapter provides information
on print servers, print clients, and the LP print service.

Provides overview information for planning printing

Chapter 2
services on a network, which includes information on
allocating system resources and defining printers on a
network.

Provides step-by-step instructions for setting up a

Chapter 3
printer on a system and making it available to other
systems on the network.

Provides step-by-step instructions for administering

Chapter 4
printers, such as deleting printers, setting print policies,
and managing print requests.

Provides step-by-step instructions for setting up and

Chapter 5
maintaining character sets, print filters, forms, and fonts.

Provides step-by-step instructions for customizing the

Chapter 6
LP print service, such as adjusting printer port
characteristics or adding a terminfo entry for a
unsupported printer.

Chapter 7 Provides background information on the LP print

service.
CHAPTER 1

Print Management (Overview)

This chapter provides information about managing printers, print clients, and the LP
print service. This is a list of the overview information in this chapter.
4 “The Solaris Print Software” on page 3
4 “Printing in the Solaris Operating Environment” on page 6
4 “The LP Print Service” on page 8
4 “Using the Print Client Software” on page 10
For step-by-step instructions on print management tasks, see:
4 Chapter 3
4 Chapter 4
4 Chapter 5
4 Chapter 6

The Solaris Print Software

The Solaris print software offers a better centralized print administration than the LP
print software in previous Solaris releases. Starting in the Solaris 2.6 release, you can
easily set up and manage print clients using the NIS or NIS+ name services.
Solaris print software features include:
4 Redesign of Print Packages
4 Print Protocol Adapter
4 Print Client Support
4 Network Printer Support

3
 The Solaris print software limitations include:
4 No support for print servers defined as s5 (the System V print protocol) in
previous Solaris releases.
4 No print filtering on print clients.

Redesign of Print Packages

Starting in the Solaris 2.6 release, print packages have been redesigned to provide
greater flexibility and modularity of print software installation and to allow
installation of a smaller print client footprint.
Redesign features include:
4 It is possible with a custom installation to install only the client software on the
print client, allowing for a smaller client footprint. All packages, client and server,
are installed on print servers.
The default state is to install everything, but you can choose to install client or
server software only. Print servers require that the client software is installed.
4 PostScript filter software is contained in the SUNWpsf print package.
Table 1–1 describes the set of print packages.

TABLE 1–1 Solaris Print Packages

Package Instance Package Name Base Directory

SUNWpcr SunSoft Print - Client root (/)

SUNWpcu SunSoft Print - Client usr

SUNWpsr SunSoft Print - LP Server root (/)

SUNWpsu SunSoft Print - LP Server usr

SUNWpsf Postscript Filters usr

SUNWscplp SunSoft Print - Source usr

Compatibility

The removed print packages are:

4 System Administration Guide, Volume II ♦ October 1998

4 SUNWlpr - LP print service, (root)
4 SUNWlpu - LP print service - Client, (usr)
4 SUNWlps - LP print service - Server, (usr)
Print commands contained in SUNWscpu have been moved and placed into
SUNWscplp (SunSoft Print - Source Compatibility).

Print Protocol Adaptor

Starting in the Solaris 2.6 release, the print protocol adaptor replaces the Service
Access Facility (SAF), the network listener, and lpNet on the inbound side of the LP
spooler with a more modular, modern design.
This replacement provides the following features:
4 Complete BSD print protocol implementation plus extended Solaris functionality.
4 Allows multiple spooling systems to coexist on the same host and have access to
the BSD print protocol.
4 Extensible by third-party application developers to support other printing
protocols such as Apple, Novell, etc.).
The new print protocol adaptor is compatible with print clients set up in Solaris 2.5.1
and compatible releases if the "BSD" protocol was used to configure these clients. If
not, you’ll have to modify the Solaris 2.5.1 and compatible print client configuration
to use the "BSD" protocol using AdmintoolTM , Solstice Printer Manager, or the
lpsystem command.

Using Print Clients

The print client software uses a NIS map, NIS+ table, or a single file to provide
centralized client administration. Features of the print client software include:
4 The /etc/lp directory structure on client systems is replaced with a
configuration database that can be stored in a:

4 User file ($HOME/.printers)

4 System file (/etc/[Link])
4 NIS map ([Link])
4 NIS+ FNS context

4 The client software utilizes a more streamlined implementation providing reduced

client overhead and generally quicker and more accurate responses to print status
requests.

Print Management (Overview) 5

 4 The lpset(1M) command is used to create the [Link] file. See Chapter
3 for information on using the lpset command.
4 Substantially smaller (183K total) than the previous Solaris release.
4 Interoperable with BSD protocol as described in RFC-1179. This includes SunOS
4.0 and compatible versions, Solaris 2.5.1 and compatible versions, HPUX, etc. The
print client software packages are SUNWpcr and SUNWpcu.

Enhanced Network Printer Support

The Solaris print software provides better support for network printers than in
previous Solaris releases. Features include:
4 A new interface script, /usr/lib/lp/model/netstandard, is specifically
designed to support network printers. This script collects the spooler and print
database information needed to perform network printing and passes it to the
print output module.
4 A new print output module, netpr, is called from the netstandard interface
script to print the print job by opening a network connection to the printer,
creating the correct protocol instructions, and sending the data to the printer. The
netpr program currently supports two protocols, BSD print protocol and a TCP
pass-through.
4 New arguments to the lpadmin -o command are used to specify destination
name, protocol, and timeout values for the network printer.
4 Solstice AdminSuite 2.3 Printer Manager can be used to set up and manage
network printers.

See Chapter 3 or the Solstice AdminSuite 2.3 Administration Guide for more
information about setting up a network printer.

Printing in the Solaris Operating

Environment
The Solaris printing software provides an environment for setting up and managing
client access to printers on a network.
The Solaris printing software contains these components:
4 The print client software, previously only available with the SolsticeTM
AdminSuiteTM set of administration tools, provides the ability to make printers
available to print clients via a name service.

6 System Administration Guide, Volume II ♦ October 1998

4 Admintool, a graphical user interface used to manage printing on a local system.
4 The LP print service commands, a command line interface used to set up and
manage printers that also provides functionality above and beyond the other print
management tools.
4 The Solstice AdminSuite Print Manager, a graphical user interface used to manage
printers in a name service environment, is available starting in the Solaris 2.6
release.

Table 1–2 summarizes the features of the Solaris printing components.

TABLE 1–2 Solaris Printing Component Features

Manage Print
Graphical User Set Up Print Clients and Using NIS or
Component Interface? Clients? Servers? NIS+?

SunSoft Print No Yes No Yes

Client

Admintool Yes Yes Yes No

LP commands No Yes Yes No

Solstice Yes Yes Yes Yes

AdminSuite

Note - If you do not use Solstice Printer Manager to set up and manage printing,
you will have to use some combination of the other components to completely
manage printing in the Solaris environment.

Choosing a Method to Manage Printers

The print client software and the Printer Manager application in SolsticeTM
AdminSuiteTM offer a graphical solution for setting up and managing printers on a
network. The advantage of the print client software is that it supports a name service
(NIS or NIS+), which enables you to centralize print administration for a network.
lpadmin can also be used on the command line to configure printers on individual
systems.
AdmintoolTM provides an alternative method to install printers in the Solaris
environment. Admintool is a graphical user interface that simplifies tasks for setting

Print Management (Overview) 7

 up and managing printers. See Chapter 3 for step-by-step instructions on using
Admintool.

You must run Admintool on the system to which you have attached the printer,
because Admintool does not enable you to make changes to a remote system. When
setting up a printer, Admintool makes the appropriate changes in the system’s
/etc/[Link] and /etc/lp directory as required. You can use Admintool
to set up a system as a print server or print client only if it is running the SunOS 5.6
or 5.7 releases. Setting up SunOS 4.1 print servers and clients is fully described in the
SunOS 4.0 and compatible versions documentation.

Most of your needs for setting up printing services should be met by Admintool.
However, if you have special needs, such as writing scripts, you may want to use the
LP print service commands (which underlie Admintool) directly. The setup process
with commands is described in “How to Add Access on the Print Client using LP
Commands” on page 43.

Use Table 1–3 to find printer setup information.

TABLE 1–3 Where To Find Printer Setup Information

For Information On ... See ...

Setting up print clients and print servers using

Chapter 3
Admintool

Setting up printer information available to print

Chapter 3
clients using a name service

Setting up network printers using the LP commands

Chapter 3

Setting and managing printing (including network Solstice AdminSuite 2.3

printers) using Solstice Printer Manager Administration Guide

Administering printers using the LP commands

Chapter 4

The LP Print Service

The LP print service is a set of software utilities that allows users to print files while
they continue to work. Originally, the print service was called the LP spooler. (LP

8 System Administration Guide, Volume II ♦ October 1998

stood for line printer, but its meaning now includes many other types of printers,
such as laser printers. Spool is an acronym for system peripheral operation off-line.)
The print service consists of the LP print service software and spooler, which
includes the print client software; any print filters you may provide; and the
hardware (the printer, system, and network connections).
See Chapter 7 for background information about the LP print service.
Other LP print service topics covered in this part and their chapter references are
described below.

Managing Network Printers

A network printer is a hardware device that provides printing services to print clients
without being directly cabled to a print server. It has its own system name and IP
address, and is connected directly to the network.
Network printers often have software support provided by the printer vendor. If
your printer has printer vendor supplied software it is strongly advised that the
printer vendor software be utilized. If the network printer vendor does not provide
software support, the Sun supplied software is available. This software provides
generic support for network printers and is not capable of providing full access to all
possible printer capabilities.
See Chapter 3 for step-by-step instructions on setting up a network printer.

Administering Printers
After you set up print servers and print clients, there are a number of administration
tasks you may need to perform frequently:
4 Deleting a printer and remote printer access
4 Checking the status of printers
4 Restarting the print scheduler
See Chapter 4 for step-by-step instructions on how to perform the printer
administration tasks.

Setting Definitions for Printers

Establishing definitions for the printers on your network is an ongoing task that lets
you provide a more effective print environment for users. For example, you can
assign printer descriptions for all your site’s printers to help users find where a

Print Management (Overview) 9

 printer is located, or you can define a class of printers to provide the fastest
turnaround for print requests.
See Chapter 2 for information on setting up printer definitions.

Administering Character Sets, Filters, Forms, and

Fonts
Depending on your site’s requirements and the types of printers you have on the
network, you may have to set up and administer printer-specific features of the LP
print service. For example, you can assign different print wheels, filters, and forms to
different printers. See Chapter 5 for background information and step-by-step
instructions on how to set up and administer character sets, print filters, forms, and
fonts.

Customizing the LP Print Service

Although the LP print service is designed to be flexible enough to handle most
printers and printing needs, it does not handle every possible situation. You may
have a printing request that is not accommodated by the standard features of the LP
print service. Or you may have a printer that does not quite fit into the way the LP
print service handles printers.
You can customize the LP print service in the following ways:
4 Adjust the printer port characteristics
4 Adjust the terminfo database
4 Customize the printer interface program
4 Create a print filter
4 Define a form
See Chapter 6 for detailed descriptions and step-by-step instructions to customize the
LP print service.

Using the Print Client Software

This section provides an overview of how the print client software works.

10 System Administration Guide, Volume II ♦ October 1998

 The Print Client Process
Figure 1–1 illustrates the path of a print request from the time the user initiates the
request until it is printed.

➊ ➋ ➌ ➍ ➎

Print Client Print Request Print Client Print Server Printer Printed
Command Output
Processing

Figure 1–1 Overview of the Print Client Process

1. A user submits a print request from a print client by using a print client
command.
2. The print client command checks a hierarchy of print configuration resources to
determine where to send the print request.
3. The print client command sends the print request directly to the appropriate print
server. A print server can be any server that accepts BSD printing protocol,
including SVR4 (LP) print servers and BSD print servers (such as the SunOS 4.1
BSD print server).
4. The print server sends the print request to the appropriate printer.
5. The print request is printed.

Print Clients
This section of the overview focuses on the print client, a system that can send print
requests to a print server, and print commands, which enable the print client to
initiate print requests.
Figure 1–2 highlights the part of the print process in which the user submits a print
request from a print client.

➊ ➋ ➌ ➍ ➎

Print Client Print Request Print Client Print Server Printer Printed
Command Output
Processing

Figure 1–2 The User Submits a Print Request from a Print Client

Print Management (Overview) 11

 What Is a Print Client?
A system becomes a print client when you install the print client software and enable
access to remote printers on the system. The print client commands have the same
names and produce the same output as the print commands of the previous Solaris
releases.

How the Print Client Commands Improve the Print Process

With the print client commands, the client system becomes a more effective print
client: the commands use a greater number of options to locate printer configuration
information, and the client communicates directly with the print server. In the
previous Solaris operating environment, the print client did not have these
advantages.
The print client commands:
4 Use more options to locate printer information.
The print client commands check the following resources to locate printers and
printer configuration information:

4 The command-line interface

4 A printer alias file in the user’s home directory
4 Local (print client) configuration files
4 A network (shared) configuration file, if you use a name service

4 Enable clients to submit requests directly to the print server.

The print client sends its requests to the print server’s queue; the client does not
have a local queue. The client writes the print request to a temporary spooling
area only if the print server is not available or if an error occurs. This streamlined
path to the server decreases the print client’s use of resources, reduces the chances
for printing problems, and improves performance.

Printer Configuration Resources

This section describes the resources that the print client commands use to locate
printer names and printer configuration information.
The print client commands can use a name service, which is a network (shared)
resource for storing printer configuration information for all printers on the network.
The name service (NIS or NIS+) simplifies printer configuration maintenance: When
you add a printer in the name service, all print clients on the network can access it.
Figure 1–3 highlights the part of the print process in which the print client
commands check a hierarchy of printer configuration resources to determine where
to send the print request.

12 System Administration Guide, Volume II ♦ October 1998

 ➊ ➋ ➌ ➍ ➎
Print Client Print Request Print Client
Print Server Printer Printed
Command
Processing Output

Figure 1–3 The Print Client Checks Resources to Locate Printers

How the Print Client Software Locates Printers

As shown in Figure 1–4, the print client commands use more options to locate
printers and printer configuration information.

➊ ➋
Print Command Checks:
Print Client

Print Request

Atomic, POSIX, or Context-Based

Printer Name or Class

User’s PRINTER or LPDTEST

Environment Variable for
Default Printer

User’s
.printers File for
Printer Alias

Print Client’s
/etc/[Link] File

Name Service (NIS or NIS+)

Figure 1–4 How the Print Client Software Locates Printers

Print Management (Overview) 13

 1. A user submits a print request from a print client by using the lp or lpr
command. The user can specify a destination printer name or class in any of three
styles:
4 Atomic style, which is the print command and option followed by the printer
name or class, as shown in this example.

% lp -d neptune filename

4 POSIX style, which is the print command and option followed by server:printer,
as shown in the following example.

% lpr -P galaxy:neptune filename

4 Context-based style, as defined in the Federated Naming Service Programming

Guide, shown in this example.

% lpr -d thisdept/service/printer/printer-name filename

2. The print command locates a printer and printer configuration information as

follows:
4 It checks to see if the user specified a destination printer name or printer class
in one of the three valid styles.
4 If the user didn’t specify a printer name or class in a valid style, the command
checks the user’s PRINTER or LPDEST environment variable for a default
printer name.
4 If neither environment variable for the default printer is defined, the command
checks the .printers file in the user’s home directory for the _default
printer alias.
4 If the command does not find a _default printer alias in the .printers file,
it then checks the print client’s /etc/[Link] file for configuration
information.
4 If the printer is not found in the /etc/[Link] file, the command
checks the name service (NIS or NIS+), if any.
These are the advantages of the print client method to locate printers:
4 You can use a name service (NIS or NIS+) to store printer information in one
central location. This is the single most important feature of the print client
software. If you want to add a printer and make it available to all print clients on
the network, all you have to do is enter the printer information in the name
service. The same principle applies to modifying and deleting printers. The printer
information in the name service is available to all print clients.
4 Users can manipulate their .printers file to customize printer information. Even
though print clients know about the printers that are listed in the name service,
you can customize the clients’ printer configuration files to use printer aliases and

14 System Administration Guide, Volume II ♦ October 1998

 to find only certain printers when canceling print requests or getting status
information.
4 If you don’t use a name service, you can still decrease the amount of time it takes
to set up and administer printing by creating a master of the
/etc/[Link] file with all printers on the network and copying that file
to print clients. For further information about using the /etc/[Link]
file, see Chapter 3.
4 The print client software uses POSIX-style names, which means print clients can
access printers that aren’t defined on the print client or in the name service.

Who Should Use a Name Service

A name service provides the most efficient way to add, modify, and delete printer
configuration information for a network. Almost every site can benefit significantly
from using a name service. One exception might be a very small network with only a
few printers and print clients.

Using Print Servers

This section of the overview focuses on the print server, a system that has a local
printer connected to it and makes the printer available to other systems on the
network. Figure 1–5 highlights the part of the print process in which the print server
sends the print request to the printer.

➊ ➋ ➌ ➍ ➎

Prin Client Print Request Print Client Print Server Printer Printed
Command Output
Processing

Figure 1–5 The Print Server Sends a Print Request to the Printer

The BSD Printing Protocol

The print client commands use the BSD printing protocol. One of the big advantages
of this protocol is that it can communicate with a variety of print servers:
4 SunOS 4.1 BSD (LPD) print servers
4 SunOS 5.7 and compatible SVR4 (LP) print servers

Print Management (Overview) 15

 4 Any other print server or printer that accepts the BSD printing protocol
The BSD printing protocol is an industry standard. It is widely used and it provides
compatibility between different types of systems from various manufacturers. Sun has
chosen to support the BSD printing protocol to provide interoperability in the future.

Where to Go From Here

Go to Chapter 3 for step-by-step instructions on:
4 Updating print clients to access existing printers at your site
4 Setting up new printers with print client software
If you need printer planning information, see Chapter 2.

16 System Administration Guide, Volume II ♦ October 1998

CHAPTER 2

Planning Printers on Your Network

(Overview)

The goal of setting up printers on a network is to give users access to one or more
printers. This section provides information about distributing printers across your
network to gain the best efficiency and about planning for printer setup.
4 “Distributing Printers on the Network” on page 17
4 “Assigning Print Servers and Print Clients” on page 18
4 “Print Server Requirements and Recommendations” on page 20
For step-by-step instructions on print management tasks, see:
4 Chapter 3
4 Chapter 4
4 Chapter 5
4 Chapter 6

Distributing Printers on the Network

As an administrator, you must determine whether each printer would be best used if
it is dedicated to one system or available to many systems. In a network
environment, it usually works best to distribute your printers on several print
servers. The advantage of setting up several print servers is that when one print
server has a problem, you can route print requests to other print servers.
If you use a centralized print configuration, you can still connect printers to users’
systems for convenience or for improved response. A printer that is connected to a
user’s system is still available to other systems on the network.

17
 Figure 2–1 shows an example of how you can have a centralized print configuration
and still connect printers to users’ systems.

Print client Print client Local printer connected

to a user’s system

Printers connected to
a print server
Figure 2–1 How to Distribute Printers on a Network

Assigning Print Servers and Print

Clients
You must decide which systems will have local printers physically attached to them,
and which will systems use printers on other systems. A system that has a local
printer attached to it and makes the printer available to other systems on the
network is called a print server. A system that sends its print requests to a print
server is called a print client.
The LP print service software manages printing services in the Solaris environment.
Besides physically connecting a printer to a system, you must define the printer
characteristics to the LP print service and make the system a print server. Once you
have print servers set up, you can set up other systems as print clients.
Print servers and print clients can run different versions of the SunOS operating
system. Systems running the SunOS 5.7 and compatible versions can print to existing
print servers running the SunOS 4.1 operating system, and systems running the
SunOS 4.1 operating system can print to print servers running the SunOS 5.7 and
compatible versions.

Note - SunOS 5.7 is part of the Solaris 7 operating environment.

Figure 2–2 shows example print configurations on a network with systems running
the SunOS 5.7 and compatible versions and SunOS 4.1 operating systems.

18 System Administration Guide, Volume II ♦ October 1998

4.1 Print Client 4.1 Print Client

5.7 Print Server 4.1 Pr

5.7 Print Client 5.7 Print Client

Planning Printers on Your Network (Overview) 19

 Print Server Requirements and
Recommendations
You can attach a printer to a standalone system or to any system on the network.
Any networked system with a printer can be a print server, as long as the system has
adequate resources to manage the printing load.

Spooling Space
Spooling space is the amount of disk space that is used to store and process requests in
the print queue. Spooling space is the single most important factor to consider when
deciding which systems to designate as print servers. When users submit files for
printing, the files are stored in the /var/spool/lp directory until they have been
printed. The size of the /var directory depends on the size of the disk and how the
disk is partitioned. Spooling space may be allocated in the /var directory on the
print server hard disk, or mounted from a file server and accessed over the network.

Note - If /var is not created as a separate file system, the /var directory uses space
in the root (/) file system, which is likely to be insufficient.

Disk Space
When evaluating systems as possible print servers, consider their available disk
space. A large spool directory can consume 600 Mbytes of disk space. Look at the
size and division of disk space on systems that can be designated as print servers.
Also, carefully evaluate the printing needs and use patterns of print client systems. If
users in a small group typically print only short email messages— simple ASCII files
without sophisticated formatting requirements—a print server with 20 to 25 Mbytes
of disk space allocated to /var is probably sufficient. If, however, many print client
users are printing large documents or bit-mapped or raster images, they will likely
fill up the spooling space quite frequently. When users cannot queue their jobs for
printing, work flow is interrupted. Requests for more spooling space may force you to
either add disk space for spooling or designate a different system as the print server.
If the print server has a /var directory that resides in a small partition, and if a large
amount of disk space is available elsewhere, you can use that space as spooling
space by mounting it on the /var directory on the print server. See “Mounting and
Unmounting File Systems (Tasks)” in System Administration Guide, Volume I for
information about mounting file systems and editing the vfstab file.

20 System Administration Guide, Volume II ♦ October 1998

Memory
The Solaris environment requires a minimum of 16 Mbytes of memory to run. A
print server does not require additional memory. However, you may find that more
memory improves performance in filtering print requests.

Swap Space
The swap space allocation on the print server should be sufficient to handle LP print
service requirements. See “Configuring Additional Swap Space (Tasks)” in System
Administration Guide, Volume I for information about how to increase swap space.

Hard Disk
For optimal performance, the print server should have a hard disk and a local /var
directory. You should mount spooling space for a print server on a local hard disk. If
a print server has its own hard disk and a local /var directory, printing is much
faster, and you can more accurately predict the time needed to process print requests.

Planning for Printer Setup

This section provides an overview of planning for printing in the Solaris
environment that includes:
4 Setting definitions for printers such a printer name, printer description, printer
port
4 Selecting a printer type and file content type
4 Setting up fault notification and default printer destination
4 Determining whether you want to print banner pages or limit user access to a
printer
4 Setting up printer classes and fault recovery

Setting Definitions for Printers

Establishing definitions for the printers on your network is an ongoing task that lets
you provide a more effective print environment for users. For example, you can

Planning Printers on Your Network (Overview) 21

 assign parameters for all your site’s printers to help users find where a printer is
located, or you can define a class of printers to provide the fastest turnaround for
print requests.
The lpadmin command lets you set all of the print definitions, while Admintool lets
you set only some of them when you install or modify a printer. Table 2–1 lists the
print definitions and shows whether you can assign the definition with Admintool.

TABLE 2–1 Print Definitions Set With Admintool

Print Definition Can You Set It With Admintool?

Printer name Yes

Printer description Yes

Printer port Yes

Printer type Yes

File contents Yes, but with less functionality than the

lpadmin command

Fault notification Yes, but with less functionality than the

lpadmin command

Default printer destination Yes

Printing banner pages Yes, but with less functionality than the
lpadmin command

Limiting user access to a printer Yes, but with less functionality than the
lpadmin command

Printer class No

Fault recovery No

Printer Name
When adding a printer to a system, you specify a printer name for the printer. A
printer name must be:
4 Unique among all printers within the bounds of an administrative domain
4 A maximum of 14 alphanumeric characters, which may include dashes and
underscores

22 System Administration Guide, Volume II ♦ October 1998

4 Easy to remember and may identify the type of printer, its location, or the print
server name
Establish a naming convention that works for your site. For example, if you have
different types of printers on the network, including the printer type as part of the
printer name can help users choose an appropriate printer. For instance, you could
identify PostScriptTM printers with the letters PS. If, however, all of the printers at
your site are PostScript printers, you would not need to include the initials PS as
part of the printer name.

Printer Description
You can assign a description to a printer by using the lpadmin -D command or
Admintool. The printer’s description should contain information to help users
identify the printer. You might include the room number where the printer is located,
the type of printer, the manufacturer, or the name of the person to call if there are
printing problems.
Users can look at a printer description by using the following command:

$ lpstat -D -p printer-name

Printer Port
When you install a printer or later change its setup, you can specify the device, or
the printer port, to which the printer is connected, by using Admintool or the
lpadmin -p printer-name -v device-name command.
Most systems have two serial ports and a parallel port. Unless you add ports, you
cannot connect more than two serial printers and a parallel printer to one system.
With Admintool, you can select either /dev/term/a or /dev/term/b, or choose
Other and specify any port name that the print server recognizes. These options
give you as much flexibility as the lpadmin command.
The LP print service initializes the printer port using the settings from the standard
printer interface program. See “Managing Print Filters” on page 100 for more
information about printer interface programs. If you have a parallel printer or a
serial printer for which the default settings do not work, see “Adjusting Printer Port
Characteristics” on page 121 for information about customizing the port settings.

Planning Printers on Your Network (Overview) 23

 Note - If you use multiple ports on an x86 system microprocessor-based system,
only the first port is enabled by default. The second and any subsequent ports are
disabled by default. To use more than one port, you must manually edit the device
driver port configuration file for each additional asy (serial) port or lp (parallel)
port. The pathnames for the x86 port configuration files are:
/platform/i86pc/kernel/drv/[Link]
/platform/i86pc/kernel/drv/[Link]
See the Solaris 7 (Intel Platform Edition) Installation Library for information about
configuring serial and parallel ports on x86 systems.

Printer Type
The printer type is a generic name for a type of printer. It identifies the terminfo
database entry that contains various control sequences for the printer. By convention,
printer type is usually derived from the manufacturer’s
TM
model name. For example,
the printer type name for the DECwriter printer is decwriter. However, the
common printer type PS does not follow this convention. PS is used as the printer
type for many models of PostScript printers, such as LaserWriter®I and LaserWriterII
printers.
You can specify the printer type by using the lpadmin -T command or Admintool.
With Admintool, you can specify the printer type only when you are installing a
printer. If you want to change the type of an existing printer, you must delete the
printer and reinstall it by using Admintool, otherwise change the printer type by
using the lpadmin command.
Admintool lets you select a printer type from a menu or choose Other and specify
any printer type in the terminfo database. This provides you as much capability as
the lpadmin command.

Printer Names in the terminfo Database

Information about each printer type is stored in the terminfo database
(/usr/share/lib/terminfo). This information includes the printer capabilities
and initialization control data. The printer you install must correspond to an entry in
the terminfo database.

$ pwd
/usr/share/lib/terminfo
$ ls
1 4 7 A M a d g j m p s u x

(continued)

24 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

2 5 8 B P b e h k n q t v y
3 6 9 H S c f i l o r ti w z
$

Each subdirectory contains compiled database entries for terminals or printers. The
entries are organized by the first letter of the printer or terminal type. For example, if
you have an Epson® printer, look in /usr/share/lib/terminfo/e to find your
particular model of Epson printer.

$ cd /usr/share/lib/terminfo/e
$ ls
emots ep2500+high ep48 ergo4000 exidy2500
env230 ep2500+low epson250 esprit
envision230 ep40 epson2500-80 ethernet
ep2500+basic ep4000 epson2500-h ex3000
ep2500+color ep4080 epson2500-hi8 exidy
$

The entries for Epson printers are included in the preceding example.

If you have a NEC® printer, look in the /usr/share/lib/terminfo/n directory

for your NEC printer model.

$ cd /usr/share/lib/terminfo/n
$ ls
ncr7900 ncr7901 netty-Tabs newhpkeyboard
ncr7900-na nec netty-vi nuc
ncr7900i net network nucterm
ncr7900i-na netronics netx
ncr7900iv netty newhp
$

The entry in this directory for NEC is included in the preceding example.

Selecting a Printer Type

For a local PostScript printer, use a printer type of either PostScript (PS) or Reverse
PostScript (PSR). If your printer supports PostScript, choose PS or PSR even if the
specific printer type is listed in the terminfo database.
If your PostScript printer prints pages face up, documents appear to be printed
backwards—the first page is at the bottom of the stack and the last page is on the
top. If you specify the printer’s type as PSR, the LP print service reverses the order

Planning Printers on Your Network (Overview) 25

 of the pages before sending them to the printer; the last page is printed first, and the
pages are stacked in forward order. However, the LP print service can reliably change
the page order only for PostScript files that conform to the Adobe® Document
Structuring Conventions in Appendix C of the PostScript Language Reference Manual
(written by Adobe Systems Incorporated, and published by Addison-Wesley, 1990).
If a printer can emulate more than one kind of printer, you can assign it several
types by using the lpadmin -T command. If you specify more than one printer
type, the LP print service uses the type that is appropriate for each print request.
You may not find the printer type in the appropriate terminfo directory. The type
of printer is not necessarily linked to the manufacturer’s name on the printer. For
example, for any type of PostScript printer, you can use the PS or PSR entry (found
in the /usr/share/lib/terminfo/P directory) instead of an entry specific to
manufacturer or product names.
If you have an unusual type of printer, you may need to try different entries before
you can determine whether a particular terminfo entry works for your model of
printer. If possible, find an entry in the terminfo database that works for your
printer. It will be much easier than trying to create an entry. If you have to create
your own entry, “Adding a terminfo Entry for an Unsupported Printer” on page
124 contains some useful tips.

Selecting a File Content Type

Print filters convert the content type of a file to a content type that is acceptable to
the destination printer. The file content type tells the LP print service the type of file
contents that can be printed directly, without filtering. To print without filtering, the
necessary fonts must also be available in the printer. (You must set up and use
filtering for other types of files.)
You can specify the file content type for a printer by using the lpadmin -I
command or Admintool. With Admintool, you can select a file contents type from a
menu. Not all available file content types are listed on the menu. You must use the
lpadmin command to specify file content types that are not included on the
Admintool menu.
Many printers can print two types of files directly:
4 The same type as the printer type (for example, PS for a PostScript printer)
4 The type simple (an ASCII text file)
When submitting a file for printing, the user can indicate the content type of the file
(lp -T content-type). Otherwise, a file is assumed to be simple (ASCII text). The LP
print service uses the file content type to determine which filters to use to convert
the file contents into a type the printer can handle.
Admintool provides a list of file content types from which you can choose when
installing or modifying a local printer. The choices are translated to the names that

26 System Administration Guide, Volume II ♦ October 1998

the LP print service uses. Table 2–2 describes the file content types you can choose
with Admintool.

TABLE 2–2 Choosing File Content Type With Admintool

File Contents Choice LP Print Service Name Description

PostScript postscript PostScript files do not require filtering.

ASCII files require filtering.

ASCII simple PostScript files require filtering. ASCII

files do not require filtering.

Both PostScript and simple,postscript PostScript files and ASCII files do not
ASCII require filtering.

None "" All files require filtering, except those

matching the printer’s type.

Any any No filtering required. If the printer

cannot handle a file content type
directly, the file will not be printed.

Choose the file content type that best matches the printer’s capabilities. PostScript
(which means filtering is not needed for PostScript files) is the default choice in
Admintool and is probably correct most of the time.

Frequently Used Printers

This section provides the printer type and file content type for the printers most
commonly used with SunOS 5.x software. Although not shown, many of these
printers can also directly print files with simple content type.
If you have a PostScript printer, use a printer type of PS or PSR and a content type of
postscript. PSR reverses the pagination and prints the banner page last.
Table 2–3 lists additional non-PostScript printers and shows the printer type to use
for configuring each printer. For all these printers, the file content type is simple.

Note - Sun Microsystems does not supply filtering software for the printers listed in
Table 2–3, among others. However, you can use unsupported printers if you supply
filtering or if the printer can directly print the file content type. If you have questions
about any printer for which Sun Microsystems does not supply filters, contact the
printer manufacturer.

Planning Printers on Your Network (Overview) 27

 TABLE 2–3 Some Non-PostScript Printers for Which Sun Does Not Supply Filters

Printer Printer Type

Daisy daisy

Datagraphix datagraphix

DEC LA100 la100

DEC LN03 ln03

DECwriter decwriter

Diablo diablo

diablo-m8

Epson 2500 variations epson2500

epson2500-80

epson2500-hi

epson2500-hi80

Hewlett-Packard HPCL printer hplaser

IBM Proprinter ibmproprinter

If you want to set up a printer that is not in the terminfo database, see “How to
Add a terminfo Entry for an Unsupported Printer” on page 127.

28 System Administration Guide, Volume II ♦ October 1998

CHAPTER 3

Setting Up Printers (Tasks)

This chapter explains how to set up a printer and make it accessible to systems on
the network. You can perform most printer setup tasks by using Admintool. This is a
list of the step-by-step instructions in this chapter.
4 “How to Convert Printer Information For a System Running the SunOS 5.5.1
Release or Compatible Versions” on page 32
4 “How to Convert Printer Information For a System Running the SunOS 4.1
Release” on page 32
4 “How to Start Admintool” on page 35
4 “How to Add a Local Printer Using Admintool” on page 36
4 “How to Add Printer Access on the Print Client Using Admintool” on page 42
4 “How to Add Access on the Print Client using LP Commands” on page 43
4 “How to Add Domain-Wide Access to a Printer using NIS” on page 44
4 “How to Add Domain-Wide Access to a Printer using NIS+” on page 45
4 “How to Use the /etc/[Link] File to Load NIS” on page 46
4 “How to Use the /etc/[Link] File to Load NIS+” on page 47
4 “How to Add a Network Printer Using Printer Vendor Supplied Tools” on page 53
4 “How To Add A Network Printer Using LP Commands” on page 54
For overview information about printers, see Chapter 1.

29
 Updating Print Clients to Access
Existing Printers
This section explains how to convert the printer configuration information from
systems running the SunOS 5.5.1 release and compatible versions at your site and
copy this information to print clients so they can access existing printers.

Note - If you have only a few existing printers, it may be easier to add access to the
printers by using Solstice Printer Manager or Admintool rather than convert the
printer configuration information and distribute it to print clients. See Table 3–2
information on adding access to printers.

Updating Print Clients to Access

Existing Printers Task Map
Table 3–1 provides an overview of the tasks you perform to convert the printer
configuration information for systems running the SunOS 5.5.1 release and
compatible versions at your site and distribute the information to print clients so
they can access existing printers.

30 System Administration Guide, Volume II ♦ October 1998

TABLE 3–1 Updating Print Clients to Access Existing Printers Task Map

Task Description For Instructions, Go To

Convert Existing Printer Convert Printer Configuration Information For “How to Convert Printer
Configuration Information Systems Running the SunOS 5.5.1 Release and Information For a System
Compatible Versions Running the SunOS 5.5.1
Release or Compatible
If your site uses SunOS 5.5.1 release and
Versions” on page 32
compatible versions, convert the printer
configuration information in the /etc/lp/
printers directory to the /etc/
[Link] configuration file. This is
usually a one-time task.

Convert Printer Configuration Information For “How to Convert Printer

a System Running the SunOS 4.1 Release Information For a System
Running the SunOS 4.1
If your site uses SunOS 4.1 software, convert
Release” on page 32
the printer configuration information in a 4.1
system’s /etc/printcap file to the /etc/
[Link] configuration file. This is
usually a one-time task.

Converting Existing Printer Configuration

Information
Existing printer configuration information will automatically be converted when
installing or upgrading to the Solaris 7 release or compatible versions. This section
explains how to convert the printer configuration information for a system running
SunOS 5.5.1 release or compatible versions or a system running the SunOS 4.1
release to the /etc/[Link] printer configuration file used in the print
client software. You’ll use one of two print administration commands to automate
the conversion task:

4 The conv_lp(1M) command enables you to convert information in the

/etc/lp/printers directory on a SunOS 5.7 system to entries in the system’s
/etc/[Link] file. See “How to Convert Printer Information For a
System Running the SunOS 5.5.1 Release or Compatible Versions” on page 32 for
instructions.

4 The conv_lpd(1M) command enables you to convert information in a

/etc/printcap configuration file from a SunOS 4.1 system to entries in a
/etc/[Link] file. See “How to Convert Printer Information For a
System Running the SunOS 4.1 Release” on page 32 for instructions.

Setting Up Printers (Tasks) 31

 If you are not using a name service, you should create a master
/etc/[Link] file that includes the existing printers at your site. You can
then copy the master file to all the print clients or by loading it into the NIS or NIS+
name service. This is a good way to initially enable all the new print clients access to
the existing printers at your site.

Caution - If you are using the NIS or NIS+ name service to configure printer
information, do not use a /etc/[Link] file on your print clients. A print
client uses the /etc/[Link] file first to locate a printer; however, the
/etc/[Link] file may conflict with the printer information in the NIS or
NIS+ maps and cause unexpected results. To avoid this problem, remove the
/etc/[Link] file on print clients when you want them to use NIS or NIS+
for printer information.

How to Convert Printer Information For a System

Running the SunOS 5.5.1 Release or Compatible
Versions
1. Log in as superuser on a system that has SunOS 5.7 or compatible software and
the Solaris 2.6 or compatible print client software installed.

2. Convert the printer configuration information in the system’s

/etc/lp/printers directory to the /etc/[Link] file.

# /usr/lib/print/conv_lp

How to Convert Printer Information For a System

Running the SunOS 4.1 Release
1. Copy the /etc/printcap file from a SunOS 4.1 system to a system running
the SunOS 5.7 or compatible software that has the SunOS 5.7 compatible print
client software.

2. Log in as superuser on the system running the SunOS 5.7 or compatible

software to which you copied the /etc/printcap file.

3. Convert the printer configuration information in the /etc/printcap file to

the /etc/[Link] file.

# /usr/lib/print/conv_lpd

32 System Administration Guide, Volume II ♦ October 1998

 Setting Up Printing
“Setting Up Printing Task Map” on page 33 provides an overview of the tasks
necessary to set up print servers (Add a Printer) and print clients (Add Access to the
Printer). A local printer is one which is physically cabled to the print server; a
network printer is physically attached to the network. Adding access to a printer, or
adding remote access, is the process of giving print clients (all those machines which
are not the server) access to the printer.

Setting Up Printing Task Map

TABLE 3–2 Task Map: Setting Up Printing

Task Description For Instructions, Go To

1. Add a Local Printer Using Admintool “How to Add a Local Printer

Using Admintool” on page 36
After physically attaching the printer to a
system, use Admintool to make the printer
available for printing.

Using LP Commands “How to Add a Local Printer

Using LP Commands” on page
After physically attaching the printer to a
38
system, use the LP commands to make the
printer available for printing.

2. Add Access to a Printer Using Admintool “How to Add Printer Access

on the Print Client Using
Add printer access on the print client using
Admintool” on page 42
Admintool.

Using LP Commands “How to Add Access on the

Print Client using LP
Add printer access on the print client using
Commands” on page 43
the lp commands.

Using a Name Service “Adding Access to a Remote

Printer Using a Name Service”
Add printer access on the print client by
on page 44
setting up a /etc/[Link] file in
the NIS or NIS+ name service.

Setting Up Printers (Tasks) 33

TABLE 3–2 Task Map: Setting Up Printing (continued)

Task Description For Instructions, Go To

3. Add Access to Existing Copy a Master /etc/[Link] File to Clients “Enabling Print Clients to
Printers
Access Existing Printers” on
If you don’t use a name service, copy the
page 46
printer configuration information in the
converted system’s /etc/[Link]
file to other print clients.

Use the /etc/[Link] File to Load NIS “How to Use the

/etc/[Link] File to
If you use the NIS name service, copy the
Load NIS” on page 46
printer configuration information in the
converted system’s /etc/[Link]
file to the NIS master file.

Use the /etc/[Link] File to Load NIS+ “How to Use the

If you use the NIS+ name service, copy the /etc/[Link] File to
printer configuration information in the Load NIS+” on page 47
converted system’s /etc/[Link]
file to the NIS master file.

4. Set Up a .printers File Optional. Using a $HOME/.printers file “Setting Up a .printers File”
enables users to establish their own custom on page 47
printer aliases.

5. Add a Network Printer Using Printer Vendor Supplied Tools “How to Add a Network
Printer Using Printer Vendor
After physically connecting the printer to the
Supplied Tools” on page 53
network, use vendor-supplied software to
configure the network printer.

Using LP Commands “How To Add A Network

After physically connecting the printer to the Printer Using LP Commands”
network, use SunOS 5.7 or compatible on page 54
supplied software to configure the network
printer.

6. Turn Off Banner Pages Optional. You can turn off banner pages so “How to Turn Off Banner
they are never printed. Pages” on page 70

7. Set Up Fault Alerts Optional. You can set up more specific fault “How to Set Fault Alerts for a
alerts for the printer than Admintool Printer” on page 72
provides.

34 System Administration Guide, Volume II ♦ October 1998

TABLE 3–2 Task Map: Setting Up Printing (continued)

Task Description For Instructions, Go To

8. Set Up Fault Recovery Optional. Admintool does not enable you to “How to Set Printer Fault
set up how a printer should recover after it Recovery” on page 75
faults.

9. Limit Access to the Printer Optional. Admintool enables you to set up an “How to Limit User Access to a
allow list, but if you want to limit a few Printer” on page 77
users’ access to the printer, you may want to
set up a deny list.

Starting Admintool
How to Start Admintool
1. Verify that the following prerequisites are met. To use the Admintool software,
you must have:
4 A bit-mapped display monitor. The Admintool software can be used only on a
system with a console that is a bit-mapped screen, such as a standard display
monitor that comes with a Sun workstation.
4 Running an X Window System, such as the OpenWindows environment.
4 Membership in the sysadmin group (group 14).

2. Log in on the system where you want to set up the printer.

3. Start Admintool with the following command:

$ admintool &

The Admintool main window is displayed.

4. Select Printers from the Browse menu.

Setting Up Printers (Tasks) 35

 The Printers window is displayed.

Setting Up a Print Server

When you add a local printer and/or a network printer to a system, the printer is
made accessible to the local system. The system on which you install the printer
becomes the print server.

A printer can be added using either Admintool or the LP print service commands.
The following describes how to use each of these.

How to Add a Local Printer Using Admintool

1. Select the system which is to be the printer server.
Verify that the print server has the following print packages installed by using the
pkginfo(1) command: SUNWpcr, SUNWpcu, SUNWpsr, SUNWpsu, SUNWscplp,
and SUNWpsf.

# pkginfo package_instance

2. Connect the printer to the printer server and turn on the power to the printer.

36 System Administration Guide, Volume II ♦ October 1998

 Consult the printer vendor’s installation documentation for information about the
hardware switches and cabling requirements.

3. Start Admintool on the printer server where you connected the printer.
See the procedure on “How to Start Admintool” on page 35 for detailed
information.

4. Select Add Local Printer from the Edit menu.

The Add Local Printer window is displayed.

5. Fill in the window.

If you need information to complete a field, click on the Help button to see field
definitions for this window.

6. Click on OK.
The printer is displayed in the Admintool Printers window.

7. Exit Admintool.
Click on button in upper-left corner; select quit.

8. Add client access to the new printer.

Now that the printer has been added, create access to the printer for the clients.
See “Setting Up a Print Client” on page 41.

9. Optional tasks to complete.

There are several optional tasks you may want to complete when setting up a
printer. See “Setting Up Printing Task Map” on page 33 for pointers to the
remaining tasks.

Example—Completed Add Local Printer Window

In the following example, the printer luna is added on the print server krypton.

Setting Up Printers (Tasks) 37

 How to Add a Local Printer Using LP Commands
Adding a local printer may also be accomplished using the command line interface.
1. Select the system which is to be the printer server.
Verify that the print server has the following print packages installed by using the
pkginfo(1) command: SUNWpcr, SUNWpcu, SUNWpsr, SUNWpsu, SUNWscplp,
and SUNWpsf.

# pkginfo package_instance

2. Connect the printer to the printer server and turn on the power to the printer.
Consult the printer vendor’s installation documentation for information about the
hardware switches and cabling requirements.

38 System Administration Guide, Volume II ♦ October 1998

3. Set lp ownership and read/write access on the port device.

# chown lp /dev/term/device
# chmod 600 /dev/term/device

4. Define the printer name, the device, the printer type and content type by using
the lpadmin(1M) command.
a. Define the printer name and the port device the printer will use.

# lpadmin -p printer-name -v /dev/term/device

b. Set the printer type of the printer.

# lpadmin -p printer-name -T printer-type

c. Specify the file content types of the printer.

# lpadmin -p printer-name -I content-type

5. Add filters to the print server by using the lpfilter(1M) command.

a. First, determine if the needed filters are installed.

# lpfilter -l -f all

If the filter is not installed, you will see the message:

ERROR: No filter by the name "" exists.

b. If you have determined that filter installation is needed, use the lpfilter
command to install the filters.

# cd /etc/lp/fd
# for filter in *.fd;do
> name=‘basename $filter .fd‘
> lpfilter -f $name -F $filter
> done

(continued)

Setting Up Printers (Tasks) 39

 (Continuation)

6. Allow the printer to accept printer requests and enable the printer to print the
requests.

# accept printer-name
# enable printer-name

7. Verify the printer is correctly configured by using the lpstat(1) command.

# lpstat -p printer-name

8. (Optional) Add a description to the printer.

# lpadmin -p printer_name -D "description"

9. Add client access to the new printer.

Now that the printer has been added, create access to the printer for the clients.
See “Setting Up a Print Client” on page 41.

10. Optional tasks to complete.

There are several optional tasks you may want to complete when setting up a
printer. See “Setting Up Printing Task Map” on page 33 for pointers to the
remaining tasks.

Example—Adding a Local Printer Using LP Commands

This example shows how to make a local PostScript printer available for printing on
a print server. The commands in this example must be executed on the print server

40 System Administration Guide, Volume II ♦ October 1998

where the printer is connected. The following information is used in the example
and may change depending on your situation:
4 Printer name: luna
4 Port device: /dev/term/b
4 Printer type: PS
4 File content type: postscript
1
# chown lp /dev/term/b
# chmod 600 /dev/term/b
2
# lpadmin -p luna -v /dev/term/b
3
# lpadmin -p luna -T PS
4
# lpadmin -p luna -I postscript
# cd /etc/lp/fd
5
# for filter in *.fd;do
> name=‘basename $filter .fd‘
> lpfilter -f $name -F $filter
> done
6
# accept luna destination ‘‘luna’’ now accepting requests
# enable luna printer ‘‘luna’’ now enabled
7
# lpadmin -p luna -D "Room 1954 ps"
8
# lpstat -p luna
printer luna is idle. enabled since Jun 16 10:25 1998.
available.

Setting Up a Print Client

A print client is a system that is not the server for the printer, yet has access to the
printer. A print client uses the services of the print server to spool, schedule and
filter the print jobs. Note that one system may be a print server for one printer and
be a print client for another printer.
Access to a remote printer may be configured on a domain-wide basis or on a
per-machine basis. A combination of these two may also be used. To add access to a
remote printer on a per machine basis see “How to Add Printer Access on the Print
Client Using Admintool” on page 42 or “How to Add Access on the Print Client
using LP Commands” on page 43. To add access on a domain wide basis, follow the

1. Gives lp ownership and sole access to a port device.

2. Defines the printer name and the port device the printer will use.
3. Sets the printer type of the printer.
4. Specifies the file content types to which the printer can print directly.
5. Adds print filters to the print server.
6. Accepts print requests for the printer and enables the printer.
7. Adds a description for the printer.
8. Verifies that the printer is ready.

Setting Up Printers (Tasks) 41

 instructions under “Adding Access to a Remote Printer Using a Name Service” on
page 44.

How to Add Printer Access on the Print Client

Using Admintool
1. Start Admintool on the system where you want to add access to a remote
printer.
See the procedure on “How to Start Admintool” on page 35 for detailed
information.

2. Select Add Access to Remote Printer from the Edit menu.

The Add Access to Remote Printer window is displayed.

3. Fill in the window.

If you need information to complete a field, click on the Help button to see field
definitions for this window.

4. Click on OK.
The printer is displayed in the Admintool Printers window.

5. Exit Admintool.
Click on button in upper-left corner; select quit.

Example—Adding Printer Access on the Print Client

In the following example, the print client rogue is given access to the printer
rocket on the print server enterprise.

42 System Administration Guide, Volume II ♦ October 1998

How to Add Access on the Print Client using LP
Commands
1. Collect the required information.
All that is required is the name of the printer and the name of the server for that
printer.

2. Define the printer by using the lpadmin command.

# lpadmin -p printer_name -s server_name

3. (Optional) Add a description to the printer.

# lpadmin -p printer_name -D "description"

4. Verify the printer is correctly configured by using the lpstat command.

# lpstat -p printer-name

Example—Adding Access on the Print Client using LP

Commands
If you want to print to a remote printer, you must add access to the remote printer.
This example shows how to configure access to a printer named luna, whose print
server is saturn. The system saturn becomes a print client of the printer luna.
9
# lpadmin -p luna -s saturn
10
# lpadmin -p luna -D "Room 1954 ps"
11
# lpadmin -d luna
12
# lpstat -p luna
printer luna is idle. enabled since Jun 16 10:25 1998. available.

9. Identifies the printer and the print server.

10. Adds a description for the printer.
11. Sets the printer as the system’s default printer destination.
12. Verifies that the printer is ready.

Setting Up Printers (Tasks) 43

 Adding Access to a Remote Printer
Using a Name Service
Using either the NIS or NIS+ maps, access to a printer may be obtained on a
domain-wide basis. See nis+(1) .

How to Add Domain-Wide Access to a Printer

using NIS
On the NIS master server, run the lpset command to create a [Link] file;
then create and push the map. This gives all members of the domain access to the
printers defined in the map. See lpset(1M) for more information.
1. Become superuser on the NIS master server.

2. Create a [Link] file by using the lpset command for each printer.

# lpset -a bsdaddr=server1,printer1,extensions printer1

-a bsdaddr=server1,printer1,extensions Adds the print server, printer destination,

and enables Solaris protocol extensions.

printer1 Specifies the printer name.

3. Create and push the NIS map.

# make -f /var/yp/makefile -f /usr/lib/print/[Link] [Link]

-f /var/yp/makefile Specifies the NIS makefile.

-f /usr/lib/print/[Link] Specifies the NIS print makefile. This

means implicit rules and predefined
macros from both makefiles are
concatenated.

[Link] Specifies the file to be created or updated.

44 System Administration Guide, Volume II ♦ October 1998

Example—Adding Domain-Wide Access to a Printer using NIS
This example creates a [Link] entry for the printer luna, connected to the
print server, saturn. The make command pushes the [Link] map.

# lpset -a bsdaddr=saturn,luna,Solaris -a description= "Room 1954 ps" luna

# make -f /var/yp/makefile -f /usr/lib/print/[Link] [Link]

How to Add Domain-Wide Access to a Printer

using NIS+
On the NIS+ master server, use the lpset command. See lpset(1M) and fns(5) to
add the printer configuration information to NIS+ via XFN.
1. Become superuser on the NIS+ master server.

2. (Optional) If FNS has not been initialized, create the root organization context
and its subcontents for the NIS+ root domain.

# fncreate -t org org//

3. Create the NIS+ map.

# lpset -n fns -a bsdaddr=server1,printer1,extensions printer1

-n fns Creates or updates the FNS content.

-a bsdaddr=server1,printer1,extensions Adds the print server, printer destination,

and enables Solaris protocol extensions.

printer1 Specifies the printer name.

Example—Adding Domain-Wide Access to a Printer using

NIS+
This example creates a [Link] entry for the printer luna, connected to the
print server, saturn.

Setting Up Printers (Tasks) 45

 # lpset -n fns -a bsaddr=saturn,luna,Solaris -a description=
"Room 1954 ps" luna

Enabling Print Clients to Access

Existing Printers
Once you create a master /etc/[Link] file that includes the existing
printers at your site, you can enable all the SunSoft print clients to access the existing
printers in two ways.
4 If you don’t use a name service, you can copy the master /etc/[Link]
file to all SunSoft print clients.
4 If you use a name service, you can use the master /etc/[Link] file to
load the NIS or NIS+ master file, where the information becomes available to all
SunSoft print clients.

How to Use the /etc/[Link] File to

Load NIS
1. Log in as superuser on the system that contains the /etc/[Link] file
to be copied to the NIS master server.

2. Copy the system’s /etc/[Link] file to the NIS master server’s /etc
directory.

3. Copy the /usr/lib/print/[Link] makefile to the NIS master server’s

/var/yp directory.

4. Log in as superuser on the NIS master server.

5. On this system, specify how to process the files.

# make -f /var/yp/makefile -f /var/yp/[Link] [Link]

46 System Administration Guide, Volume II ♦ October 1998

 -f /var/yp/makefile Specifies the NIS makefile.

-f /usr/lib/print/[Link] Specifies the NIS print makefile. This

means implicit rules and predefined
macros from both makefiles are
concatenated.

[Link] Specifies the file to be created or updated.

How to Use the /etc/[Link] File to

Load NIS+
1. Make sure you are a member of the NIS+ admin group. You must have the
appropriate privileges to perform this task.

2. Log in as superuser on the system that contains the /etc/[Link] file

to be copied to the NIS+ master file.

3. Copy the system’s /etc/[Link] file to the NIS+ master file.

# fncreate_printer -f /etc/[Link] thisorgunit/service/printer

See the Federated Naming Service Programming Guide if you need information
about entering this command.

Where to Go From Here

After you have given SunSoft print clients access to existing printers, users may want
to set up the .printers file in their home directory to contain custom printer
aliases. For step-by-step instructions, see the next section.

Setting Up a .printers File

There is no need to set up a .printers file in your users’ home directories if they
don’t need customized printer information. However, the .printers file enables
users to establish their own custom printer aliases. You can use the alias _default
to make a printer the default and also set up a special alias _all to define a list of
printers affected when you cancel a print request or check the status of printers.

Setting Up Printers (Tasks) 47

 Keep in mind that the LP commands check a user’s home directory to locate printer
configuration information before they check the name service. This means you can
tailor a user’s printer configuration file to use custom printer information rather than
the shared information in the name service.
See printers(4) for detailed information about the .printers file.

(Optional) How to Set Up a .printers File

1. Log in to the user’s system as superuser.

2. Start the file editor you want to use to create a .printers file in the user’s
home directory.

3. (Optional) Set up the _default alias to make a specific printer your default
printer, using an entry similar to the one shown in the following example.

# _default printer_name

4. (Optional) Set up the _all alias to define the printers affected when you
cancel a print request or check the status of printers, using an entry similar to
the one shown in the next example.

# _all printer1 printer2 printer3

5. Save the file as .printers.

Adding a Network Printer

A network printer is a hardware device that provides printing services to print clients
without being directly cabled to a print server. It has its own system name and IP
address, and is connected directly to the network. Even though a network printer is
not connected to a print server, it is necessary to set up a print server for it. The print
server provides queuing capabilities, filtering, and printing administration for the
network printer.

48 System Administration Guide, Volume II ♦ October 1998

Network printers use one or more special protocols that require a vendor-supplied
printing program. The procedures to set up the vendor-supplied printing program
can vary. If the printer does not come with vendor supplied support, the SunSoft
network printer support may be used; it is strongly advised to use the print vendor
supplied software when possible.
The vendor might supply an SVR4 printer interface script to replace the standard
printer interface script. If so, their SVR4 interface script will call the vendor-supplied
printing program to send the job to the printer. If not, you will need to modify the
standard interface script to call the vendor-supplied printing program. You can do
this by editing the per-printer copy of the standard interface script to call the
vendor-supplied printing program.
The terms used in network printer configuration are:
4 Print server: The machine which spools and schedules the jobs for a printer. This
is the machine on which the printer is configured.
4 Printer-host device: The printer-host device is the software and hardware supplied
by a vendor which provides network printer support for a non-network capable
printer. The combination of the printer-host device with one or more printers
attached to it creates a network printer.
4 Printer node: This is either the physical printer or the printer-host device. It is the
physical printer when the network support resides in the physical printer. It is the
printer-host device when an external box is used to provide the network interface.
The printer node name is the machine name given with the IP address. This name
is selected by the system administrator and has no default or vendor requirement.
The printer nodename, as with all nodes, must be unique.
4 Printer name: The name entered on the command line when using any of the
printer commands. It is selected by the system administrator at the time of printer
configuration. Any one physical printer may have several printer or queue names;
each provides access to the printer.
4 Network printer access name: The internal name of the printer node port that is
used by the printer sub-system to access the printer. It is the name of the printer
node, or the name of the printer node with a printer vendor port designation. Any
printer vendor port designation is explicitly defined in the printer vendor
documentation. It is printer specific. In the case where the printer is a printer-host
device and a printer, the port designation is documented in the printer-host device
documentation. The format is:
printer_node_name
or
printer_node_name:port_designation
4 Protocol: the over-the-wire protocol used to communicate with the printer. The
printer vendor documentation supplies the information regarding the protocol to
select. The SunSoft network printer support supplies both BSD Printer Protocol
and raw TCP. Due to implementation variations, you may want to try both.

Setting Up Printers (Tasks) 49

 4 Timeout, or retry interval: Timeout is a seed number representing the number of
seconds to wait between attempting connections to the printer. This seed number
is the smallest amount of time to wait between attemped connections, and
increases with an increase in failed connections. After repeated failures to connect
to the printer, a message is returned to the user requesting possible human
intervention. Attempts to reconnect continue until successful or the job is cancelled
by the job owner.

Printer Vendor Supplied Software for Network

Printers
Network printers often have software support provided by the printer vendor. If your
printer has printer vendor supplied software it is strongly advised that the printer
vendor software be utilized. The software is designed to support the attributes of the
printer and can take full advantage of the printer capabilities. Read the printer
vendor documentation to install and configure the printer under an LP print system.

Sun Support for Network Printers

If the network printer vendor does not provide software support, the Sun supplied
software is available. The software provides generic support for network printers
and is not capable of providing full access to all possible printer attributes.
A general discussion of how to add a network printer is provided in Chapter 3. The
following is a discussion of printer management using the Sun supplied software.

Invoking the Network Printer Support

The software support for network printers is called through the interface script.
Configuring a network printer with the network interface script, netstandard,
causes the network printer support module to be called. The command to configure
the printer with the network support is:
lpadmin -p printer_name -i /usr/lib/lp/model/netstandard

Selecting the Protocol

The print sub-system uses BSD print protocol and raw TCP to communicate with the
printer. The printer vendor documentation will provide the information about which
protocol to use. In general, we have found that the TCP protocol is more generic
across printers.
The command to select the protocol is:

50 System Administration Guide, Volume II ♦ October 1998

lpadmin -p printer_name -o protocol=bsd

or
lpadmin -p printer_name -o protocol=tcp

If the protocol selected is the BSD print protocol, you may further select the order of
sending the control file to the printer. Some printers expect the control file, then the
data file; others the reverse. See the printer vendor documentation for this
information. The default is to send the control file first.
The command to select the ordering is:
lpadmin -p printer_name -o bsdctrl=first

or
lpadmin -p printer_name -o bsdctrl=last

Selecting the Printer Node Name

The system administrator selects the printer node name. This name must be unique,
as with any node on the network. The printer node name is connected with the IP
address of the printer.

Selecting the Network Printer Access Name

The print subsystem requires access information for the printer. This is the name that
the subsystem uses when making the network connection to the printer. This name is
supplied by the system administrator to the print sub-system through the lpadmin
command. It becomes part of the printer configuration database. The printer access
name is the name of the printer node, sometimes qualified by a port name. Port
designation varies across printer vendors. You will find information about port
designation in the documentation that is provided with the printer by the printer
vendor. The format of printer access name is:

printer_node-name[:port_designation]

Example 1—Network Printer Access Name with Port

Designation (Number)
A common port designation with TCP is 9100. If the printer node name is pn1, and
the printer vendor defines the port as 9100, then the printer access name is:
pn1:9100. To configure a printer in this case use:
lpadmin -p printer_name -o dest=pn1:9100

Setting Up Printers (Tasks) 51

 Example 2—Network Printer Access Name with Port
Designation (Name)
When using the BSD protocol, the port designation may not be a number, but some
name defined by the printer vendor, for example: xxx_parallel_1. If the printer
node name is cardboard, then the printer access name is:
cardboard:xxx_parallel_1. To configure a printer in this case use:
lpadmin -p printer_name -o dest=cardboard:xxx_parallel_1

Example 3—Network Printer Access Name with No Port

Designation
If there is no port designation, and the printer node name is newspaper, the printer
access name is the printer node name: newspaper. To configure a printer in this case
use:
lpadmin -p printer_name -o dest=newspaper

Setting the Timeout Value

The timeout option is provided to allow for individual selection of the amount of
time (in seconds) to wait between successive attempts to connect to the printer. Some
printers have a long warm up time and a longer timeout value is advised. The
default is 10 seconds.

The timeout value does not impact the success or failure of the print process. It is a
seed value which the software uses as the initial timeout count; on repeated failures,
this count is increased. A message is sent to the spooler when repeated attempts to
connect to the printer fail. This alerts the user that intervention may be required.
This could be anything from the printer being turned off, to out of paper. Should
these messages be produced too often, for example when the printer is warming up,
increasing the timeout value will eliminate spurious messages.

The system administrator can experiment to find the optimal timeout value. The
command to set the timeout is:
lpadmin -p printer_name -o timeout=n

Managing Network Printer Access

Each network printer should have one and only one server that provides access to it.
This enables the server to manage the access to the printer and keep jobs coherent.

The default device for the network printer is /dev/null. This is sufficient when
there is only one queue for the printer. Should more queues be required, set the
device to a file. This enables the print system to restrict access to the printer across
queues. The following commands create a device file and configure it as the network
printer device.

52 System Administration Guide, Volume II ♦ October 1998

 touch /path/filename
chmod 600 /path/filename
lpadmin -p printer_name -v /path/filename

The following is an example of creating a device file called devtreedown.

# touch /var/tmp/devtreedown
# chmod 600 /var/tmp/devtreedown
# lpadmin -p treedown -v /var/tmp/devtreedown

How to Add a Network Printer Using Printer

Vendor Supplied Tools
1. Connect the printer to the network and turn on the power to the printer.
Consult the printer vendor’s installation documentation for information about the
hardware switches and cabling requirements. Get an IP address and select a name
for the printer node. This is equivalent to adding any node to the network.

2. Follow the printer vendor instructions to add the network printer to a SunOS
5.7 system that has an SVR4 LP print spooler.
Use the printer vendor instructions to configure the network printer. These will
be specific to the vendor and printer.

3. Add client access to the new printer.

Now that the printer has been added, create access to the printer for the clients.
See “Setting Up a Print Client” on page 41.

4. Optional tasks to complete.

There are several optional tasks you may want to complete when setting up a
network printer. See “Setting Up Printing Task Map” on page 33 for pointers to
the remaining tasks.

Setting Up Printers (Tasks) 53

 How To Add A Network Printer Using LP
Commands
Note - This describes the steps necessary to setup a network printer using the
network printer support software. The use of this software is intended for those
printers that do not come with vendor supplied software.

1. Connect the printer to the network and turn on the power to the printer.
Consult the printer vendor’s installation documentation for information about the
hardware switches and cabling requirements. Get an IP address and select a name
for the printer node. This is equivalent to adding any node to the network.

2. Collect the information required to configure a network printer.

4 Printer name
4 Printer server
4 Network printer access name
4 Protocol
4 Timeout
See the terms described in “Adding a Network Printer” on page 48 for more
information.

3. Define the printer name, the device, the printer type and content type by using
the lpadmin(1M) command.
a. Define the printer name and the port device the printer will use.

# lpadmin -p printer-name -v /dev/null

The device to use is /dev/null.

b. Identify the interface script the printer will use.

# lpadmin -p printer-name -i /usr/lib/lp/model/netstandard

The interface script that is supplied with the SunSoft network printer support
software is /usr/lib/lp/model/netstandard.

c. Set the printer destination, protocol, and timeout values.

# lpadmin -p printer-name -o dest=access-name:port -o protocol=protocol

-o timeout=value

54 System Administration Guide, Volume II ♦ October 1998

 Specifies the network printer name.
−p printer-name

-o dest=access-name:port Sets the printer destination to the network

printer access name and a designated
printer vendor port, if it is defined in the
printer vendor documentation. See
“Adding a Network Printer” on page 48
for more information.

-o protocol:protocol Sets the over-the-wire protocol used to

communicate with the printer. Both BSD
and raw TCP are supported.

-o timeout:value Sets a retry timeout value that represents a

number of seconds to wait between
attempting connections to the printer. See
“Adding a Network Printer” on page 48
for more information.

d. Specify the file content types of the printer and the printer type.

# lpadmin -p printer-name -I content-type -T printer-type

4. Add filters to the print server by using the lpfilter(1M) command.

# cd /etc/lp/fd
# for filter in *.fd;do
> name=‘basename $filter .fd‘
> lpfilter -f $name -F $filter
> done

5. Enable the printer to accept printer requests and to print the requests.

Setting Up Printers (Tasks) 55

 # accept printer-name
# enable printer-name

6. Verify the printer is correctly configured by using the lpfilter(1M)

command.

# lpstat -p printer-name

7. Add client access to the new printer.

Now that the printer has been added, create access to the printer for the clients.
See “Setting Up a Print Client” on page 41.

8. Optional tasks to complete.

There are several optional tasks you may want to complete when setting up a
printer. See “Setting Up Printing Task Map” on page 33 for pointers to the
remaining tasks.

The commands in this example must be executed on the print server. The following
information is used in the example and may change depending on your situation:

4 Printer name: luna1

4 Server: saturn
4 Network printer access name: nimquat:9100
4 Protocol: tcp
4 Timeout: 5
4 Interface: /usr/lib/lp/model/netstandard
4 Printer type: PS
4 Content types: postscript
4 Device: /dev/null
13
# lpadmin -p luna1 -v /dev/null
14
# lpadmin -p luna1 -i /usr/lib/lp/model/netstandard
15
# lpadmin -p luna1 -o dest=nimquat:9100 -o protocol=tcp -o timeout=5

13. Defines printer name; sets the device to /dev/null.

14. Defines the interface script for network printers.
15. Sets the destination, protocol and timeout.

(continued)

56 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

16
# lpadmin -p luna1 -I postscript -T PS
# cd /etc/lp/fd
17
# for filter in *.fd;do
> name=‘basename $filter .fd‘
> lpfilter -f $name -F $filter
> done
18
# accept luna1 destination "luna1" now accepting requests
# enable luna1 printer "luna1" now enabled
19
# lpadmin -p luna1 -D "Room 1954 ps"
20
# lpstat -p luna1
printer luna1 is idle. enabled since Jun 16 10:25 1998.
available.

16. Specifies the file content types to which the printer can print directly, and the printer type.
17. Adds print filters to the print server.
18. Accepts print requests for the printer and enables the printer.
19. Adds a description for the printer.
20. Verifies that the printer is ready.

Setting Up Printers (Tasks) 57

58 System Administration Guide, Volume II ♦ October 1998
CHAPTER 4

Administering Printers (Tasks)

This chapter provides the procedures to administer printers. This is a list of the
step-by-step instructions in this chapter.
4 “How to Delete a Printer and Remote Printer Access” on page 60
4 “How to Check the Status of Printers” on page 63
4 “How to Stop the Print Scheduler” on page 65
4 “How to Restart the Print Scheduler” on page 66
4 “How to Add a Printer Description” on page 66
4 “How to Set a System’s Default Printer” on page 68
4 “How to Make Banner Pages Optional” on page 69
4 “How to Turn Off Banner Pages” on page 70
4 “How to Define a Class of Printers” on page 71
4 “How to Set Fault Alerts for a Printer” on page 72
4 “How to Set Printer Fault Recovery” on page 75
4 “How to Limit User Access to a Printer” on page 77
4 “How to Check the Status of Print Requests” on page 79
4 “How to Accept or Reject Print Requests for a Printer” on page 81
4 “How to Enable or Disable a Printer” on page 84
4 “How to Cancel a Print Request” on page 85
4 “How to Cancel a Print Request From a Specific User” on page 86
4 “How to Move Print Requests to Another Printer” on page 88
4 “How to Change the Priority of a Print Request” on page 89
For overview information about printing and the LP print service, see Chapter 1.

59
 Managing Printers and the Print
Scheduler
This section provides instructions for day-to-day tasks you perform to manage
printers and the print scheduler.

Deleting Printers and Printer Access

If a printer needs to be replaced or you want to move the printer to a different
location, you must delete the printer information from the LP print service before
you physically remove it from the print server. You should also make sure that all
the current print requests on the printer are printed or moved to another printer to
be printed.
Not only does the printer information need to be deleted from the print server, but it
also needs to be deleted from the print clients or network name service. If you delete
a local printer from a print server, you should delete the remote printer entry from
the print clients or network name service. If you move a printer to another print
server, you need to delete the old remote print entry from the print clients or
network name service and add access to the remote printer in its new location.
See “How to Delete a Printer and Remote Printer Access” on page 60 for detailed
information on how to delete a local and remote printer. You can use Admintool to
delete a local or remote printer; however, Admintool does not enable you to move
queued print requests to another printer.

How to Delete a Printer and Remote Printer

Access
1. Log in as superuser or lp on a print client that has access to the printer you
want to delete.

2. Delete information about the printer from the print client.

print-client# lpadmin -x printer-name

60 System Administration Guide, Volume II ♦ October 1998

 -x Deletes the specified printer.

printer-name Name of the printer you want to delete.

Information for the specified printer is deleted from the print client’s
/etc/lp/printers directory.

3. If the print client does not use another printer on the same print server, delete
information about the print server from the print client.

print-client# lpsystem -r print-server

-r Removes the specified print server.

print-server Name of the print server you want to delete.

The print server is deleted from the print client’s /etc/lp/Systems file.

4. Repeat Step 2 on page 60 through Step 3 on page 61 on each print client that
has access to the printer.

5. Log in as superuser or lp on the print server.

6. Stop accepting print requests on the printer.

print-server# reject printer-name

reject printer-name Rejects print requests for the specified printer.

This step prevents any new requests from entering the printer’s queue while you
are in the process of removing the printer. See “How to Accept or Reject Print
Requests for a Printer” on page 81 for a detailed description.

7. Stop the printer.

print-server# disable printer-name

Administering Printers (Tasks) 61

 This step stops print requests from printing. See “How to Enable or Disable a
Printer” on page 84 for a detailed description on how to stop printing.

8. Move any print requests that are still in the queue to another printer.
See “How to Move Print Requests to Another Printer” on page 88 for a detailed
description on how to move print requests to another printer.

9. Delete the printer from the print server.

print-server# lpadmin -x printer-name

Configuration information for the printer is deleted from the print server’s
/etc/lp/printers directory.

10. Delete information about the print clients that were using the printer you just
deleted, unless they are still using another printer on the print server.

print-server# lpsystem -r print-client1 [,print-client2...]

-r Removes the specified print client.

print-client Name of the print client you want to delete from the print server.
You can specify multiple print clients in this command. Use a space
or a comma to separate print client names. If you use spaces, enclose
the list of print clients in quotes.

The specified print clients are deleted from the print server’s /etc/lp/Systems
file.

11. Verify the printer information has been deleted.

a. Check the printer information has been deleted on the print client.

print-client$ lpstat -p printer-name -l

You should receive an error indicating that the printer does not exist in the
output of the above command.

b. Check the printer information has been deleted on the print server.

print-server$ lpstat -p printer-name -l

62 System Administration Guide, Volume II ♦ October 1998

 You should receive an error indicating that the printer does not exist in the
output of the above command.

Example—Deleting a Printer and Remote Printer Access

In the following example, the commands delete the printer luna from the print
client terra and from the print server jupiter, and also delete the print client
terra from the print server.

terra# lpadmin -x luna

Removed ‘‘luna’’.
terra# lpstat -p luna -l
jupiter# lpadmin -x luna
jupiter# lpsystem -r terra
Removed ‘‘terra’’.
jupiter# lpstat -p luna -l

Checking Printer Status

Many routine printer administration tasks require information about the status of the
LP print service or a specific printer. For example, you may need to determine which
printers are available for use and examine the characteristics of those printers. You
can use the lpstat command to find out status information about the LP print
service or a specific printer.

How to Check the Status of Printers

1. Log in on any system on the network.

2. Check the status of printers by using the lpstat command.

Only the most commonly used options are shown here. See lpstat(1) for other
options.

$ lpstat [-d] [-p printer-name [-D] [-l]] [-t]

Administering Printers (Tasks) 63

 Shows the system’s default printer.
−d

Shows if a printer is active or idle, when it was enabled or

−p printer-name disabled, and whether it is accepting print requests.
You can specify multiple printer names with this command.
Use a space or a comma to separate printer names. If you use
spaces, enclose the list of printer names in quotes. If you don’t
specify printer-name, the status of all printers is displayed.

Shows the description of the specified printer-name.

−D

Shows the characteristics of the specified printer-name.

−l

Shows status information about the LP print service,

−t
including the status of all printers: whether they are active
and whether they are accepting print requests.

Examples—Checking the Status of Printers

In the following example, the command requests the name of the system’s default
printer.

$ lpstat -d
system default destination: luna

In the following example, the command requests the status of the printer luna.

$ lpstat -p luna
printer luna is idle. enabled since Jun 16 10:09 1998. available.

In the following example, the command requests a description of the printers

asteroid and luna.

$ lpstat -p "asteroid luna" -D

printer asteroid faulted. enabled since Jun 16 10:09 1998. available.
unable to print: paper misfeed jam

Description: Printer by break room.

printer luna is idle. enabled since Jun 16 10:09 1998. available.
Description: Printer by server room.

64 System Administration Guide, Volume II ♦ October 1998

In the following example, the command requests the characteristics of the printer
luna.

$ lpstat -p luna -l
printer luna is idle. enabled since Jun 16 10:11 1998.
available.
Content types: any
Printer types: unknown
Description: Printer by server room.
Users allowed:
(all)
Forms allowed:
(none)
Banner not required
Character sets:
(none)
Default pitch:
Default page size:

Restarting the Print Scheduler

The print scheduler, lpsched, handles print requests on print servers. However,
there may be times when the print scheduler stops running on a system, so print
requests stop being accepted or printed.
To restart the print scheduler, you can use the /usr/lib/lp/lpsched command. If
a print request was printing when the print scheduler stopped running, the print
request will be printed in its entirety when you restart the print scheduler.

How to Stop the Print Scheduler

1. Log in as superuser or lp on the print server.

2. Check to see if the print scheduler is running.

# lpstat -r

If the print scheduler is not running, the message scheduler is not running
is displayed.

3. If the print scheduler is running, stop it.

# /usr/lib/lp/lpshut

Administering Printers (Tasks) 65

 How to Restart the Print Scheduler
1. Log in as superuser or lp on the print server.

2. Check to see if the print scheduler is running.

# lpstat -r

If the print scheduler is not running, the message scheduler is not running
is displayed.

3. If the print scheduler is not running, start it.

# /usr/lib/lp/lpsched

Setting or Resetting Miscellaneous

Printer Definitions
This section provides step-by-step instructions on setting or resetting printer
definitions. Some of the following printer definitions can be set using Admintool or
Solstice Printer Manager. The procedures below use the lp commands to quickly set
or reset printer definitions.

How to Add a Printer Description

1. Log in as superuser or lp on the print server.

2. Add a printer description by using the lpadmin(1M) command.

# lpadmin -p printer-name -D "comment"

-p printer-name Name of the printer for which you are adding a description.

-D "comment" Specifies the characteristics of the printer, such as location or

administrative contact. Enclose characters that the shell might
interpret (like *, ?, \, !, ^) in single quotation marks.

66 System Administration Guide, Volume II ♦ October 1998

 The printer description is added in the print server’s
/etc/lp/printers/printer-name/comment file.

3. Verify the Description information is correct.

$ lpstat -p printer-name -l

Example—Adding a Printer Description

In the following example, the command adds a printer description for the printer
luna.

# lpadmin -p luna -D "Nathans office"

Setting Up a Default Printer Destination

You can specify a default printer destination for a system so you don’t need to type
the printer name when using the print commands. Before you can designate a
printer as the default, the printer must be known to the print service on the system.
You can set a system’s default printer destination by setting any of the following:
4 LPDEST environment variable
4 PRINTER environment variable
4 System’s default printer (by using the lpadmin -d command or Admintool)
When an application provides a printer destination, that destination is used by the
print service, regardless of whether you have set a system’s default printer
destination. If an application doesn’t provide a printer destination or if you don’t
provide a printer name when using a print command, the print command searches
for the default printer in a specific order. Table 4–1 shows the search order for a
system’s default printer destination.

TABLE 4–1 Search Order for Default Printer Destinations

Using SunOS/BSD Compatibility

Search Order Using /usr/bin/lp Command Commands (lpr, lpq, and lprm)

First LPDEST variable PRINTER variable

Second PRINTER variable LPDEST variable

Third System’s default printer System’s default printer

Administering Printers (Tasks) 67

 How to Set a System’s Default Printer
1. Log in as superuser or lp on the system for which you want to set a default
printer.

2. Set the system’s default printer by using the lpadmin command.

# lpadmin -d [printer-name]

-d printer-name Name of the printer you are assigning as the system’s

default printer. If you don’t specify printer-name, the system
is set up with no default printer.

The default printer name is entered in the system’s /etc/lp/default file.

3. Check the system’s default printer by using the lpstat command.

$ lpstat -d

Example—Setting a System’s Default Printer

In the following example, the command sets the printer luna as the system’s default
printer. This means that luna will be used as the system’s default printer if the
LPDEST or PRINTER environment variables are not set.

# lpadmin -d luna
# lpstat -d
system default destination: luna

Printing Banner Pages

A banner page identifies who submitted the print request, the print request ID, and
when the request was printed. A banner page will also have a modifiable title to
help users identify their printouts.
Banner pages make identifying the owner of a print job easy, which is especially
helpful when many users submit jobs to the same printer. Printing banner pages uses
more paper, however, and may not be necessary if a printer has only a few users. In
some cases, printing banner pages is undesirable. For example, if a printer has
special paper or forms mounted, like paycheck forms, printing banner pages may
cause problems.
By default, the print service forces banner pages to be printed. However, you can
give users a choice to turn off printing of a banner page when they submit a print

68 System Administration Guide, Volume II ♦ October 1998

request. You can set this choice through the lpadmin command or through
Admintool. If you give the users a choice, they have to use the −o nobanner option
to turn off printing of a banner page.
Also, you can turn off banner pages for a printer so they are never printed. This is
important if you have a situation where you don’t need or want banner pages. You
can turn off banner page printing through the command line interface only. For
step-by-step command-line instructions, see “How to Turn Off Banner Pages” on
page 70.

How to Make Banner Pages Optional

1. Log in as superuser or lp on the print server.

2. Make banner pages optional by using the lpadmin command.

# lpadmin -p printer-name -o nobanner

-p printer-name Name of the printer for which you are making banner pages
optional.

-o nobanner Enables users to specify no banner page when they submit a

print request.

If you want to force a banner page to print with every print request, specify the
−o banner option.
The banner page setting is entered in the print server’s
/etc/lp/printers/printer-name/configuration file.

3. Verify the output from the following command contains the line
Banner not required.

$ lpstat -p printer-name -l

Example—Making Banner Pages Optional

In the following example, the command enables users to request no banner page on
the printer luna.

# lpadmin -p luna -o nobanner

Administering Printers (Tasks) 69

 How to Turn Off Banner Pages
1. Log in as superuser or lp on the print server.

2. Change directory to the /etc/lp/interfaces directory.

# cd /etc/lp/interfaces

3. Edit the file that has the name of the printer for which you want to turn off
banner pages.

4. Change the nobanner variable to yes.

nobanner="yes"

Change the nobanner variable to no if you want to turn banner pages on again.
The banner page setting is entered in the print server’s
/etc/lp/printers/printer-name/configuration file.

5. Submit a print request to the printer to make sure a banner page does not print.

Setting Up Printer Classes

The print service enables you to group several locally attached printers into one
class. You can perform this task only by using the lpadmin -c command.
When you have set up a printer class, users can then specify the class (rather than
individual printers) as the destination for a print request. The first printer in the class
that is free to print is used. The result is faster turnaround because printers are kept
as busy as possible.
There are no default printer classes known to the print service; printer classes exist
only if you define them. Here are some ways you could define printer classes:
4 By printer type (for example, PostScript)
4 By location (for example, 5th floor)
4 By work group or department (for example, Accounting)
Alternatively, a class might contain several printers that are used in a particular
order. The LP print service always checks for an available printer in the order in
which printers were added to a class. Therefore, if you want a high-speed printer to
be accessed first, you would add it to the class before you add a low-speed printer.
As a result, the high-speed printer would handle as many print requests as possible.
The low-speed printer would be reserved as a backup printer when the high-speed
printer is in use.

70 System Administration Guide, Volume II ♦ October 1998

Note - Print requests are balanced between printers in a class only for local printers.

Class names, like printer names, must be unique and may contain a maximum of 14
alphanumeric characters and underscores.
You are not obligated to define printer classes. You should add them only if you
determine that using printer classes would benefit users on the network.

How to Define a Class of Printers

1. Log in as superuser or lp on the print server.

2. Define a class of printers by using the lpadmin command.

# lpadmin -p printer-name -c printer-class

-p printer-name Name of the printer you are adding to a class of printers.

-c printer-class Name of a class of printers.

The specified printer is added to the end of the list in the class in the print
server’s /etc/lp/classes/printer-class file. If the printer class does not exist, it
is created.

3. Verify the printers in a printer class by using the lpstat command.

$ lpstat -c printer-class

Example—Defining a Class of Printers

In the following example, the command adds the printer luna in the class
roughdrafts.

# lpadmin -p luna -c roughdrafts

Setting Up Printer Fault Alerts

If you choose, the print service can notify you when it detects a printer fault. You
can select any of the following methods to receive printer fault notification with the
lpadmin -A command or with Admintool:
4 Write a message to the terminal on which root is logged in

Administering Printers (Tasks) 71

 4 Electronic mail to root
4 No notification
However, the lpadmin -A command offers you an additional option of receiving a
message specified by the program of your choice. It also enables you to selectively
turn off notification for an error that you already know about.
Unless you specify a program to deliver fault notification, the content of the fault
alert is a predefined message that says the printer has stopped printing and needs to
be fixed.
Table 4–2 lists the alert values that you can set for a printer with the lpadmin -A
command. These alert values can also be set for print wheels, font cartridges, and
forms.

TABLE 4–2 Values for Printing Problem Alerts

Value for −A alert Description

’mail [user-name]’ Send the alert message by email to root or lp on the

print server, or the specified user-name, which is a name
of a user.

’write [user-name]’ Send the alert message to the root or lp console window
on the print server, or to the console window of the
specified user-name, which is a name of a user. The
specified user must be logged in to the print server to get
the alert message.

’command’ Run the command file for each alert. The environment
variables and current directory are saved and restored
when the file is executed.

quiet Stop alerts until the fault is fixed. Use this when you
(root or specified user) receive repeated alerts.

none Do not send any alerts. This is the default if you don’t
specify fault alerts for a printer.

How to Set Fault Alerts for a Printer

1. Log in as superuser or lp on the print server.

2. Set fault alerts for a printer with the lpadmin command.

# lpadmin -p printer-name -A alert [-W minutes]

72 System Administration Guide, Volume II ♦ October 1998

 -p printer-name Name of the printer for which you are specifying an alert for
printer faults.

-A alert Specifies what kind of alert will occur when the printer faults.
See Table 4–2 for detailed information about the valid values
for alert. Some valid values are mail, write, and quiet.

-W minutes Specifies how often (in minutes) the fault alert will occur. If
you don’t specify this option, the alert is sent once.

The fault alert setting is entered in the print server’s

/etc/lp/printers/printer-name/[Link] file.

3. Check the information following the On fault heading from the output of the
following command.

$ lpstat -p printer-name -l

Examples—Setting Fault Alerts for a Printer

In the following example, the command sets up the printer mars to send fault alerts
by email to a user named joe, with reminders every 5 minutes.

# lpadmin -p mars -A ’mail joe’ -W 5

In the following example, the command sets up the printer venus to send fault
alerts to the console window, with reminders every 10 minutes.

# lpadmin -p venus -A write -W 10

In the following example, the command stops fault alerts for the printer mercury.

# lpadmin -p mercury -A none

In the following example, the command stops fault alerts until the printer venus has
been fixed.

# lpadmin -p venus -A quiet

Setting Up Printer Fault Recovery

If you choose not to send any fault notification, you may want a way to find out
about printing faults so you can correct the problem. The LP print service will not
continue to use a printer that has a fault. In addition to alerts for printer faults, you

Administering Printers (Tasks) 73

 can also provide alerts that tell the system administrator to mount print wheels, font
cartridges, and forms when print requests require them.
You can define the fault recovery options for a printer only by using the
lpadmin -F command. This task is not available in Admintool.
Printer faults can be as simple as running out of paper or needing to replace a toner
cartridge. Other more serious problems may include complete printer failure or
power failure. After you fix a printer fault, the print request that was active when the
fault occurred begins printing in one of three ways:
4 Starts printing from the beginning
4 Continues printing from the top of the page where printing stopped
4 After you enable the printer, continues printing from the top of the page where the
printing stopped
A print filter is required to continue printing from the top of a page where the
printing stopped. A print filter records the control sequences used by the printer to
track page boundaries, which the default filters used by the print service cannot do.
You will be notified by the print service if recovery cannot proceed with the specified
print filter. For information about writing filters, see “How to Create a New Print
Filter” on page 142.
If you want printing to resume immediately after a printer fault is fixed, enable the
printer by using the enable command.
Table 4–3 lists the fault recovery values you can set for a printer with the
lpadmin -F command.

TABLE 4–3 Values for Printer Fault Recovery

Value for −F recover-options Description

beginning After a fault recovery, printing restarts from the

beginning of the file.

continue After a fault recovery, printing starts at the top of the

page where the printing stopped. This recovery option
requires a print filter.

wait After a fault recovery, printing stops until you enable the
printer. After you enable the printer (enable command),
printing starts at the top of the page where printing
stopped. This recovery option requires a print filter.

74 System Administration Guide, Volume II ♦ October 1998

How to Set Printer Fault Recovery
1. Log in as superuser or lp on the print server.

2. Set up fault recovery for the printer with the lpadmin(1M) command.

# lpadmin -p printer-name -F recovery-options

-p printer-name Name of the printer for which you are specifying

fault recovery.

-F recovery-options One of the three valid recovery options:

beginning, continue, or wait.

See Table 4–3 for detailed information about the
valid values for recovery-options.

The fault recovery setting is entered in the print server’s

/etc/lp/printers/printer-name/configuration file.

3. Check the information following the After fault heading in the output of
the following command.

$ lpstat -p printer-name -l

Example—Setting Printer Fault Recovery

In the following example, the command sets up the printer luna to continue
printing at the top of the page where printing stopped.

# lpadmin -p luna -F continue

Limiting User Access to a Printer

You may want to control which users can access some or all of the available printers.
For example, you may want to prevent some users from printing on a high-quality
printer to minimize expense. To restrict user access to printers, you can create allow
and deny lists using the lpadmin -u command on the print server. (Admintool
enables you to create only allow lists.) If you create neither, a printer is available to
all users who can access the printer.
An allow list contains the names of users allowed access to the specified printer; a
deny list contains the names of users denied access to the specified printer.
The rules for allow and deny lists are:

Administering Printers (Tasks) 75

 When You ... Then ...

Do not create allow and deny lists, or if you All users may access the printer.
leave both lists empty

Specify all in the allow list All users may access the printer.

Specify all in the deny list All users, except root and lp (on the server),
are denied access to the printer.

Make any entry in the allow list The deny list is ignored. Only those users
who are listed can access the printer.

Create a deny list, but you do not create an Users who are listed in the deny list are
allow list or you leave the allow list empty denied access to the printer.

Because the print server is actually controlling access to the printer, allow and deny
lists can only be created on the print server itself. If you create allow and deny lists,
the print server will exclusively control user access to printers.
Table 4–4 lists the values you can add to an allow or deny list to limit user access to
a printer.

TABLE 4–4 Values for Allow and Deny Lists

Value for user-list Description

user User on any system

all All users on all systems

none No user on any system

system!user User on system only

!user User on local system only

all!user User on any system

all!all All users on all systems

76 System Administration Guide, Volume II ♦ October 1998

TABLE 4–4 Values for Allow and Deny Lists (continued)

Value for user-list Description

system!all All users on system

!all All users on local system

How to Limit User Access to a Printer

1. Log in as superuser or lp on the print server.

2. Allow or deny users access to a printer by using the lpadmin command.

# lpadmin -p printer-name -u allow:user-list [ deny:user-list]

-p printer-name Name of the printer to which the allow or deny user access
list applies.

-u allow:user-list User names to be added to the allow user access list. You can
specify multiple user names with this command. Use a space
or a comma to separate names. If you use spaces, enclose the
list of names in quotes.

Table 4–4 provides the valid values for user-list.

-u deny:user-list User names to be added to the deny user access list. You can
specify multiple user names with this command. Use a space
or a comma to separate names. If you use spaces, enclose the
list of names in quotes.

Table 4–4 provides the valid values for user-list.

The specified users are added to the allow or deny user access list for the printer
in one of the following files on the print server:
/etc/lp/printers/printer-name/[Link]
/etc/lp/printers/printer-name/[Link]

Administering Printers (Tasks) 77

 Note - If you specify none as the value for user-list in the allow user access list,
the following files are not created for the print server:
/etc/lp/printers/printer-name/[Link]
/etc/lp/printers/printer-name/[Link]
/etc/lp/printers/printer-name/[Link]
/etc/lp/printers/printer-name/[Link]

3. Check the information following the Users allowed or Users denied

heading in the output of the following command.

$ lpstat -p printer-name -l

Examples—Limiting User Access to a Printer

In the following example, the command allows only the users nathan and george
access to the printer luna.

# lpadmin -p luna -u allow:nathan,george

In the next example, the command denies the users nathan and george access to
the printer asteroid.

# lpadmin -p asteroid -u deny:"nathan george"

Managing Print Requests

When a user submits a print request from a print client, the print request is added to
a queue on the print server before it is sent to the printer. While a print request is in
the queue, you can cancel or gain status information on the request from a client
system. To move, hold, resume, or change the priorities of print requests you must
login to the print server. These actions can help you keep printing services operating
smoothly.

The LP commands enable you to perform all print request management tasks.
Admintool enables you to perform some print request management tasks when you

78 System Administration Guide, Volume II ♦ October 1998

modify a print server. Table 4–5 lists the print request management tasks you can
perform with Admintool.

TABLE 4–5 Print Request Management With Admintool

Task Can You Do With Admintool?

Canceling a print request No

Moving a print request No

Changing priority of print requests No

Accepting or rejecting print requests Yes

Processing or stopping printing Yes

Table 4–6 lists the values for changing the priority of a print request with the lp -H
command.

TABLE 4–6 Values for Changing the Priority of a Print Request

Value for -H change-priority Description

hold Places the print request on hold until you cancel it or

instruct the LP print service to resume printing the
request.

resume Places a print request that has been on hold back in

the queue. It will be printed according to its priority
and placement in the queue. If you put a hold on a
print job that is already printing, resume puts the
print request at the head of the queue so it becomes
the next request printed.

immediate Places a print request at the head of the queue. If a

request is already printing, you can put it on hold to
allow the next request to print immediately.

How to Check the Status of Print Requests

1. Log in on any system on the network.

2. Check the status of printers and print requests by using the lpstat command.

Administering Printers (Tasks) 79

 Only the most commonly used options are shown here. See lpstat(1) for other
valid options.

$ lpstat -o [list] | -u [user-list]

Shows the status of print requests on a specific printer. list

−o list
can be one or more printer names, printer class names, or
print request IDs.
You can specify multiple printer names, class names, and IDs
for list. Use a space or a comma to separate values. If you use
spaces, enclose the list of values in quotes.
If you don’t specify list, the status of print requests to all
printers is displayed.

Shows the status of print requests for a specific user. user-list

−u user-list
can be one or more user names.
You can specify multiple users with this command. Use a
space or a comma to separate user names. If you use spaces,
enclose the list of names in quotes.
If you don’t specify user-list, the status of print requests for
all users is displayed.

When used to check the status of print requests, the lpstat command displays
one line for each print request. From left to right, the line shows the request ID,
the user, the output size in bytes, the date and time of the request, and
information about the request, such as “being filtered.”

Examples—Checking the Status of Print Requests

In the following example, the command shows that user fred has one print request
queued to the printer luna.

$ lpstat
luna-1 fred 1261 Mar 12 17:34

In the following example, the command shows that the user paul currently has no
print requests in queue.

$ lpstat -u paul

In the following example, the command shows that there are two print requests on
the printer moon.

80 System Administration Guide, Volume II ♦ October 1998

 $ lpstat -o moon
moon-78 root 1024 Jan 14 09:07
moon-79 root 1024 Jan 14 09:08

Processing or Stopping Printing

The enable(1) and disable(1) commands (or the Process Print Requests field on
Admintool’s Modify Printer window) control whether a printer prints or stops
printing requests that are in the print queue. When you disable a printer, the printer
stops printing requests in queue; however, requests are still added to the queue. (You
must set the printer to reject print requests so requests are not added to the queue.
See “Accepting or Rejecting Print Requests” on page 82 for information about
rejecting print requests.)

You must enable the printer whenever it has been disabled, which may happen
when a printer fault occurs. When you enable a printer, it prints requests from the
print queue until the queue is empty, even if the print service rejects additional
requests for the print queue.

Figure 4–1 shows the point at which processing of print requests is interrupted when
a printer is disabled.

Print Client Print Server

enable

Print Client Print Server

disable

Figure 4–1 What Happens When a Printer Is Enabled or Disabled

How to Accept or Reject Print Requests for a

Printer
1. Log in as superuser or lp on the print server.

2. Stop accepting print requests for the printer by using the reject(1M)
command.

Administering Printers (Tasks) 81

 # reject [-r "reason"] printer-name

Provides users a reason why the printer is rejecting print

−r "reason"
requests. The reason is stored and displayed whenever a user
checks on the status of the printer (lpstat -p).

printer-name Name of the printer that will stop accepting print requests.

The queued requests will continue printing as long as the printer is enabled. For
instructions on disabling a printer so it stops printing, see “How to Enable or
Disable a Printer” on page 84.

3. Start accepting print requests for the printer by using the accept(1M)
command.

# accept printer-name

4. Check the status of the printer to see whether it is accepting or rejecting print
requests by using the lpstat command.

$ lpstat -p printer-name

Examples—Accepting or Rejecting Print Requests for a Printer

In the following example, the command stops the printer luna from accepting print
requests.

# reject -r "luna is down for repairs" luna

destination "luna" will no longer accept requests

In the following example, the command sets the printer luna to accept print requests.

# accept luna
destination "luna" now accepting requests

Accepting or Rejecting Print Requests

The accept and reject commands—or the Accept Print Requests field in
Admintool’s Modify Printer window—enable you to turn on or turn off a print
queue that stores requests to be printed.

82 System Administration Guide, Volume II ♦ October 1998

When you use the reject command, the print queue for a specified printer is
turned off—no new print requests can enter the queue on the print server. All print
requests that are in the queue are still printed. You must disable the printer if you
want it to stop printing requests that are already in the queue. Table 4–7 compares
the functions of the accept, reject, enable, and disable commands.

TABLE 4–7 Functions of accept/reject and enable/disable Commands

Command Function

accept Accept print requests that are sent to the print queue.

enable Print the requests that are in the print queue.

reject Reject print requests that are sent to the print queue.

disable Stop printing requests that are currently in the print

queue.

See “Processing or Stopping Printing” on page 81 for information about disabling a

printer.
If a print request is rejected, the print service writes or mails a message to the user
who submitted the request, saying that print requests are not being accepted for the
specified printer.
You can also specify a reason for not accepting requests through the command line.
The reason is displayed on users’ systems when one tries to check the printer’s
queue. Figure 4–2 shows the point at which processing of print requests is
interrupted when a print queue rejects print requests.

Print Client Print Server

accept

Print Client Print Server

reject

Figure 4–2 What Happens When a Print Queue Accepts or Rejects Requests

Administering Printers (Tasks) 83

 How to Enable or Disable a Printer
1. Log in as superuser or lp on the print server.

2. Stop printing print requests on the printer by using the disable command.

# disable [-c | -W] [-r "reason"] printer-name

disable Cancels the current job, then disables the printer. The current
job is saved to reprint when the printer is enabled.

Cancels the current job, then disables the printer. The current
−c
job is not printed later.

Waits until the current job is finished before disabling the

−W
printer.

Provides users with a reason why the printer is disabled. The

−r "reason"
reason is stored and displayed whenever a user checks on
the status of the printer (lpstat -p).

printer-name Name of the printer that will stop printing print requests.

Note - You cannot enable or disable classes of printers. Only individual printers
can be enabled or disabled.

3. Start printing print requests on the printer by using the enable command.

# enable printer-name

4. Verify the printer is enabled.

$ lpstat -p printer-name

Examples—Enabling or Disabling a Printer

In the following example, the command stops the current job on the printer luna,
saves it to print later, and provides a reason why the printer has stopped printing
print requests.

# disable -r "changing the form" luna

84 System Administration Guide, Volume II ♦ October 1998

In the following example, the command starts printing print requests on the printer
luna.

# enable luna
printer "luna" enabled

Canceling a Print Request

You can use the cancel(1) to cancel print requests from printer queues or to cancel
jobs that are printing. There are three ways to use the cancel command:
4 Cancel requests by request identification number (request ID)
4 Cancel requests from a specific user on all, or specified, printers
4 Cancel the job currently printing
When you use cancel, a message tells you the request(s) are canceled, and the next
request in queue is printed. You can cancel a print request only if you are:
4 The user who submitted the request and you are logged in on the system from
which you submitted the request
4 The user who submitted the request on any client system and the print server has
the “user-equivalence” option configured for the printer in it’s
/etc/[Link] file.
4 Logged in as superuser or lp on the print server.
To cancel a specific request, you need to know its request ID. The request ID is
comprised of the name of the printer, a dash, and the number of the print
request—for example, luna-185. When you submit the print request, the request ID
is displayed. If you do not remember the print request ID, you can find it by using
the lpstat command with the -o printer option.

How to Cancel a Print Request

1. If you are going to cancel print requests of other users, become superuser or lp.

2. Determine the request IDs of the print requests to cancel by using the lpstat
command.
See “How to Check the Status of Print Requests” on page 79 for more details.

3. Cancel a print request by using the cancel command.

$ cancel request-id | printer-name

Administering Printers (Tasks) 85

 request-id Request ID of a print request to be canceled. You can specify
multiple request IDs with this command. Use a space or a
comma to separate request IDs. If you use spaces, enclose the
list of request IDs in quotes.

printer-name Specifies the printer for which you want to cancel the
currently printing print request.
You can specify multiple printer names with this command.
Use a space or a comma to separate printer names. If you use
spaces, enclose the list of printer names in quotes.

4. Verify the print requests are canceled.

$ lpstat -o printer-name

Examples—Canceling a Print Request

In the following example, the command cancels the luna-3 and luna-4 print
requests.

$ cancel luna-3 luna-4

request "luna-3" cancelled
request "luna-4" cancelled

In the following example, the command cancels the print request that is currently
printing on the printer luna.

# cancel luna
request "luna-9" cancelled

How to Cancel a Print Request From a Specific

User
1. (Optional) Become superuser or lp if you are going to cancel print requests of
other users.

2. Cancel a print request from a specific user with the cancel command.

$ cancel -u user-list [printer-name]

86 System Administration Guide, Volume II ♦ October 1998

 Cancels the print request for a specified user.
−u user-list
user-list can be one or more user names. Use a space or a
comma to separate user names. If you use spaces, enclose the
list of names in quotes.

printer-name Specifies the printer for which you want to cancel the
specified user’s print requests.

printer-name can be one or more printer names. Use a space

or a comma to separate printer names. If you use spaces,
enclose the list of printer names in quotes.
If you don’t specify printer-name, the user’s print requests
will be canceled on all printers.

Examples—Canceling a Print Request From a Specific User

In the following example, the command cancels all the print requests submitted by
the user george on the printer luna.

# cancel -u george luna

request "luna-23" cancelled

In the following example, the command cancels all the print requests submitted by
the user george on all printers.

# cancel -u george
request "asteroid-3" cancelled
request "luna-8" cancelled

Moving a Print Request

If you plan to change the way a printer is used or decide to take a printer out of
service, you should set up the LP print service to reject additional print requests, and
then move or cancel any requests that are currently queued to the printer. You can
use the lpmove(1M) command to move individual or all print requests to another
local printer.
Request IDs are not changed when you move print requests, so users can still find
their requests. Print requests that have requirements (such as file content type or
forms) that cannot be met by the newly specified printer cannot be moved; they
must be canceled.

Administering Printers (Tasks) 87

 How to Move Print Requests to Another Printer
To move all print requests from one printer to another, you do not need to know the
request IDs; however, it is a good idea to see how many print requests are affected
before you move them.
1. Log in as superuser or lp on the print server.

2. (Optional) Check the request IDs of the print requests on the original printer.

# lpstat -o printer-name1

3. (Optional) Check if the destination printer is accepting print requests.

# lpstat -p printer-name2

Name of the printer to which you are moving the print

−p printer-name2
requests.

4. Move all the print requests from the original printer to the destination printer.

# lpmove printer-name1 printer-name2

printer-name1 Name of the printer from which all print requests will be
moved.

printer-name2 Name of the printer to which all print requests will be moved.

If some requests cannot be printed on the destination printer, they are left in the
original printer’s queue. By using request IDs, you can also move specific print
requests to another printer with the lpmove command.

5. Start accepting print requests on the original printer.

If you move all the print requests to another printer, the lpmove command
automatically stops accepting print requests for the printer. This step is necessary
if you want to begin accepting new print requests for the printer.

# accept printer-name1

88 System Administration Guide, Volume II ♦ October 1998

6. Check for any remaining print requests in the original printer’s queue by using
the following command.

$ lpq -P printer-name1

Make sure all specified print requests were moved to the destination printer’s
queue by using the following command.

$ lpq -P printer-name2

Example—Moving Print Requests to Another Printer

In the following example, the lpmove command moves print requests from the
printer luna to the printer terra, and the accept command tells the original
printer luna to resume accepting print requests.

# lpmove luna terra

# accept luna

Changing the Priority of Print Requests

After a user has submitted a print request, you can change its priority in the print
server’s queue by:

4 Putting any print request on hold if it has not finished printing. Putting a request
on hold stops it, if it is currently printing, and keeps it from printing until you
resume printing it. Other print requests go ahead of the on-hold request.

4 Moving any print request to the head of the queue, where it will be the next job
eligible for printing. If you want a job to start printing immediately, you can
interrupt the job that is currently printing by putting it on hold.

4 Changing the priority of a job still waiting to be printed, moving it in the queue so
it is ahead of lower priority requests and behind requests at the same level or at a
higher priority.

How to Change the Priority of a Print Request

1. Log in as superuser or lp on the print server that is holding the print request.

2. Determine the request IDs of the print requests whose priority you want to
change by using the lpstat command.
See “How to Check the Status of Print Requests” on page 79 for more information.

Administering Printers (Tasks) 89

 3. Change the priority of a print request by using the lp command.

# lp -i request-id -H change-priority

Request ID of a print request you want to change.

−i request-id
You can specify multiple request IDs with this command.
Use a space or a comma to separate request IDs. If you
use spaces, enclose the list of request IDs in quotes.

One of the three ways to change the priority of a print

−H change-priority
request: hold, resume, immediate.
See Table 4–6 for detailed information about valid values
for change-priority.

You can also use the lp -q command to change the priority level of a specified
print request. You can change the priority level from 0, the highest priority, to 39,
the lowest priority.

Example—Changing the Priority of a Print Request

In the following example, the command changes a print request with the request ID
asteroid-79, to priority level 1.

# lp -i asteroid-79 -q 1

90 System Administration Guide, Volume II ♦ October 1998

CHAPTER 5

Managing Character Sets, Filters, Forms,

and Fonts (Tasks)

This chapter provides background information and step-by-step instructions for

setting up and administering character sets, print filters, forms, and fonts.
This is a list of the step-by-step instructions in this chapter.
4 “How to Define a Print Wheel or Font Cartridge” on page 94
4 “How to Unmount and Mount a Print Wheel or Font Cartridge” on page 95
4 “How to Set an Alert to Mount a Print Wheel or Font Cartridge” on page 96
4 “How to Set Up an Alias for a Selectable Character Set” on page 98
4 “How to Add a Print Filter” on page 102
4 “How to Delete a Print Filter” on page 103
4 “How to View Information About a Print Filter” on page 103
4 “How to Add a Form” on page 107
4 “How to Delete a Form” on page 108
4 “How to Unmount and Mount a Form” on page 108
4 “How to Set an Alert to Mount a Form” on page 110
4 “How to View Information About a Form” on page 112
4 “How to View the Current Status of a Form” on page 113
4 “How to Limit User Access to a Form” on page 113
4 “How to Limit Printer Access to a Form” on page 114
4 “How to Install Downloaded PostScript Fonts” on page 118
4 “How to Install Host-Resident PostScript Fonts” on page 118
For overview information about printing, see Chapter 1.

91
 Managing Character Sets
Printers differ in the method they use to print text in various font styles. For
example, PostScript printers treat text as graphics. These printers can generate text in
different fonts, and place the text in any position, size, or orientation on the page.
Other types of printers support a more limited number of font styles and sizes, using
either print wheels, font cartridges, or preprogrammed selectable character sets.
Usually, only one of these printing methods applies to a given printer type.
Print wheels and font cartridges, from the perspective of the LP print service, are
similar, because someone must intervene and mount the hardware on the printer,
when needed. Character sets that require you to physically mount a wheel or
cartridge are referred to as hardware character sets. Character sets that do not require
hardware mounting, that come preprogrammed with the printer, and can be selected
by a print request, are referred to as software character sets.
When you set up a non-PostScript printer, you need to tell the LP print service which
print wheels or selectable character sets are available to users. When users submit
print requests, the lp -S command enables them to specify a print wheel or
selectable character set to use for the print job. Users do not have to know which
type of character set applies; they just refer to the font style by the name you have
defined. For example, you may have defined a print wheel as gothic. To request the
gothic print wheel, the user would enter lp -S gothic.

Selectable Character Sets

The selectable character sets supported by a printer are listed in the terminfo entry
for that printer. For example, the entry for the ln03 printer is
/usr/share/lib/terminfo/l/ln03. You can find the names of selectable
character sets for any printer type in the terminfo database by using the tput
command. The syntax for the tput command is:

tput -T printer-type csn

The csn option is an abbreviation for character set number. The number starts with 0,
which is always the default character set number after the printer is initialized. You
can repeat the command, using −1, −2, −3, and so on in place of the −0, to display
the names of the other character sets. For each selectable character set, a terminfo
name (for example, usascii, english, finnish, and so forth) is returned.
In general, the terminfo character set names should closely match the character set
names used in the manufacturer’s documentation for the printer. Because
manufacturers do not all use the same character set names, the terminfo character
set names may differ from one printer type to the next.

92 System Administration Guide, Volume II ♦ October 1998

You do not have to register the selectable character set names with the LP print
service. However, you can give them more meaningful names or aliases.

Note - If you do not specify the selectable character sets that can be used with a
printer, the LP print service assumes that the printer can accept any character set
name (such as cs0, cs1, or cs2) or the terminfo name known for the printer.

Users can use the lpstat -p -l command to display the names of the selectable
character sets that you have defined for each printer on a print server.

Note - Character sets for PostScript printers are not listed when you use the
lpstat -p -l command because the PostScript fonts are controlled by PostScript
filters, not by entries in the terminfo database. See “Managing Fonts” on page 115
for information about how to administer PostScript fonts.

Hardware-Mounted Character Sets

Another method to obtain alternative character sets is to use removable print wheels
or font cartridges that you physically attach, or mount, in a printer.
To administer hardware-mounted character sets, you inform the LP print service of
the names you want to use for the available print wheels, and how you want to be
alerted when a printer needs a different print wheel. Then, when a user requests a
particular character set with the lp -S command, the scheduler sends an alert to
mount the print wheel, and the print request is placed in the print queue. When you
mount the correct print wheel and tell the LP print service that the print wheel is
mounted, the job is printed. See “How to Unmount and Mount a Print Wheel or
Font Cartridge” on page 95 for more information.
If you do not specify multiple print wheels or cartridges for a printer, the LP print
service assumes that the printer has a single, fixed print wheel or cartridge, and
users cannot specify a special print wheel or cartridge when using the printer.
Unlike selectable character sets, the names you use for print wheels or cartridges are
not tied to entries in the terminfo database. Print wheel or cartridge names are
used only for the purpose of communicating with the LP print service and its users.
The names you choose for print wheels or cartridges, however, should have meaning
to the users; the names should refer to font styles. In addition, the names should be
the same across printers that have similar print wheels or cartridges, or selectable
character sets. That way, users can ask for a font style (character set) without regard
to which printer—or even whether a print wheel or cartridges—or selectable
character set will be used.
Of course, you and the printer users should agree on the meanings of print wheel or
cartridge names. Otherwise, what a user asks for and what you mount, may not be
the same character set.

Managing Character Sets, Filters, Forms, and Fonts (Tasks) 93

 Tracking Print Wheels
The procedure for tracking print wheels is similar to the procedure for tracking
forms. Some printers (usually letter-quality printers) have removable print heads,
such as print wheels or print cartridges, that provide a particular font or character
set. A user can request a named character set. If that character set is not available,
the LP print service notifies root of the request. The job is stored in the print queue
until the print wheel is changed.

Alerts for Mounting Print Wheels or Cartridges

You request alerts for mounting print wheels or cartridges in the same way you
request other alerts from the LP print service. See “Setting Up Printer Fault Alerts”
on page 71 for general information about alerts.

How to Define a Print Wheel or Font Cartridge

1. Log in as superuser or lp on the print server.

2. Define a print wheel or font cartridge that can be used with the printer.

print-server# lpadmin -p printer-name -S hard-charset1[,hard-charset2...]

-p printer-name Name of the printer for which you are defining a print wheel
or font cartridge.

-s hard-charset Hardware character set name of the print wheel or font

cartridge.
You can specify multiple hardware character sets with this
command. Use commas or spaces to separate character set
names. If you use spaces, enclose the list of character set
names in quotes.
Define names that are meaningful to users, and inform the
users of the names.

The print wheel or font cartridge definition is added in the print server’s
/etc/lp/printers/printer-name/configuration file.

3. Log in as superuser or lp on a system that is a print client of the print server.

4. Define the same print wheel or font cartridge for the print client.

94 System Administration Guide, Volume II ♦ October 1998

 print-client# lpadmin -p printer-name -S hard-charset1[,hard-charset2...]

In this command, the variables are the same as those in Step 2 on page 94.
The print wheel or font cartridge definition is added in the print client’s
/etc/lp/printers/printer-name/configuration file.

5. Repeat Step 3 on page 94 and Step 4 on page 94 for each print client that may
need to use the print wheel or font cartridge.

6. Verify the information following the Character sets heading in the

following output is correct on both the print server and the print client.

$ lpstat -p printer-name -l

Example—Defining a Print Wheel

In the following example, the command defines the pica print wheel on the printer
luna for a print client named asteroid.

asteroid# lpadmin -p luna -S pica

How to Unmount and Mount a Print Wheel or

Font Cartridge
1. Log in as superuser or lp on the print server.

2. Unmount the print wheel or font cartridge that is in the printer by using the
lpadmin command.

# lpadmin -p printer-name -M -S none

-p printer-name Printer on which you are unmounting a print wheel or font

cartridge.

-M -S none Specifies unmounting the current print wheel or font

cartridge.

The current print wheel or font cartridge is deleted from the print server’s
/etc/lp/printers/printer-name/configuration file.

3. Remove the print wheel or font cartridge from the printer.

Managing Character Sets, Filters, Forms, and Fonts (Tasks) 95

 4. Put the new print wheel or font cartridge in the printer.

5. Mount the new print wheel or font cartridge by using the lpadmin command.

# lpadmin -p printer-name -M -S hard-charset

-p printer-name Printer on which you are mounting a print wheel or font

cartridge.

-M -S hard-charset Hardware character set name of the print wheel or font

cartridge you want to mount.

The print wheel or font cartridge is added in the print server’s

/etc/lp/printers/printer-name/configuration file. The mounted print
wheel or font cartridge remains active until it is unmounted or until a new print
wheel or font cartridge is mounted.

6. Check the information under the Print wheels or Character set heading
in the output of the following command. You should see the name of the print
wheel or character set and the notation (mounted)

$ lpstat -p printer-name -l

Example—Unmounting and Mounting a Print Wheel

In the following example, the commands unmount the current print wheel on the
printer luna and mount the pica print wheel.

# lpadmin -p luna -M -S none

# lpadmin -p luna -M -S pica

How to Set an Alert to Mount a Print Wheel or

Font Cartridge
1. Log in as superuser or lp on the print server.

2. Set an alert to mount a print wheel or font cartridge by using the

lpadmin(1M) command.

96 System Administration Guide, Volume II ♦ October 1998

 # lpadmin -S hard-charset -A alert [-Q requests] [-W minutes]

-S hard-charset Hardware character set name of the print wheel or font

cartridge for which you want to set an alert.

-A alert Specifies what kind of alert will occur when a print wheel or
font cartridge is requested. See Table 4–2 for detailed
information about the valid values for alert. Some valid
values are mail, write, and quiet.
If you specify mail or write, a predefined alert message
says to mount the specified print wheel or font cartridge and
includes the names of one or more printers that have been set
up to use such a print wheel or cartridge.

-Q requests Specifies the number of print requests that require the print
wheel or font cartridge that must be in the queue before an
alert occurs. If you don’t specify this option, only one print
request in the queue triggers an alert.

-W minutes Specifies how often (in minutes) the alert will occur. If you
don’t specify this option, the alert is sent only once.

The alert is added in the print server’s

/etc/lp/pwheels/charset-name/[Link] file.

3. Verify that the alert has been added for the print wheel or font cartridge by
checking the output of the following command.

# lpadmin -S hard-charset -A list

Otherwise, if you have set a low number of print requests to trigger the alert,
submit enough print requests to meet the minimum requirement and make sure
you receive an alert to mount the print wheel or font cartridge.

Examples—Setting an Alert to Mount a Print Wheel or Font

Cartridge
In the following example, the command sets email alerts to occur every five minutes
for the elite print wheel when there are ten print requests for elite in the print
queue.

# lpadmin -S elite -A mail -Q 10 -W 5

In the following example, the command sets email alerts to occur every minute for
the finnish font cartridge when there are five print requests for finnish in the
print queue.

Managing Character Sets, Filters, Forms, and Fonts (Tasks) 97

 # lpadmin -S finnish -A mail -Q 5 -W 1

In the following example, the command sets console-window alerts to occur every 10
minutes for the elite print wheel when there are five print requests for elite in
the print queue.

# lpadmin -S elite -A write -Q 5 -W 10

In the following example, the command sets no alerts to occur for the elite print
wheel.

# lpadmin -S elite -A none

How to Set Up an Alias for a Selectable Character

Set
Note - You do not need to perform this procedure if the terminfo(4) names for the
selectable character sets are adequate. See “Adding a terminfo Entry for an
Unsupported Printer” on page 124 for more information on using the terminfo
database.

1. Log in as superuser or lp on the print server.

2. Display the names of the selectable character sets for the specified printer type
by using the tput(1) command.

# tput -T printer-type csn

-T printer-type Printer type found in the terminfo database. See “Printer

Type” on page 24 for information on entries in the
terminfo database.

Number (0, 1, 2, 3, 4, 5, and so on) that represents a

n
selectable character set for the specified printer type. The
system displays the selectable character set name followed by
the prompt symbol. For example, cs1 could cause the
system to display english#.

3. Set up an alias for a selectable character set.

# lpadmin -p printer-name -S select-charset1=alias1[,select-charset2=alias2...]

98 System Administration Guide, Volume II ♦ October 1998

 -p printer-name Printer on which you are setting up aliases for selectable
character sets.

-S select-charset Selectable character set name for which to set an alias. The
name can be found in Step 2 on page 98.

Alias for the specified selectable character set. This alias can
alias
be used in addition to the selectable character set name.
You can set up more than one alias with this command. Use
commas or spaces to separate the aliases. If you use spaces,
enclose the list of aliases in quotes.

The alias is added in the print server’s

/etc/lp/printers/printer-name/configuration file.

4. Log in as superuser or lp on a system that is a print client of the print server.

5. Set up an alias for the selectable character set.

# lpadmin -p printer-name -S select-charset1=alias1[,select-charset2=alias2...]

In this command, the variables are the same as those in Step 3 on page 98.
The alias is added in the print client’s
/etc/lp/printers/printer-name/configuration file.

6. Repeat Step 4 on page 99 and Step 5 on page 99 for each print client that may
need to use the alias.

7. Verify that the selectable character set alias is listed in the output of the
following command on the print server and print clients.

$ lpstat -p printer-name -l

Otherwise, submit a print request that uses the alias for the selectable character
set and check for output.

Example—Setting Up an Alias for a Selectable Character Set

In the following example, the commands display the names of selectable character
sets and specify text as an alias for the usascii selectable character set on the
printer luna, which is an ln03 printer type.

# tput -T ln03 cs0

usascii# tput -T ln03 cs1
english# tput -T ln03 csn2

Managing Character Sets, Filters, Forms, and Fonts (Tasks) 99

 (Continuation)

finnish# tput -T ln03 csn3

japanese# tput -T ln03 cs4
norwegian#
# lpadmin -p luna -S usascii=text

Managing Print Filters

Print filters are programs that convert the content type of a file to a content type that
is acceptable to the destination printer. The LP print service uses filters to:
4 Convert a file from one data format to another so it can be printed properly on a
specific type of printer
4 Handle the special modes of printing, like two-sided printing, landscape printing,
or draft- and letter-quality printing
4 Detect printer faults and notify the LP print service of them so the print service
can alert users and system administrators
Not every print filter can perform all these tasks. Because each task is
printer-specific, the tasks can be implemented separately.
The LP print service provides the PostScript filters listed in Table 5–1. The filter
programs are located in the /usr/lib/lp/postscript directory. For PostScript
printing, you usually do not need to do anything beyond installing the filter
programs when setting up a print server. Admintool automatically enables the
supplied filters. However, if you administer other printers, you may need to
administer print filters for them.

Creating Print Filters

To create a new print filter, you must write a print filter program and create a print
filter definition. Filters contain input types, output types, and complex options that
provide a language to process command-line arguments within the filter. See
“Creating a New Print Filter” on page 133 for background information and
step-by-step instructions.

100 System Administration Guide, Volume II ♦ October 1998

Adding, Changing, Removing, and Restoring Print
Filters
Print filters are added, changed, or removed on the print server only.

You use the lpfilter(1M) command to manage the list of available filters. System
information about filters is stored in the /etc/lp/[Link] file. The
lpfilter command gets the information about filters to write to the table from filter
descriptor files. The filter descriptor files supplied (PostScript only) are located in the
/etc/lp/fd directory. The actual filter programs are located under /usr/lib/lp.

The LP print service imposes no fixed limit on the number of print filters you can
define. You may remove filters that are no longer used to avoid extra processing by
the LP print service. (LP examines all filters to find one that works for a specific print
request.) If in doubt, do not remove a filter.

As you add, change, or delete filters, you may overwrite or remove some of the
original filters provided by the LP print service. You can restore the original set of
filters, if necessary, and remove any filters you have added.

SunOS 5.7 system software provides a default set of PostScript filters, which
Admintool automatically adds to a print server. Some of the TranScript filters used
with SunOS 4.1 have SunOS 5.7 equivalents, but others do not. Table 5–1 lists the
default PostScript filters and identifies the TranScript filters, where applicable.

TABLE 5–1 Default PostScript Filters

Filter Action TranScript Equivalent

download Download fonts

dpost ditroff to PostScript psdit

postdaisy daisy to PostScript

postdmd dmd to PostScript

Serial interface for PostScript printer pscomm

postio

postior Communicate with printer

postmd Matrix gray scales to PostScript

postplot plot to PostScript psplot

Managing Character Sets, Filters, Forms, and Fonts (Tasks) 101

 TABLE 5–1 Default PostScript Filters (continued)

Filter Action TranScript Equivalent

postprint simple to PostScript enscript

postreverse Reverse or select pages psrev

posttek TEK4014 to PostScript ps4014

SunOS 5.7 does not provide the following filters:

4 TEX
4 oscat (NeWSprint opost)
4 Enscript
The postreverse, postprint, postio, and dpost filters are provided in place of
Enscript.
Admintool adds the default PostScript filters to a print server. If you have printing
needs that are not met by these filters, see “How to Create a New Print Filter” on
page 142 for information about writing a custom print filter.

How to Add a Print Filter

1. Log in as superuser or lp on the print server.

2. Add a print filter that is based on a print filter definition by using the
lpfilter command.

# lpfilter -f filter-name -F filter-def

-f filter-name Name you choose for the print filter.

-F filter-def Name of the print filter definition.

The print filter is added in the print server’s /etc/lp/[Link] file.

3. Verify that the print filter was added by checking for information about the
print filter in the output of the following command.

# lpfilter -f filter-name -l

102 System Administration Guide, Volume II ♦ October 1998

Example—Adding a Print Filter
In the following example, the command adds the daisytroff print filter that has
the [Link] print filter definition.

# lpfilter -f daisytroff -F /etc/lp/fd/[Link]

How to Delete a Print Filter

1. Log in as superuser or lp on the print server.

2. Delete the print filter by using the lpfilter command.

# lpfilter -f filter-name -x

-f filter-name Name of the print filter to be deleted.

-x Deletes the specified filter.

The print filter is deleted from the print server’s /etc/lp/[Link] file.

3. Verify that filter was deleted by using the following command. You should
receive an error indicating that no filter by the specified name exists.

# lpfilter -f filter-name -l

Example—Deleting a Print Filter

In the following example, the command deletes the daisytroff print filter.

# lpfilter -f daisytroff -x

How to View Information About a Print Filter

1. Log in as superuser or lp on the print server.

2. Request information about a print filter by using the lpfilter command.

# lpfilter -f filter-name -l

Managing Character Sets, Filters, Forms, and Fonts (Tasks) 103

 -f filter-name Print filter for which you want to view information. Specify
all for filter-name to view information about all the available
print filters.

-l Displays information about the specified filter.

Information about the specified print filter(s) is displayed.

Examples—Viewing Information About a Print Filter

In the following example, the command requests information for the postdaisy
print filter, and the information that is displayed in response.

# lpfilter -f postdaisy -l
Input types: daisy
Output types: postscript
Printer types: any
Printers: any
Filter type: slow
Command: /usr/lib/lp/postscript/postdaisy
Options: PAGES * = -o*
Options: COPIES * = -c*
Options: MODES group = -n2
Options: MODES group\=\([2-9]\) = -n\1
Options: MODES portrait = -pp
Options: MODES landscape = -pl
Options: MODES x\=\(\-*[\.0-9]*\) = -x\1
Options: MODES y\=\(\-*[\.0-9]*\) = -y\1
Options: MODES magnify\=\([\.0-9]*\) = -m\1

In the following example, the command redirects information about the

daisytroff filter to a file (creates the filter definition for that filter). This is useful if
a filter definition is removed unintentionally.

# lpfilter -f daisytroff -l > [Link]

In the following example, the command displays all the print filters that have been
added to the system, and the information that is displayed in response.

# lpfilter -f all -l | grep Filter

(Filter "download")
Filter type: fast
(Filter "postio")
Filter type: fast
(Filter "postior")
Filter type: fast

(continued)

104 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

(Filter "postreverse")
Filter type: slow

Managing Forms
A form is a sheet of paper on which information is printed in a predetermined
format. Unlike plain paper stock, forms usually have text or graphics preprinted on
them. Common examples of forms are company letterhead, invoices, blank checks,
receipts, and labels.
The term form has two meanings: the physical medium (the paper) and the software
that defines a form to the LP print service.
The LP print service allows you to control the use of forms. This section provides
information about adding, changing, removing, mounting, and controlling access to
forms.

Adding, Changing, or Deleting Forms

When you add a form, you tell the LP print service to include the form in its list of
available forms. You also have to supply the information required to describe or
define the form. Although you can enter such definitions when you add the form, it
helps to create the definitions first and save them in files. You can then change the
form definition by editing the file. See “How to Create a New Form Definition” on
page 147 for information about how to create form definitions.

Note - No form definitions are supplied with the LP print service.

To change a form, you must re-add the form with a different definition.
The LP print service imposes no limit on the number of forms you can define.
However, you should delete forms that are no longer appropriate. Obsolete forms
may result in unnecessary processing by the print service.

Managing Character Sets, Filters, Forms, and Fonts (Tasks) 105

 Mounting Forms
To print a form, you must load the paper in the printer and use a command to mount
the form, which notifies the LP print service that print requests submitted to the
printer are to be printed using the form definition. If you use one printer for
different types of printing, including forms, you should:
4 Disable the printer before you load the paper and mount the form.
4 Re-enable the printer when the form is ready; otherwise, the LP print service will
continue to print files that do not need the form on the printer.
When you mount a form, make sure it is aligned properly. If an alignment pattern
has been defined for the form, you can request that the pattern print repeatedly after
you have mounted the form, until you have adjusted the printer so the alignment is
correct.
When you want to change or discontinue using a form on a printer, you must notify
the LP print service by unmounting the form.

Tracking Forms
The LP print service helps you track which forms are mounted on each printer and
notifies you when it cannot find a description it needs to print a form. You are
responsible for creating form descriptions and mounting and unmounting form
paper in each printer, either as part of setting up a printer or in response to alerts
from the LP print service.
Users can specify the form on which they want a job to print. As root, you can
mount a specific form, then tell the LP print service that the form is available and on
which printer it is mounted. Users can submit print requests specifying a particular
form. When the LP print service receives the request, it sends an alert message to
root requesting that you mount the form.

Defining Alerts for Mounting Forms

You request alerts for mounting forms in the same way you request other alerts from
the LP print service. See “Setting Up Printer Fault Alerts” on page 71 for general
information about alerts.

Checking Forms
When you have defined a form for the LP print service, you can check it with either
of two commands, depending on the type of information you want to check.

106 System Administration Guide, Volume II ♦ October 1998

4 Show the attributes of the form by using the lpforms(1M) command. You can
also redirect the output of the command into a file to save it for future reference.
4 Display the current status of the form by using the lpstat command. To protect
potentially sensitive content, the alignment pattern is not shown.
If you are not sure about the name of an existing form, you can list the contents of
the /etc/lp/forms directory to see the names of the forms there.

Limiting Access to Forms

You can control which printers and users have access to some or all of the forms
available on the network. For example, you may want only the people in the payroll
or accounts payable department to be able to print check forms. In addition, you
may want the check forms to be available only on certain printers.
To limit user access to forms, see “How to Limit User Access to a Form” on page
113. To limit printer access to a form, see “How to Limit Printer Access to a Form”
on page 114.

How to Add a Form

1. Log in as superuser or lp on the print server.

2. Add a form that is based on a form definition by using the lpforms command.

# lpforms -f form-name -F /etc/lp/forms/form

-f form-name Name you choose for the form.

-F /etc/lp/forms/form Name of the form definition.

The form is added in the print server’s /etc/lp/forms/form-name/describe

file.

3. Verify that the form was added by checking for a listing of information about
the form in the output of the following command.

# lpforms -f form-name -l

Managing Character Sets, Filters, Forms, and Fonts (Tasks) 107

 Example—Adding a Form
In the following example, the command adds the medical form that uses the
[Link] form definition.

# lpforms -f medical -F /etc/lp/forms/[Link]

Note - Before the form can be used, one or more printers must be given access to the
form. See “How to Limit Printer Access to a Form” on page 114.

How to Delete a Form

1. Log in as superuser or lp on the print server.

2. Delete the form by using the lpforms command.

# lpforms -f form-name -x

-f form-name Form to be deleted.

-x Deletes the specified form.

The form is deleted from /etc/lp/forms/form-name file.

3. Verify that form was deleted by using the following command. You should
receive an error indicating that a form by the specified name does not exist.

# lpforms -f form-name -l

Example—Deleting a Form
In the following example, the command deletes the medical form.

# lpforms -f medical -x

How to Unmount and Mount a Form

1. Log in as superuser or lp on the print server.

108 System Administration Guide, Volume II ♦ October 1998

2. Stop accepting print requests on the printer on which you are unmounting the
current form by using the reject command.

# reject printer-name

printer-name Name of the printer on which you are unmounting a form.

New print requests (which may not require the form) are not allowed to enter the
printer’s queue.

3. Unmount the current form by using the lpadmin command.

# lpadmin -p printer-name -M -f none

In this command, the variable printer-name is the same as in Step 2 on page 109.
The current form is deleted from the print server’s
/etc/lp/printers/printer-name/configuration file.

4. Remove the form paper from the printer.

5. Load the form paper for the next print request.

6. Mount the form by using the lpadmin command.

# lpadmin -p printer-name -M -f form-name[-a -o filebreak]

-p printer-name Printer on which you are mounting a form.

-M -f form-name Name of the form to be mounted.

Optionally enables you to print a copy of the alignment

−a -o filebreak pattern defined for the form, if it has one.

The specified form is added in the print server’s

/etc/lp/printers/printer-name/configuration file.

7. Start accepting print requests on the printer.

# accept printer-name

The printer is ready to print the form you just mounted.

Managing Character Sets, Filters, Forms, and Fonts (Tasks) 109

 8. Verify that the form has been mounted by checking for the form name under
the Form mounted heading in the output of the following command.

$ lpstat -p printer-name -l

Otherwise, submit a print request that requires the new form and check the
printer for output.

Examples—Unmounting and Mounting a Form

The following example shows the process of unmounting the currently mounted
form on the printer luna.

# reject luna
destination "luna" will no longer accept requests
# lpadmin -p luna -M f none
# accept luna
destination "luna" now accepting requests

The following example shows the process of mounting the medical form on the
printer luna.

# reject luna
destination "luna" will no longer accept requests
# lpadmin -p luna -M f medical -a -o filebreak
# accept luna
destination "luna" now accepting requests

How to Set an Alert to Mount a Form

1. Log in as superuser or lp on the print server.

2. Set a request alert for mounting a form by using the lpadmin command.

# lpforms -f form-name -A alert [-Q requests] [-W minutes]

110 System Administration Guide, Volume II ♦ October 1998

 -f form-name Form for which you want to set a request alert.

-A alert Specifies what kind of alert will occur when a form is

requested. See Table 4–2 for detailed information about the
valid values for alert. Some valid values are mail, write,
and quiet. If you choose mail or write, a predefined alert
message says to mount the specified form and includes the
names of one or more printers that have been set up to use
the form.

-Q requests Specifies how many print requests that require the form must
be in the queue to trigger an alert. If you don’t specify this
option, an alert occurs with just one print request in the
queue.

-W minutes Specifies how often (in minutes) the alert will occur. If you
don’t specify this option, the alert is sent once.

The request alert is added in the print server’s

/etc/lp/forms/form-name/[Link] file.

3. Verify that the alert has been added for the form by checking the output of the
following command.

# lpforms -f form-name -A list

Otherwise, if you have set a low number of print requests to trigger the alert,
submit print requests to meet the minimum requirement and make sure you
receive an alert to mount the form.

Examples—Setting an Alert to Mount a Form

In the following example, the command sets email alerts to occur every five minutes
for the letterhead form when there are 10 print requests for letterhead in the
print queue.

# lpforms -f letterhead -A mail -Q 10 -W 5

In the following example, the command sets console window alerts to occur every 10
minutes for the letterhead form when there are five requests for letterhead in
the print queue.

# lpforms -f letterhead -A write -Q 5 -W 10

In the following example, the command sets no request alerts for the invoice form.

Managing Character Sets, Filters, Forms, and Fonts (Tasks) 111

 # lpforms -f invoice -A none

How to View Information About a Form

1. Log in as superuser or lp on the print server.

2. Request information about a form by using the lpforms command.

# lpforms -f form-name -l

-f form-name Form for which you want to view information. Specify all
for form-name to view information about all the available
forms.

-l Lists the specified form.

Information about the specified form(s) is displayed.

Examples—Viewing Information About a Form

In the following example, the command displays information about the medical
form.

# lpforms -f medical -l
Page length: 62
Page width: 72
Number of pages: 2
Line pitch: 6
Character pitch: 12
Character set choice: pica
Ribbon color: black
Comment:
Medical claim form

In the following example, the command redirects the information about the medical
form to a file. (This command creates the form definition for the form.) This is useful
if a form definition gets removed unintentionally.

# lpforms -f medical -l > [Link]

112 System Administration Guide, Volume II ♦ October 1998

How to View the Current Status of a Form
1. Log in on the print server.

2. Request information about the current status of a form by using the lpstat(1)
command.

$ lpstat -f form-name

Form for which you want to view the current status. Specify all for
−f form-name
form-name to view the current status of all the forms.

Information about the current status of the specified form(s) is displayed.

Example—Viewing the Current Status of a Form

In the following example, the command displays the status of the medical form.

$ lpstat -f medical,payroll
form medical is available to you

How to Limit User Access to a Form

1. Log in as superuser or lp on the print server.

2. Allow or deny users access to a form by using the lpforms command.

# lpforms -f form-name -u allow:user-list | deny:user-list

Managing Character Sets, Filters, Forms, and Fonts (Tasks) 113

 -f form-name Name of the form for which the allow or deny user access
list is being created.

-u allow:user-list Represents users to be added to the allow access list. Use a

comma or a space to separate users’ login IDs. If you use
spaces, enclose the list of IDs in quotes.

Table 4–4 provides the valid values for user-list.

deny:user-list Represents users to be added to the deny user access list. Use
a comma or a space to separate users’ login IDs. If you use
spaces, enclose the list of IDs in quotes. Table 4–4 provides
the valid values for user-list.

The specified user(s) are added to the allow or deny user access list for the
specified form in one of the following files on the print server:

/etc/lp/forms/form-name/allow/etc/lp/forms/form-name/deny

3. Verify the allow and deny user access lists by using the lpforms command.

# lpforms -f form-name -l

Examples—Limiting User Access to a Form

In the following example, the command allows only the users nathan and marcia
access to the check form.

# lpforms -f check -u allow:nathan,marcia

In the following example, the command denies users jones and smith access to the
dental form.

# lpforms -f dental -u deny:"jones,smith"

How to Limit Printer Access to a Form

1. Log in as superuser or lp on the print server.

2. Allow or deny use of forms on a printer by using the lpadmin command.

# lpadmin -p printer-name -f allow:form-list | deny:form-list

114 System Administration Guide, Volume II ♦ October 1998

 -p printer-name Name of the printer for which the allow or deny
forms list is being created.

-f allow:form-list | deny:form-list Form names to be added to the allow or deny list.

Use a space or a comma to separate multiple form
names. If you use spaces to separate form names,
enclose the list of form names in quotes.

The specified form(s) are added to the allow or deny forms list in one of the
following files on the print server:

/etc/lp/printers/printer-name/[Link] /etc/lp/printers/printer-name/[Link]

3. Verify the allow and deny forms lists by using the following command.

# lpstat -p printer-name -l

Examples—Limiting Printer Access to a Form

In the following example, the command allows the printer luna to access only the
medical, dental, and check forms.

# lpadmin -p luna -f allow:medical,dental,check

In the following example, the command denies the printer luna from accessing the
medical, dental, and check forms.

# lpadmin -p luna -f deny:"medical dental payroll"

Managing Fonts
If you have a laser printer, you may need to install and maintain PostScript fonts. You
may also have to decide where to install PostScript fonts and how to manage them.
For many printers, the fonts are set up as part of the printer installation process.
PostScript fonts are stored in outline form, either on the printer or on a system that
communicates with the printer. When a document is printed, the PostScript
interpreter generates each character as needed (in the appropriate size) from the
outline description of it. If a font required for a document is not stored on the printer

Managing Character Sets, Filters, Forms, and Fonts (Tasks) 115

 being used, it must be transmitted to that printer before the document can be
printed. This transmission process is called downloading fonts.
Fonts are stored and accessed in several ways:
4 Printer-resident fonts are stored permanently on a printer. These fonts are installed
in read-only memory (ROM) on the printer by the manufacturer. If the printer has
a disk, you may need to install fonts on that disk. Most PostScript printers are
shipped with 35 standard fonts.
4 A permanently downloaded font is transmitted to a printer with a PostScript
exitserver program. A permanently downloaded font remains in printer
memory until the printer is turned off. Memory allocated to a downloaded font
reduces the memory available on the server for PostScript print requests. Use of an
exitserver program requires the printer system password and may be reserved
for the printer administrator. You should permanently download a font if most
print requests serviced by the printer use that font.
4 Fonts that are used infrequently or for special purposes can be stored on a user’s
system. The user can specify these fonts when submitting the print request. The
fonts are appended to the print request and transmitted to the printer. When the
print request is processed, the space allocated for the font is freed for other print
requests.
4 Host-resident fonts are stored on a system shared by many users. The system that
stores the fonts may be a print server or a print client. Each user may request fonts
in the document to be printed. This method is useful when there are numerous
available fonts, or when these fonts are not used by all print requests. If the fonts
will be used only on printers attached to a print server, they should be stored on
the print server. If the fonts are to be used by the users on one system and the
users may submit requests to multiple printers on a network, the fonts should be
stored on the users’ system.
The LP print service provides a special download filter to manage host-resident
fonts. It also supplies troff width tables for the 35 standard PostScript fonts
which reside on many PostScript printers, for use by the troff(1) program.

Managing Printer-Resident Fonts

Most PostScript printers come equipped with fonts resident in the printer ROM.
Some printers have a disk on which additional fonts are stored. When a printer is
installed, you should add the list of printer-resident fonts to the font list for that
printer. By identifying printer-resident fonts, you prevent fonts from being
transmitted unnecessarily across a network. Each printer has its own list of resident
fonts, which is contained in the file:

/etc/lp/printers/printer-name/residentfonts

116 System Administration Guide, Volume II ♦ October 1998

When the printer is attached to a print server, make sure the list in the
residentfonts file includes fonts that are on the print server and which are
available for downloading to the printer.

You must edit the files containing the list of printer-resident fonts by using a text
editor such as vi.

Downloading Host-Resident Fonts

When a PostScript document contains a request for fonts not loaded on the printer,
the download filter manages this request. The download filter uses PostScript
document structuring conventions to determine which fonts to download.
LP print filters are either fast or slow. A fast filter quickly prepares a file for printing,
and it must have access to the printer while the filter is processing. A slow filter
takes longer to convert a file, and it does not need to access the printer while the
filter is processing. An example of a slow filter is ASCII to PostScript.
The download filter is a fast filter; it downloads fonts automatically if the fonts are
on the print server. The download filter may also be used to send fonts to a print
server. To do this, you may create a new filter table entry that calls the download
filter as a slow filter by using the lp -y command. Alternatively, you may force
selection of this filter by changing the input type.

The download filter performs five tasks:

1. It searches the PostScript document to determine which fonts are requested. These
requests are documented with the following PostScript structuring comments:
%%DocumentFonts: font1 font2 … in the header comments.
2. It searches the list of printer-resident fonts to determine if the requested font must
be downloaded.
3. If the font is not resident on the printer, the download filter searches the
host-resident font directory (by getting the appropriate file name from the map
table) to determine if the requested font is available.
4. If the font is available, the filter takes the file for that font and appends it to the
file to be printed.
5. It sends the font definition file and the source file (the file to be printed) to the
PostScript printer.

Installing and Maintaining Host-Resident Fonts

Some fonts reside on the host system and are transmitted to the printer as needed for
particular print requests. As the administrator, you make PostScript fonts available to
all users on a system. To do so, you must know how and where to install these fonts.
Because fonts are requested by name and stored in files, the LP print service keeps a
map file that shows the correspondence between the names of fonts and the names

Managing Character Sets, Filters, Forms, and Fonts (Tasks) 117

 of the files containing those fonts. Both the map and the font list must be updated
when you install host-resident fonts.

The fonts available for use with PostScript printers are stored in directories you
create called /usr/share/lib/hostfontdir/typeface/font, where typeface is
replaced by a name like palatino or helvetica, and font is replaced by a name
like bold or italic.

How to Install Downloaded PostScript Fonts

1. Log in as superuser or lp on the print server or print client.

2. Change directory to the /etc/lp/printers/printer-name directory.

# cd /etc/lp/printers/printer-name

printer-name Name of the printer on which you want to install downloaded

PostScript fonts.

3. Create the residentfonts file, if it does not already exist.

# touch residentfonts

This file may not exist if this is the first time you are adding permanently
downloaded fonts.

4. Edit the residentfonts file by adding all the printer-resident fonts and fonts
to be permanently downloaded.
You can use any text editor, such as vi.

5. Save the file.

How to Install Host-Resident PostScript Fonts

1. Log in as superuser or lp on the print server or print client.

2. Create the hostfontdir directory, if it does not already exist.

# cd /usr/share/lib
# mkdir hostfontdir

118 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

# chmod 775 hostfontdir

3. Create a directory for a new typeface, if the directory does not already exist.

# mkdir typeface

4. Copy the font file to the appropriate directory.

# cp filename /usr/share/lib/hostfontdir/typeface/font

5. Add the name of the font and the name of the file in which it resides to the
map table.
a. Change to the /usr/share/lib/hostfontdir directory.

b. Edit the map file using a text editor such as vi.

Add a one-line entry for each font you want to add to the table, with the font
name first, followed by a space, followed by the name of the file where the
font resides. For example:

Palatino-Bold /usr/share/lib/hostfontdir/palatino/bold

c. Save the file.

When an example entry exists in the map table on the appropriate system,
users will be able to apply the font (for example, Palatino Bold) in their print
jobs. When they submit a print request containing this font, the LP print
service appends a copy of the file
/usr/share/lib/hostfontdir/palatino/bold to that file before
sending it to the printer.

6. If you are using troff, you must create new width tables for this font in the
standard troff font directory.

Managing Character Sets, Filters, Forms, and Fonts (Tasks) 119

120 System Administration Guide, Volume II ♦ October 1998
CHAPTER 6

Customizing the LP Print Service (Tasks)

This chapter provides background information and procedures for customizing the
LP print service.
This is a list of the step-by-step instructions in this chapter.
4 “How to Adjust the Printer Port Characteristics” on page 123
4 “How to Add a terminfo Entry for an Unsupported Printer” on page 127
4 “How to Set Up a Custom Printer Interface Program” on page 131
4 “How to Create a New Print Filter” on page 142
4 “How to Create a New Form Definition” on page 147
For overview information about printers, see Chapter 1.

Adjusting Printer Port Characteristics

The printer port characteristics set by the LP print service must be compatible with
the printer communication settings. If the default printer port settings provided by
the LP print service do not work with a printer, refer to the printer manual from the
manufacturer to find out what settings the printer requires from the LP print service.
Use the stty command to set and display printer communication settings.
Table 6–1 shows the default stty settings used by the LP print service.

121
 TABLE 6–1 stty Default Settings Used by the LP Print Service

Option Meaning

Set baud to 9600

−9600

Set 8-bit bytes

−cs8

Send one stop bit per byte

−cstopb

Do not generate parity

−parity

Enable XON/XOFF (also known as START/STOP or DC1/DC3)

−ixon

Do “output post-processing” using all the settings that follow in

−opost
this table

Do not map lowercase to uppercase

−olcuc

Change line feed to carriage return/line feed

−onlcr

Do not change carriage returns into line feeds

−ocrnl

Output carriage returns even at column 0

−onocr

No delay after line feeds

−n10

No delay after carriage returns

−cr0

No delay after tabs

−tab0

No delay after backspaces

−bs0

No delay after vertical tabs

−vt0

No delay after form feeds

−ff0

122 System Administration Guide, Volume II ♦ October 1998

How to Adjust the Printer Port Characteristics
1. Log in as superuser or lp on the print server.

2. Adjust the printer port characteristics by using the lpadmin command.

# lpadmin -p printer-name -o "stty=options"

-p printer-name Name of the printer for which you are adjusting the port
characteristics.

-o "stty=options" Sets the port characteristic (stty option) specified by

[Link] can change more than one stty option setting
with this command. Enclose each option in single
quotation marks and use a space to separate the options.
See stty(1) for a complete list of options. Table 6–1 shows
the default stty settings used by the LP print service.

3. Verify that the printer port characteristics have been changed by using the
following command.

# stty -a

Examples—Adjusting the Printer Port Characteristics

In the following example, the command sets the port characteristics for the printer
luna. The parenb option enables parity checking/generation, parodd sets odd
parity generation, and cs7 sets the character size to 7 bits.

# lpadmin -p luna -o "stty=’parenb parodd cs7’"

In the following example, the command sets the terminal baud rate to 19200 for the
printer venus.

# lpadmin -p venus -o "stty=19200"

Customizing the LP Print Service (Tasks) 123

 Adding a terminfo Entry for an
Unsupported Printer
The LP print service uses an interface program and the terminfo database to
initialize each printer and establish a selected page size, character pitch, line pitch,
and character set.
Each printer is identified in the terminfo database with a short name. The name
required by the terminfo database is identical to the name used to set the TERM
shell variable. This name is also the printer type you specify when setting up a
printer. For example, the entries for different types of PostScript printers are in
/usr/share/lib/terminfo/P. The default entries provided with the SunOS 5.7
system are PS (for PostScript) and PSR (for PostScript Reverse).
If you cannot find a terminfo entry for your printer, you still may be able to use
the printer with the LP print service without the automatic selection of page size,
pitch, and character sets. However, you may have trouble keeping the printer set in
the correct modes for each print request.
If there is no terminfo entry for your type of printer and you want to keep the
printer set in the correct modes, you can either customize the interface program used
with the printer or add an entry to the terminfo database. A terminal or printer
entry in the terminfo database contains and defines hundreds of items. The LP
print service, however, uses fewer than 50 of these items. Table 6–2 lists the required
terminfo items for a printer.

TABLE 6–2 Required terminfo Items for a Printer

Item Meaning

Booleans:

cpix Changing character pitch changes resolution

daisy Printer requires an operator to change character set

lpix Changing line pitch changes resolution

Numbers:

bufsx Number of bytes buffered before printing

cols Number of columns in a line

124 System Administration Guide, Volume II ♦ October 1998

TABLE 6–2 Required terminfo Items for a Printer (continued)

Item Meaning

cps Average print rate in characters per second

it Tabs initially every n spaces

lines Number of lines on a page

orc Horizontal resolution, in units per character

orhi Horizontal resolution, in units per inch

orl Vertical resolution, in units per line

orvi Vertical resolution, in units per inch

Strings:

chr Change horizontal resolution

cpi Change number of characters per inch

cr Carriage return

csnm List of character set names

cudl Down one line

cud Move carriage down n lines

cuf Move carriage right n columns

cvr Change vertical resolution

ff Page eject

hpa Horizontal position absolute

ht Tab to next 8-space tab stop

Customizing the LP Print Service (Tasks) 125

 TABLE 6–2 Required terminfo Items for a Printer (continued)

Item Meaning

if Name of initialization file

iprog Path name of initialization program

is1 Printer initialization string

is2 Printer initialization string

is3 Printer initialization string

Strings:

lpi Change number of lines per inch

mgc Clear all margins (top, bottom, and sides)

rep Repeat a character n times

rwidm Disable double-wide printing

scs Select character set

scsd Start definition of a character set

slines Set page length to n lines per page

smgl Set left margin at current column

smglp Set left margin

smgr Set right margin at current column

smgrp Set right margin

smglr Set both left and right margins

msgt Set top margin at current line

126 System Administration Guide, Volume II ♦ October 1998

TABLE 6–2 Required terminfo Items for a Printer (continued)

Item Meaning

smgtp Set top margin

smgb Set bottom margin at current line

smgbp Set bottom margin

smgtb Set both top and bottom margins

swidm Enable double-wide printing

vpa Vertical position absolute

How to Add a terminfo Entry for an

Unsupported Printer

Note - Before you create a terminfo entry for a printer, you should first make sure
none of the existing terminfo entries will support the printer. To do so, try to set
up the printer with an entry for a similar printer, if there is one.

1. Log in as superuser or lp on the print server.

1. Determine a terminfo entry name for the printer.

The directories in the /usr/share/lib/terminfo directory contain all the
valid terminfo entries. Use them as a guide for choosing a name for the printer.

2. Create a terminfo entry file for the printer.

Table 6–2 shows the items you must define in the terminfo entry to add a new
printer to the LP print service. For more details about the structure of the
terminfo database, see terminfo(4).
To help you start writing a new terminfo entry, use the infocmp command to
save an existing terminfo entry to a file. This is helpful if there is a terminfo
entry that is similar to one you want to create. For example, the following
command saves the ps entry to the ps_cust file, which will become the new
terminfo entry.
infocmp ps > ps_cust

Customizing the LP Print Service (Tasks) 127

 3. Compile the terminfo entry file into the terminfo database.

# tic terminfo_entry

terminfo_entry The terminfo entry file you created.

4. Check for the new terminfo entry file in the /usr/share/lib/terminfo

directory.

Customizing the Printer Interface

Program
If you have a printer that is not supported by the standard printer interface program,
you can furnish your own printer interface program. You can copy the standard
program and then tell the LP print service to use it for a specified printer. But first
you need to understand what is in the standard program. The following section
describes the standard program.
A printer interface program should:
4 Initialize the printer port, if necessary. The standard printer interface program uses
the stty command to initialize the printer port.
4 Initialize the printer hardware. The standard printer interface program gets the
control sequences from the terminfo database and the TERM shell variable.
4 Print a banner page, if necessary.
4 Print the number of copies specified by the print request.

Caution - If you have a printer interface program from a release of UNIX System V
prior to Release 3.2, it will probably work with the SunOS 5.7 or compatible LP print
service. However, several −o options have been standardized in the SunOS 5.7 or
compatible LP print service and will be passed to every printer interface program.
These options may interfere with similarly named options used by the old interface.

The LP print service, not a printer interface program, is responsible for opening the
printer port. The printer port is given to the printer interface program as standard
output, and the printer is identified as the “controlling terminal” for the printer

128 System Administration Guide, Volume II ♦ October 1998

interface program so that a “hang-up” of the port will cause a SIGHUP signal to be
sent to the printer interface program.

The Standard Printer Interface Program

The standard (model) printer interface program, /usr/lib/lp/model/standard,
is used by the LP print service to set the printing defaults shown in Table 6–3.

TABLE 6–3 Default Printer Port Characteristics

Characteristic Default Setting

Default filter None

Character pitch None

Line pitch None

Page width None

Page length None

Character set None

stty options 9600 cs8 -cstopb -parenb -parodd ixon -ixany opost
-olcuc onlcr -ocrnl -onocr -onlret -ofill nl0 cr0
tab0 bs0 vt0 ff0

Exit code 0

Customizing stty Modes

If you need to change the terminal characteristics, like baud rate or output options,
look for the section of the standard printer interface program that begins with the
following comment:
## Initialize the printer port

Customizing the LP Print Service (Tasks) 129

 Exit Codes
When printing is complete, your interface program should exit with a code that
shows the status of the print job. The exit code is the last entry in the printer
interface program.
Table 6–4 shows the exit codes and how they are interpreted by the LP print service.

TABLE 6–4 Printer Interface Program Exit Codes

Code Meaning to the LP Print Service

0 The print request has been successfully completed. If a printer fault

occurred, it has been cleared.

1 to 127 A problem was encountered when printing a request (for example, too
many nonprintable characters or the request exceeds the printer
capabilities). The LP print service notifies the person who submitted the
request that there was an error when printing it. This error will not affect
future print requests. If a printer fault has occurred, it has been cleared.

128 This code is reserved for internal use by the LP print service. Interface
programs must not exit with this code.

129 A printer fault was encountered when printing the request. This fault will
affect future print requests. If the fault recovery for the printer directs the
LP print service to wait for the administrator to correct the problem, the
LP print service disables the printer. If the fault recovery is to continue
printing, the LP print service will not disable the printer, but it will try
printing again in a few minutes.

>129 These codes are reserved for internal use by the LP print service.
Interface programs must not exit with codes in this range.

If the program exits with a code of 129, root is alerted of a printer fault. The LP print
service must also reprint the request from the beginning, after the fault has been
cleared. If you do not want the entire request to be reprinted, you can have the
interface program send a fault message to the LP print service, but wait for the fault
to be cleared. When the fault is cleared, the interface program can resume printing
the file. When printing is finished, the printer interface program can give a zero exit
code, just as if the fault had never occurred. An added advantage of this approach is
that the interface program can detect when the fault is cleared automatically, so that
the administrator does not need to re-enable the printer.

130 System Administration Guide, Volume II ♦ October 1998

Fault Messages
You can use the [Link] program to send fault messages to the LP print service.
This program is referenced by the LPTELL shell variable in the standard printer
interface code. The program takes standard input and sends it to the LP print
service, where it is put into the message that alerts the administrator to the printer
fault. If its standard input is empty, [Link] does not initiate an alert. For an
example of how the [Link] program is used, examine the standard printer
interface code immediately after the following comment:
# Here’s where we set up the $LPTELL program to capture fault messages

If you use the special exit code 129 or the [Link] program, the printer interface
program does not need to disable the printer itself. The interface program can
disable the printer directly, but doing so will override the fault-alerting mechanism.
Alerts are sent only if the LP print service detects that the printer has a fault, and the
special exit code and the [Link] program are its main detection tools.
If the LP print service has to interrupt printing of a file at any time, it kills the
interface program with a signal TERM (trap number 15). (See kill(1) and
signal(3B).) If the printer interface program dies from receipt of any other signal,
the LP print service assumes that future print requests will not be affected, and
continues to use the printer. The LP print service notifies the user who submitted the
request that the request has not been finished successfully.
When the interface is first invoked, the signals HUP, INT, QUIT, and PIPE (trap
numbers 1, 2, 3, and 13) are ignored. The standard interface changes this so the
signals are trapped at appropriate times. The standard interface interprets receipt of
these signals as warnings that the printer has a problem; when it receives a signal, it
issues a fault alert.

Using a Customized Printer Interface Program

You can create a customized printer interface program and use it in place of the
standard printer interface program on the print server. To do so, you use the
lpadmin command to register the program with the LP print service for a specific
printer.

How to Set Up a Custom Printer Interface

Program
1. Log in as superuser or lp on the print server.

2. Determine your next step based on whether you have a custom printer
interface program.

Customizing the LP Print Service (Tasks) 131

 If You ... Then ...

Need to create a custom printer interface program Go to Step 3 on page 132.

Already have a custom printer interface program Go to Step 5 on page 132.

3. Copy the standard printer interface program.

# cp /var/spool/lp/model/standard custom-interface

4. Change the copy of the standard printer interface program to meet your needs.
Refer to the description of the program in “The Standard Printer Interface
Program” on page 129 to determine what you need to change.

5. Set up the custom printer interface program for a specific printer.

# lpadmin -p printer-name -i custom-interface

-p printer-name The printer that will use the custom printer interface
program.

-i custom-interface Name of the custom printer interface program.

The custom printer interface program is registered with the LP print service, and
will be used by that printer when users submit print requests.

6. Verify that the custom printer interface program has been added in the
/etc/lp/printers/printer-name/configuration file.

Examples—Setting Up a Custom Printer Interface Program

In the following example, the command sets up a custom printer interface program
named custom for the printer luna.

# lpadmin -p luna -i custom

In the following example, the command sets up a custom printer interface program
that the system venus is using on the printer asteroid.

# lpadmin -p asteroid -e venus

132 System Administration Guide, Volume II ♦ October 1998

Creating a New Print Filter
A filter is used by the LP print service each time it has to print a type of file that the
printer cannot interpret. Creating a new print filter is not easy; it usually requires
extensive experimentation. The process of defining a new print filter consists of two
steps:
4 Writing a print filter program
4 Creating a print filter definition
A print filter can be as simple or as complex as needed. Filters contain input types,
output types, and complex options that provide a language to process command-line
arguments within the filter.
If you have non-PostScript printers, you have to create and add print filters as
required. First, you need to understand what print filters are and the requirements
that must be met by a filter program.

Writing a Print Filter Program

The SunOS 5.7 print service provides filter programs in the
/usr/lib/lp/postscript directory. These filters cover most PostScript printing
situations—where the destination printer requires the data to be in PostScript format.
A print filter program must be a binary executable.

Types of Filters
There are two types of print filters: fast filters and slow filters.
Fast filters do not require much processing time to prepare a file for printing. They
must have access to the printer when they run. To be capable of detecting printer
faults, a print filter must be a fast filter. Any filter that uses the PRINTER keyword as
a filter option must be installed as a fast filter.
Slow filters require a great deal of processing time to prepare a file for printing. They
do not require access to the printer when they run. Slow filters are run in the
background so they do not tie up the printer, allowing other files that do not need
slow filtering to be printed.

Converting Files
The LP print service uses print filters to convert files from one content type to
another. You can specify the accepted file content types for each printer. The user

Customizing the LP Print Service (Tasks) 133

 specifies the file content type when submitting a print request, and the LP print
service finds a printer that can print files of that content type. Because many
applications can generate files for various printers, this is often sufficient. However,
some applications may generate files that cannot be printed on any available printers.
Each time the LP print service receives a request to print a type of file that is in a
format that cannot be accepted directly by a printer, the LP print service tries to
match the content type of the print request with the content type of the available (or
specified) printer. If there is a match, the file can be sent directly to the printer
without filtering. If no match is found, or if the content type specifies that a filter be
used, the LP print service tries to match the content type of the file with the input
content type of available filters, and match the output type of the filter with the
content type of the printer. When an appropriate filter is found, the print request is
passed through the filter.

Handling Special Printing Modes

A print filter handles special modes and requests to print specific pages. A special
printing mode is needed to print any characteristics of print requests that require a
customized filter. Filters handle the following characteristics:
4 Printer type
4 Character pitch
4 Line pitch
4 Page length
4 Page width
4 Pages to print
4 Character set
4 Form name
4 Number of copies
The LP print service provides default settings for these characteristics; however, a
print filter may handle some characteristics more efficiently. For example, some
printers can handle multiple copies more efficiently than the LP print service, and, in
this case, you may want to provide a filter for multiple-copy page control.

Detecting Printer Faults

Each printer has its own way of detecting printer faults and transmitting fault
signals to the LP print service. The LP print service only checks for hang-ups (loss of
carrier) and excessive delays in printing.
Some printers provide good fault coverage and can send a message describing the
reason for a fault. Other printers indicate a fault by using signals other than the

134 System Administration Guide, Volume II ♦ October 1998

signals indicating loss of carrier signal or shut off of data flow. A filter is required to
interpret this additional printer fault information.
A filter can also put a print request on hold, wait for a printer fault to clear, and then
resume printing. With this capability, the print request that was interrupted does not
need to be reprinted in its entirety. Only a filter that knows the control sequences
used by a printer can determine where to break a file into pages. Consequently, only
such a filter can find the place in the file where printing should start after a fault is
cleared.
When a print filter generates messages, those messages are handled by the LP print
service, and alerts are sent to the system administrator if alerts are enabled. For
further information, see “Setting Up Printer Fault Alerts” on page 71.

Requirements for a Print Filter Program

A print filter can be simple or complex, but it has to meet the following requirements:
4 The filter should get the contents of a file from its standard input and send the
converted file to the standard output.
4 A program cannot be used as a filter if it references external files. You may be
tempted to use a program like troff, nroff, or a similar word processing
program as a filter. The LP print service does not recognize references to other
files, known as include files, from a filter program. Because troff and nroff
allow include files, they may fail when used as filters. If the program needs other
files to complete its processing, it should not be used as a filter.
4 The filter should not depend on files that normally would not be accessible to a
user. If a filter fails when run directly by a user, it will fail when run by the LP
print service.
4 A slow filter can send messages about errors in the file to standard error; a fast
filter should not. Error messages from a slow filter are collected and sent to the
user who submitted the print request.
4 If a slow filter dies because it received a signal, the print request is stopped and
the user who submitted the request is notified. Likewise, if a slow filter exits with
a non-zero exit code, the print request is stopped and the user is notified. The exit
codes from fast filters are treated differently.
If you want the filter to detect printer faults, it should also meet the following
requirements:
4 If possible, the filter should wait for a fault to be cleared before exiting. It should
also continue to print at the top of the page where printing stopped after the fault
is cleared. If you do not want use the continuation feature, the LP print service
will stop the filter before alerting the administrator.
4 The filter should send printer fault messages to its standard error as soon as the
fault is recognized. It does not have to exit; it can wait for the fault to be cleared.

Customizing the LP Print Service (Tasks) 135

 4 The filter should not send messages about errors in the file to standard error.
These messages should be included in the standard output, where they can be
read by the user.
4 The filter should exit with a zero exit code if the file is finished printing (even if
errors in the file have prevented it from being printed correctly).
4 The filter should exit with a non-zero exit code only if a printer fault has
prevented it from finishing a print request.
4 When added to the filter table, the filter must be added as a fast filter.

Creating a Print Filter Definition

A print filter definition tells the LP print service about the filter, what print filter
program to run, what kind of conversion it does, and so on. A set of filter descriptor
files are provided in the /etc/lp/fd directory. These files describe the
characteristics of the filters (for example, fast or slow filter), and point to the filter
programs (for example, /usr/lib/lp/postscript/postdaisy).
When defining a new print filter, in addition to writing a filter program, you must
create a print filter definition. A print filter definition contains the following
information used by the LP print service:
4 Name of the filter program to run
4 Input types it accepts
4 Output types it produces
4 Printer types to which it can send jobs
4 Names of specific printers to which it can send jobs
4 Filter types (either fast or slow)
4 Options
You can type the characteristics as direct input to the lpfilter command. You also
can create a file that specifies the filter’s characteristics, and use the file name as
input to the lpfilter command. Such a file is called a filter descriptor file and
should be located in the /etc/lp/fd directory. These files are not the filters
themselves, but rather point to the filters.
Whether you store the information in a file, or enter it directly on the command line,
use the following format:

Command: command-pathname [options]

Input types: input-type-list
Output types: output-type-list
Printer types: printer-type-list

(continued)

136 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

Printers: printer-list
Filter type: fast or slow
Options: template-list

Note - If you provide more than one definition (that is, more than one line) for any
filter characteristic other than Options, only the second definition will be used by
the print service.

The information can be arranged in any order, and not all the information is
required. When you do not specify values, those shown in Table 6–5 are assigned by
default. They are not very useful, which is why you should specify explicit values.

TABLE 6–5 Default Values for lpfilter Arguments

Item Default

Input types any

Output type any

Printer types any

Printers any

Filter type slow

Command
Use the full path of the filter program. If there are any fixed options that the
program always needs, include them here.

Input Types
Input types is a list of file content types that the print filter can process. The LP print
service does limit the number of input types, but most filters can accept only one

Customizing the LP Print Service (Tasks) 137

 type. Several file types may be similar enough that the filter can deal with them. You
can use whatever names you like, with a maximum of 14 alphanumeric characters
and dashes. Do not use underscores as part of the input type name.
The LP print service uses these names to match a filter to a file type, so follow a
consistent naming convention. For example, if more than one filter can accept the
same input type, use the same name for that input type when you specify it for each
filter. Inform your users of these names so they know how to identify the file type
when submitting a file for printing.

Output Types
Output types is list of file types that the filter can produce as output. For each input
type, the filter produces a single output type. The output type may vary, however,
from job to job. The name of the output type is restricted to 14 alphanumeric
characters and dashes.
The output type names should either match the types of available (local or remote)
printers, or match the input types handled by other filters. The LP print service
groups filters in a shell pipeline if it finds that several passes by different filters are
needed to convert a file. It is unlikely that you will need this level of sophistication,
but the LP print service allows it. Try to find a set of filters that takes as input types
all the different files the users may want printed, and that converts those files
directly into file types the printer can handle.

Printer Types
Printer types is a list of the types of printers into which the print filter can convert
files. For most printers and filters, you can leave this part of the filter definition
blank, because it is identical to the list of output types. But it can be different. For
example, you could have a printer with a single printer type for purposes of
initialization, but which can recognize several different file content types. Essentially,
this printer has an internal filter that converts the various file types into one that it
can handle. Thus, a filter may produce one of several output types that match the file
types that the printer can handle. The print filter should be marked as working with
that printer type.
As another example, you may have two different models of printers that are listed as
accepting the same file types. Due to slight differences in manufacture, however, one
printer deviates in the results it produces. You label the printers as being of different
printer types, say A and B, where B is the one that deviates. You create a filter that
adjusts files to account for the deviation produced by printers of type B. Because this
filter is needed only for those printer types, you would list it as working only on
type B printers.

138 System Administration Guide, Volume II ♦ October 1998

Printers
A print filter is normally able to work with all printers that accept its output, so you
can usually skip this part of the filter definition.
You may, however, have some printers that are or inappropriate for the output that
the filter produces. For example, you may want to dedicate one printer for fast
turnaround, only sending files that require no filtering to that printer. Other printers
of identical type may be used for files that need extensive filtering before they can be
printed.

Filter Type
The LP print service recognizes fast and slow filters, as described in “Types of
Filters” on page 133.

Slow filters that are invoked by printing modes (using the lp -y command) must be
run on the system from which the print request originated. The LP print service
cannot pass values for modes to print servers. It can, however, match a file content
type (specified after the -T option of the lp command) to a content type on a print
server. Therefore, if you want to activate special modes on a print server, you must
specify content types that permit the LP print service to match input types and
output types.

Options
Options specify how different types of information are converted into command-line
arguments to the filter command. This information may include specifications from a
user (with the print request), the printer definition, and the specifications
implemented by any filters used to process the request.

Defining Print Filter Options With Templates

There are 13 sources of information for defining print filter options, each of which is
represented by a keyword. Each option is defined in a template. A template is a
statement in a filter definition that defines an option to be passed to the filter
command, based on the value of one of the characteristics of the filter.
The options specified in a filter definition may include none, all, or any subset of the
13 keywords. In addition, a single keyword may be defined more than once, if
multiple definitions are required for a complete filter definition. Table 6–6 contains
descriptions of the 13 keywords available for defining Options in a print filter
definition.

Customizing the LP Print Service (Tasks) 139

 TABLE 6–6 Print Filter Options Keywords

Characteristic Keyword Possible Patterns Example

Content type (input) INPUT content-type troff

Content type OUTPUT content-type postscript,

(output) impress

Printer type TERM printer-type att495

Printer name PRINTER printer-name lp1

Character pitch CPI scaled-decimal 10

Line pitch LPI scaled-decimal 6

Page length LENGTH scaled-decimal 66

Page width WIDTH scaled-decimal 80

Pages to print PAGES page-list 1-5,13-20

Character set CHARSET character-set finnish

Form name FORM form-name invoice2

Number of copies COPIES integer 3

Special modes MODES mode landscape

A print filter definition can include more than one template. Multiple templates are
entered on a single line and separated with commas, or they are entered on separate
lines, preceded by the Options: prefix.
The format of a template is as follows:
keywordpattern = replacement
The keyword identifies the type of option being registered for a particular
characteristic of the filter.
The pattern is a specific option for the keyword.

140 System Administration Guide, Volume II ♦ October 1998

The replacement is what happens when the keyword has the noted value.
For an example of how an option is defined for a particular filter, suppose you want
to have the print service scheduler assign print requests to filters following this
criteria:
4 If the type of OUTPUT to be produced by the filter is impress, then pass the -I
option to the filter.
4 If the type of OUTPUT to be produced by the filter is postscript, then pass the -P
option to the filter.
To specify these criteria, provide the following templates as options to the lpfilter
command:

Options: OUTPUT impress=-I, OUTPUT postscript=-P

If the Options line becomes too long, put each template on a separate line, as
follows:

Options: OUTPUT impress=-I

Options: OUTPUT postscript=-P

In both templates, the keyword is defined as OUTPUT. In the first template, the pattern
is impress and the value of the replacement is -I. In the second template, the value
of pattern is postscript and the value of replacement is -P.
To find out which values to supply for each type of template (that is, for the pattern
and replacement arguments for each keyword), consider the following:
4 The values for the INPUT templates come from the file content type that needs to
be converted by the filter.
4 The values for the OUTPUT templates come from the output type that has to be
produced by the filter.
4 The value for the TERM template is the printer type.
4 The value for the PRINTER template is the name of the printer that will print the
final output.
4 The values for the CPI, LPI, LENGTH, and WIDTH templates come from the user’s
print request, the form being used, or the default values for the printer.
4 The value for the PAGES template is a list of pages that should be printed.
Typically, it is a list of page ranges separated by commas. Each page range consists
of a pair of numbers separated by a dash, or a single number. (For example,
1–5,6,8,10 indicates pages 1 through 5, plus pages 6, 8, and 10.) However,
whatever value was given in the −P option to a print request is passed unchanged.
4 The value for the CHARSET template is the name of the character set to be used.
4 The value for the FORM template is the name of the form requested by the lp -f
command (the command used to submit a print request).

Customizing the LP Print Service (Tasks) 141

 4 The value of the COPIES template is the number of copies of the file to print. If
the filter uses this template, the LP print service will reduce to one the number of
copies of the filtered file it prints, since this “single copy” includes the multiple
copies produced by the filter.

4 The value of the MODES template comes from the lp -y command. Because a user
can specify several −y options, there may be several values for the MODES
template. The values will be applied in the left-to-right order given by the user.

The replacement part of a template shows how the value of a template should be
given to the filter program. It is typically a literal option, sometimes with the
placeholder asterisk (*) included to show where the value goes. The pattern and
replacement also can use the regular expression syntax of ed(1) for more complex
conversion of user input options into filter options. All regular expression syntax of
ed(1) is supported, including the \( ... \) and \n constructions, which can be
used to extract portions of the pattern for copying into the replacement, and the &,
which can be used to copy the entire pattern into the replacement.

Note - If a comma or an equal sign (=) is included in a pattern or a replacement,

precede it with a backslash (\). A backslash in front of any of these characters is
removed when the pattern or replacement is used.

How to Create a New Print Filter

1. Log in as superuser or lp on the print server.

2. Create a print filter program.

See “Writing a Print Filter Program” on page 133 for information on print filter
programs. By convention, filter programs for PostScript printers are located in the
/usr/lib/lp/postscript directory. You should put programs you create
under /usr/lib/lp in a directory of your choosing.

3. Create a print filter definition.

See “Creating a Print Filter Definition” on page 136 for information on print filter
definitions. You should save the printer filter definition in a text file. By
convention, filter definitions are located in the /etc/lp/fd directory and are
identified with the .fd suffix.

4. Add the print filter to a print server.

For instructions, see “How to Add a Print Filter” on page 102.

Examples—Creating a New Print Filter

The following example shows a print filter definition to convert N37 or Nlp to
simple.

142 System Administration Guide, Volume II ♦ October 1998

 Input types: N37, Nlp, simple
Output types: simple
Command: /usr/bin/col
Options: MODES expand = -x
Options: INPUT simple = -p -f

In this example, the print filter program is named col. Once you add the new print
filter to a print server, a user’s print requests will be handled as follows:
4 When a user enters the following command:

$ lp -y expand [Link]

The print filter program is run with the following arguments to convert the file:

/usr/bin/col -x -p -f

4 When a user enters the following command:

$ lp -T N37 -y expand [Link]

The print filter program is run with the following arguments to convert the file:

/usr/bin/col -x

The following example shows a print filter definition to convert from troff to
PostScript.

Input types: troff

Output types: postscript

Printer types: PS

Filter type: slow

Command: /usr/lib/lp/postscript/dpost

Options: LENGTH * = -l*

Options: MODES port = -pp, MODES land = -pl

Options: MODES group \=\([1-9]\) = -n\l

In this example, the filter program is named dpost. It takes one input type, troff,
produces a postscript output, and works with any printer of type PS (PostScript).
Users need to give just the abbreviation port or land when they ask for the paper
orientation to be in portrait mode or landscape mode. Because these options are not
intrinsic to the LP print service, users must specify them using the lp -y command.

Customizing the LP Print Service (Tasks) 143

 After you add the new print filter to a print server, print requests will be handled as
follows:
4 When a user enters the following command to submit a troff file type for
printing on a PostScript printer (type PS), with requests for landscape orientation
and a page length of 60 lines:

$ lp -T troff -o length=60 -y land -d luna [Link]

The print filter program dpost is run with the following arguments to convert the
file:

/usr/lib/lp/postscript/dpost -l60 -pl luna [Link]

4 When a user enters the following command:

$ lp -T troff -y group=4 -d luna [Link]

The print filter program dpost is run with the following arguments to convert the
file:

/usr/lib/lp/postscript/dpost -n4

Creating a New Printer Form

When you want to provide a new form, you must define its characteristics by
entering information about nine required characteristics (such as page length and
page width) as input to the lpforms command. The LP print service uses this
information to:
4 Initialize the printer so that printing is done properly on the form
4 Send reminders to the system administrator about how to handle the form
The form name can be anything you choose, as long as it does not contain more than
14 alphanumeric characters and underscores. The information must be in the
following format:

Page length: scaled number

Page width: scaled number
Number of pages: integer
Line pitch: scaled number
Character pitch: scaled number
Character set choice: character-set-name [,mandatory]
Ribbon color: ribbon-color

(continued)

144 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

Comment:
informal notes about the form
Alignment pattern: [content-type] alignment pattern

The optional phrase [,mandatory] means that the user cannot override the
character set choice in the form. The content-type can be given, although this is
optional, with an alignment pattern. If this attribute is given, the print service uses it
to determine, as necessary, how to filter and print the file.
With two exceptions, the information may appear in any order. The exceptions are
the Alignment pattern (which must always be last), and the comment (which
must always follow the line with the Comment: prompt). If the comment contains a
line beginning with a key phrase (like Page length, Page width , and so on),
precede that line with a > character so the key phrase is not at the beginning of the
line. The initial > character is stripped from the comment and is not displayed.
Not all of the information must be given. When you do not specify values for the
items listed in Table 6–7 the default values are assigned. Before running the lpforms
command, gather the following information about the new form:

TABLE 6–7 Default Form Values

Item Default Description

Page length 66 lines The length of the form, or the length of each
page in a multipage form. This information
can be the number of lines, or the size in
inches or centimeters.

Page width 80 columns The width of the form, in characters, inches,

or centimeters.

Number of pages 1 The number of pages in a multipage form.

The LP print service uses this number with
a print filter (if available) to restrict the
alignment pattern to a length of one form.
See the description of alignment pattern
below. If no filter is available, the LP print
service does not truncate the output.

Customizing the LP Print Service (Tasks) 145

 TABLE 6–7 Default Form Values (continued)

Item Default Description

Line pitch 6 lines per inch A measurement of how close lines appear
on the form. This is also called leading. It is
the distance between two lines, from
baseline to baseline, measured by either
lines per inch or lines per centimeter.

Character pitch 10 characters per A measurement of how close together

inch characters appear on the form. It is the
distance between characters, measured by
either characters per inch or characters per
centimeter.

Character set choice Any The character set, print wheel, or font
cartridge that should be used when this
form is used. Users may choose a different
character set for their own print requests
when using this form, or you can require
that only one character set be used.

Ribbon color Any If the form should always be printed using a

certain color ribbon, the LP print service can
give a mount alert message indicating which
color to use.

Comment (No default) Any remarks that might help users

understand the form. For example, the
remarks could indicate the name of the
form, its revision, its purpose, or restrictions
on its use.

Alignment pattern (No default) A sample file that the LP print service uses
to fill one blank form. When mounting the
form, you can print this pattern on the form
to align it properly. You can also define a
content type for this pattern so that the print
service knows how to print it.

Note - The LP print service does not try to mask sensitive information in the
alignment pattern. If you do not want sensitive information printed on sample
forms—for example when you align checks—then you should mask the appropriate
data. The LP print service keeps the alignment pattern stored in a safe place, where
only those logged in as root or lp can read it.

146 System Administration Guide, Volume II ♦ October 1998

When you have gathered the information for the form, you enter it as input to the
lpforms command. You should record this information first in a separate file so you
can edit it before entering it with lpforms. You can then use the file as input instead
of typing each piece of information separately after a prompt.

How to Create a New Form Definition

1. Log in as superuser or lp on the print server.

2. Create a form definition file.

See “Creating a New Printer Form” on page 144 for a description on creating
print forms. You should save the printer definition in a text file.

3. Add the form to the LP print service by using the lpadmin command.

# lpadmin -p printer-name -M -f form-name

4. Add the form to a print server.

For instructions, see “How to Add a Form” on page 107.

Customizing the LP Print Service (Tasks) 147

148 System Administration Guide, Volume II ♦ October 1998
CHAPTER 7

LP Print Service Reference Information

This chapter provides background information on the LP print service.

4 “The Structure of the LP Print Service” on page 150
4 “LP Print Service Commands” on page 158
4 “Functions of the LP Print Service” on page 160
4 “How LP Administers Files and Schedules Local Print Requests” on page 160
4 “Scheduling Network Print Requests” on page 162
4 “Filtering Print Files” on page 162
4 “What the Printer Interface Program Does” on page 162
4 “How the lpsched Daemon Tracks the Status of Print Requests” on page 163
4 “Cleaning Out Log Files” on page 163
For step-by-step instructions on print management tasks, see:
4 Chapter 3
4 Chapter 4
4 Chapter 5
4 Chapter 6

The LP Print Service

The LP print service is a set of software utilities that allows users to print files while
they continue to work. Originally, the print service was called the LP spooler. (LP
stood for line printer, but its meaning now includes many other types of printers,
such as laser printers. Spool is an acronym for system peripheral operation off-line.)

149
 The print service consists of the LP print service software, any print filters you may
provide, and the hardware (the printer, system, and network connections).

The Structure of the LP Print Service

This section describes the directory structure, files, logs, and commands of the LP
print service.

Directories
The files of the LP print service are distributed among seven directories, as shown in
Table 7–1.

TABLE 7–1 Directories for the LP Print Service

Directory Contents

/usr/bin The LP print service user commands

/etc/lp A hierarchy of LP server configuration files

/usr/share/lib The terminfo database directory

/usr/sbin The LP print service administrative commands

/usr/lib/lp The LP daemons; directories for binary files and PostScript

filters; and the model directory (which contains the standard
printer interface program)

/var/lp/logs The logs for LP activities: lpsched.n – Messages from

lpsched and requests.n – Information about completed
print requests

/var/spool/lp The spooling directory where files are queued for printing

Configuration Files
The scheduler stores configuration information in LP configuration files located in
the /etc/lp directory, as described in Table 7–2.

150 System Administration Guide, Volume II ♦ October 1998

Caution - The configuration files listed in Table 7–2 are private interfaces, and are
subject to change in future releases. You should not build software that relies on
these files being in their current locations or that relies on the data being in the
format currently used.

TABLE 7–2 Contents of the /etc/lp Directory

File Type Description

classes Directory Files identifying classes provided by the

lpadmin -c command.

fd Directory Description of existing filters.

[Link] File Print filter lookup table.

forms Directory Location to put files for each form.

Initially, this directory is empty.

interfaces Directory Printer interface program files.

logs Link to /var/lp/logs Log files of printing activities.

model Link to /usr/lib/lp/ The standard printer interface program.

model

printers Directory Directories for each local printer. Each

directory contains configuration
information and alert files for an
individual printer.

pwheels Directory Print wheel or cartridge files.

These configuration files serve a similar function to the /etc/printcap file in the
SunOS 4.1 release.

Note - You can check the contents of the configuration files, but you should not edit
them directly. Instead, use the lpadmin(1M) command to make configuration
changes. Your changes will be written to the configuration files in the /etc/lp
directory. The lpsched daemon administers and updates the configuration files.

LP Print Service Reference Information 151

 The /etc/lp/printers directory has a subdirectory for each local printer known
to the system. The following example shows the /etc/lp/printers subdirectories
of printers sparc1 and luna.

$ ls -l /etc/lp/printers
drwxrwxr-x 2 lp lp 512 Jan 23 23:53 luna
drwxrwxr-x 2 lp lp 512 Jan 11 17:50 sparc1

Within each of the printer-specific directories, the following files can describe the
printer:
4 [Link] – Shell to execute in response to alerts
4 [Link] – Alert variables
4 configuration – Configuration file
4 [Link] – List of users to whom printer access is denied
4 comment – Printer description
The configuration file for the printer luna,
/etc/lp/printers/luna/configuration, would typically appear as follows:

Banner: on: Always

Content types: PS
Device: /dev/term/b
Interface: /usr/lib/lp/model/standard
Printer type: PS
Modules: default

The terminfo Database

The /usr/share/lib directory contains the terminfo database directory, which
contains definitions for many types of terminals and printers. The LP print service
uses information in the terminfo database to initialize a printer, to establish a
selected page size, character pitch, line pitch, and character set, as well as to
communicate the sequence of codes to a printer.
Each printer is identified in the terminfo database with a short name. See “Printer
Type” on page 24 for a description of the structure of the terminfo database. If
necessary, you can add entries to the terminfo database, but it is a tedious and
time-consuming process. See “Adding a terminfo Entry for an Unsupported
Printer” on page 124.

Daemons and LP Internal Files

The /usr/lib/lp directory contains daemons and files used by the LP print
service, as described in Table 7–3.

152 System Administration Guide, Volume II ♦ October 1998

TABLE 7–3 Contents of the /usr/lib/lp Directory

File Type Description

bin Directory Contains files for generating printing alerts,

slow filters, and queue management
programs.

lpsched Daemon Manages scheduling of LP print requests.

model Directory Contains the standard printer interface

program.

postscript Directory Contains all PostScript filter programs

provided by the SunOS 5.7 or compatible LP
print service. These filters come with
descriptor files in the /etc/lp/fd directory
that tell the LP print service the
characteristics of the filters and where to
locate them.

Log Files
The LP print service maintains two sets of log files:
4 /var/spool/lp — A list of current requests that are in the print queue
4 /var/lp/logs/requests — An ongoing history of print requests

Print Queue Logs

The scheduler for each system keeps a log of print requests in the directories
/var/spool/lp/tmp/system and /var/spool/lp/requests/system. Each print
request has two files (one in each directory) that contain information about the
request. The information in the /var/spool/lp/requests/system directory can be
accessed only by root or lp. The information in the /var/spool/lp/tmp/system
can be accessed only by the user who submitted the request, root, or lp.
The following example shows the contents of the /var/spool/lp/tmp/terra
directory:

$ ls /var/spool/lp/tmp/terra
20-0 21-0

(continued)

LP Print Service Reference Information 153

 (Continuation)

terra$ cat 21-0

C 1
D slw2
F /etc/default/login
P 20
t simple
U tamiro
s 0x1000

These files remain in their directories only as long as the print request is in the queue.
Once the request is finished, the information in the files is combined and appended
to the file /var/lp/logs/requests, which is described in the next section.
Use the information in the /var/spool/lp logs if you need to track the status of
a print request that is currently in the queue.

History Logs
The LP print service records a history of printing services in two log files: lpsched
and requests. These log files are located in the /var/lp/logs directory. You can
use the information in these logs to diagnose and troubleshoot printing problems.
This is an example of the contents of the /var/lp/logs directory:

# cd /var/lp/logs
# ls
lpsched.1 requests requests.2
lpsched lpsched.2 requests.1
#

The files with the .1 and .2 suffixes are copies of the previous day’s logs. Each day,
the lp cron job cleans out the lpsched and requests log files and keeps copies
for two days. See “Creating and Editing crontab Files” on page 417 for suggestions
on modifying the cron job for cleaning out the requests log.
The two most important log files for troubleshooting is the lpsched log, which
contains information about local printing requests
The requests log contains information about print requests that are completed and
no longer in the print queue. Once a request is finished printing, the information in
the /var/spool/lp log files is combined and appended to the
/var/lp/logs/requests log.
The requests log has a simple structure, so that you can extract data using
common UNIX shell commands. Requests are listed in the order they are printed,
and are separated by lines showing their request IDs. Each line below the separator

154 System Administration Guide, Volume II ♦ October 1998

line is marked with a single letter that identifies the kind of information contained in
that line. Each letter is separated from the data by a single space.
The following example shows the contents of a requests log:

# pwd
/var/lp/logs
# tail requests.2
= slw2-20, uid 200, gid 200, size 5123, Tue Jun 17 [Link] MDT
1998
z slw2
C 1
D slw2
F /etc/motd
P 20
t simple
U irving
s 0x0100
#

Table 7–4 shows the letter codes and the content of their corresponding lines in the
LP requests log.

TABLE 7–4 Letter Codes in the LP requests Log

Letter Content of Line

= The separator line. It contains the following items: request ID, user ID
(UID), and group IDs (GIDs) of the user, the total number of bytes in the
original (unfiltered) file size, and the time when the request was queued.

C The number of copies printed.

D The printer or class destination or the word any.

F The name of the file printed. The line is repeated for each file printed;
files were printed in the order shown.

f The name of the form used.

H One of three types of special handling: resume, hold, and immediate.

N The type of alert used when the print request was successfully completed.
The type is the letter M if the user was notified by email or W if the user
was notified by a message to the terminal.

O The printer-dependent -o options (for example, nobanner).

LP Print Service Reference Information 155

 TABLE 7–4 Letter Codes in the LP requests Log (continued)

Letter Content of Line

P The priority of the print request.

p The list of pages printed.

r A single-letter line that is included if the user asked for “raw” processing
of the files (the lp -r command).

S The character set, print wheel, or cartridge used.

s The outcome of the request, shown as a combination of individual bits

expressed in hexadecimal form. Several bits are used internally by the
print service. The bits and what they mean are describe in Table 7–5.

T The title placed on the banner page.

t The type of content found in the files.

U The name of the user who submitted the print request.

x The slow filter used for the print request.

Y The list of special modes for the print filters used to print the request.

z The printer used for the request. This printer differs from the destination
(the D line) if the request was queued for any printer or a class of
printers, or if the request was moved to another destination.

Table 7–5 shows the outcome codes in the LP requests log and their descriptions.

TABLE 7–5 Outcome Codes in the LP requests Log

Outcome Code Description

0x0001 The request was held pending resume.

0x0002 Slow filtering is running.

0x0004 Slow filtering finished successfully.

156 System Administration Guide, Volume II ♦ October 1998

TABLE 7–5 Outcome Codes in the LP requests Log (continued)

Outcome Code Description

0x0008 The request is on the printer.

0x0010 Printing finished successfully.

0x0020 The request was held pending user change.

0x0040 The request was canceled.

0x0080 The request will print next.

0x0100 The request failed filtering or printing.

0x0200 The request is in transit to a remote printer. (obsolete)

0x0400 The user will be notified.

0x0800 A notification is running.

0x1000 A remote system has accepted the request. (obsolete)

0x2000 The administrator placed a hold on the request.

0x4000 The printer had to change filters.

0x8000 The request is temporarily stopped.

Spooling Directories
Files queued for printing are stored in the /var/spool/lp directory until they are
printed, which may be only seconds. Table 7–6 shows the contents of the
/var/spool/lp directory.

LP Print Service Reference Information 157

 TABLE 7–6 Contents of the /var/spool/lp Directory

File Type Description

SCHEDLOCK File Lock file for the scheduler. Check for this file if
the scheduler dies and will not restart.

admins Directory Link to /etc/lp.

bin Directory Link to /usr/lib/lp/bin.

logs Link Link to ../lp/logs where completed print

requests are logged.

model Link Link to /usr/lib/lp/model.

requests Directory Directory that contains subdirectories for each

configured printer where print requests are
logged until printed. Users cannot access this log.

system Directory A print status file for the system.

temp Link Link to /var/spool/lp/tmp/hostname, which

contains the spooled requests.

tmp Directory Directory for each configured printer where print

requests are logged until printed. Changes to
existing print requests are also recorded in this log.

LP Print Service Commands

Table 7–7 lists frequently used LP print service commands. You must be root or lp to
use the 1M commands.

158 System Administration Guide, Volume II ♦ October 1998

TABLE 7–7 Quick Reference to LP Print Service Commands

Command Task

Activate a printer
enable(1)

Cancel a print request

cancel(1)

Send one or more file(s) to a printer

lp(1)

Report the status of the LP print service

lpstat(1)

Deactivate one or more printers

disable(1)

Permit print requests to be queued for a specific destination

accept(1M)

Prevent print requests from being queued for a specific

reject(1M) destination

Set up or change printer configuration

lpadmin(1M)

Set up or change filter definitions

lpfilter(1M)

Set up or change preprinted forms

lpforms(1M)

Mount a form
lpadmin(1M)

Move output requests from one destination to another

lpmove(1M)

LP Print Service Reference Information 159

 TABLE 7–7 Quick Reference to LP Print Service Commands (continued)

Command Task

Start the LP print service scheduler

lpsched(1M)

Stop the LP print service scheduler

lpshut(1M)

Set or change the default priority and priority limits that can be
lpusers(1M) requested by users of the LP print service

Functions of the LP Print Service

The LP print service performs the following functions:
4 Administers files and schedules local print requests
4 Receives and schedules network requests
4 Filters files (if necessary) so they print properly
4 Starts programs that interface with the printers
4 Tracks the status of jobs
4 Tracks forms mounted on the printer
4 Tracks print wheels currently mounted
4 Delivers alerts to mount new forms or different print wheels
4 Delivers alerts about printing problems
“The Structure of the LP Print Service” on page 150 describes the directory structure
and commands.

How LP Administers Files and Schedules Local

Print Requests
The LP print service has a scheduler daemon called lpsched. The scheduler daemon
updates the LP system files with information about printer setup and configuration.
The lpsched daemon schedules all local print requests on a print server, as shown in
Figure 7–1, whether users issue the requests from an application or from the

160 System Administration Guide, Volume II ♦ October 1998

command line. Also, the scheduler tracks the status of printers and filters on the
print server. When a printer finishes a request, the scheduler schedules the next
request, if there is one, in the queue on the print server.

Figure 7–1 The lpsched Daemon Schedules Local Print Requests

Each print server must have only one LP scheduler running. The scheduler is started
when a system is booted (or enters run level 2) by the control script
/etc/rc2.d/S80lp. Without rebooting the systems, you can stop the scheduler
with the /usr/lib/lp/lpshut command and restart the scheduler with the
lpsched command. The scheduler for each system manages requests issued to the
system by the lp commands.

LP Print Service Reference Information 161

 Scheduling Network Print Requests
Each print client communicates directly with a print sever over the network. The
communication is done between the requesting command (lp, lpstat, cancel,
lpr, lpq, or lprm) and the print service on the print server. Doing so, reduces the
print system overhead on client only systems, improving scalability, performance and
accuracy of data.
Print servers now listen for print request with the Internet services daemon (inetd).
Upon hearing a request for print service from the network, inetd starts a program
called the “protocol adaptor” ([Link]). The protocol adaptor translates the print
request and communicates it to the print spooler, returning the results to the
requestor. It starts on demand and exits when it has serviced the network request.
This eliminates idle system overhead for printing. It also eliminates any additional
system configuration for networked printing support as was the case in previous
versions of Solaris printing.

Filtering Print Files

Print filters are programs on the print server that convert the content of a queued file
from one format to another.
A print filter can be as simple or as complex as needed. SunOS 5.7 system software
provides print filters in the /usr/lib/lp/postscript directory that cover most
situations where the destination printer requires the data to be in PostScript format.
If you need filters for non-PostScript printers, you have to create the filters and add
them to the systems that need them.
A set of print filter descriptor files are provided in the /etc/lp/fd directory. These
descriptor files describe the characteristics of the filter (for example, fast or slow
filter), and point to the filter program (for example,
/usr/lib/lp/postscript/postdaisy).

What the Printer Interface Program Does

The LP print service interacts with other parts of the operating system. It uses a
standard printer interface program to:
4 Initialize the printer port, if necessary. The standard printer interface program uses
the stty command to initialize the printer port.
4 Initialize the printer. The standard printer interface program uses the terminfo
database and the TERM shell variable to find the appropriate control sequences.
4 Print a banner page, if necessary.
4 Print the correct number of copies specified by the print request.

162 System Administration Guide, Volume II ♦ October 1998

The LP print service uses the standard interface program (found in the
/usr/lib/lp/model directory) unless you specify a different one. You can create
custom interface programs, but you must make sure that the custom program does
not terminate the connection to the printer or interfere with proper printer
initialization.

How the lpsched Daemon Tracks the Status of

Print Requests
The lpsched daemon on both the print server and print client keeps a log of each
print request that it processes and notes any errors that occur during the printing
process. This log is kept in the /var/lp/logs/lpsched file. Every night, the lp
cron job renames /var/lp/logs/lpsched to a new lpsched.n file and starts a
new log file. If errors occur or jobs disappear from the print queue, you can use the
log files to determine what lpsched has done with a printing job.

Cleaning Out Log Files

The lpsched and requests log files in the /var/lp/logs directory grow as
information is appended. The LP print service uses a default cron job to clean out
the log files. The lp cron job is located in the /var/spool/cron/crontabs/lp
file. It periodically moves the contents of the log files. The contents of log are moved
to log.1, and the contents of log.1 are moved to log.2. The contents of log.2 are lost
(that is, replaced by the former contents of log.1) when log.2 gets overwritten.

# pwd
/var/lp/logs
# tail requests
s 0x1010
= slw2-20, uid 200, gid 200, size 5123, Mon Jun 16 [Link] MDT
1997
z slw2
C 1
D slw2
F /etc/motd
P 20
t simple
U irving
s 0x1010
#

LP Print Service Reference Information 163

 How to Change Frequency of Printer Request Log
Rotation
Starting with the Solaris 2.6 release, the requests log file on the printer server is
rotated weekly rather than daily. You may want to change the rotation interval back
to daily if the printer server is busy.
1. Become superuser or lp on the printer server.

2. Set the EDITOR environment variable.

# EDITOR=vi
# export EDITOR

3. Edit the lp crontab file.

# crontab -e lp

4. Change the first line of the file which rotates the requests log files every
Sunday (0) to an asterisk (*) for daily rotation:

13 3 * * * cd /var/lp/logs; if [ -f requests ]; then if

[ -f requests.1 ]; then /bin/mv requests.1 requests.2; fi; /usr/bin/cp
requests requests.1; >requests; fi

5. Save the file and exit.

How Local Printing Works

Figure 7–2 shows what happens when a user submits a request to print a PostScript
file on a local printer, which is a printer connected to the user’s system. The local
system does all processing; however, the print request follows the same path it
would if the client and server were separate systems. Requests always flow from
client to server following the same path.

164 System Administration Guide, Volume II ♦ October 1998

Figure 7–2 The Local Printing Process

How Remote Printing Works

Figure 7–3 shows what happens when a user on a SunOS 5.7 and compatible print
client submits a print request to a SunOS 4.1 print server. The command opens a
connection and handles it’s own communications with the print server directly.

LP Print Service Reference Information 165

 Figure 7–3 Network Printing Between a SunOS 5.7 or Compatible Print Client and
a SunOS 4.1 Print Server
Figure 7–4 shows a SunOS 4.1 print client submitting a print request to a SunOS 5.7
or compatible print server. The lpd daemon handles the local part of the print
request and the connection to the print server. On the print server, the network listen
process, inetd, waits for network printing requests and starts a protocol adaptor to
service the request. The protocol adaptor communicates with the lpsched daemon,
which processes the request on the print server.

166 System Administration Guide, Volume II ♦ October 1998

Figure 7–4 Network Printing Between a SunOS 4.1 Print Client and a SunOS 5.7 or
Compatible Print Server
Figure 7–5 shows what happens when a user of a SunOS 5.7 or compatible print
client submits a print request to a SunOS 5.7 or compatible print server. The print
command on the print client handles the local part of each print request by
communicating directly with the print server.

LP Print Service Reference Information 167

 The inetd process on the print server monitors network printing requests and starts
a protocol adaptor to communicate with the lpsched daemon on the print server,
which processes the print request.

Figure 7–5 Network Printing Between a SunOS 5.7 or Later Print Client and a
SunOS 5.7 or Compatible Print Server

168 System Administration Guide, Volume II ♦ October 1998

PART II Working With Remote Systems

This part provides instructions for working with remote systems in the Solaris
environment. This part contains this chapter.

Step-by-step instructions for working with remote

Chapter 8
systems using the rlogin, ftp, and rcp commands,
and remote authorization and authentication.
CHAPTER 8

Working With Remote Systems (Tasks)

This chapter describes all the tasks required to log in to remote systems and work
with their files. This is a list of the step-by-step instructions in this chapter.
4 “How to Search for and Remove .rhosts Files” on page 179
4 “How to Find Out If a Remote System Is Operating” on page 180
4 “How to Find Who Is Logged In to a Remote System” on page 181
4 “How to Log In to a Remote System (rlogin) ” on page 181
4 “How to Log Out From a Remote System (exit)” on page 182
4 “How to Open an ftp Connection to a Remote System” on page 185
4 “How to Close an ftp Connection to a Remote System” on page 186
4 “How to Copy Files From a Remote System (ftp)” on page 186
4 “How to Copy Files to a Remote System (ftp)” on page 188
4 “How to Copy Files Between a Local and a Remote System (rcp)” on page 193
For the purpose of this chapter, a remote system is a workstation or server that is
connected to the local system with any type of physical network and configured for
TCP/IP communication, shown in Figure 8–1:

earth pluto

TCP/IP TCP/IP

LAN
WAN
local system remote system
Figure 8–1 A Remote System

171
 On systems running the Solaris release, TCP/IP configuration is established
automatically during start-up. For more information, see the TCP/IP and Data
Communications Administration Guide.

Logging In to a Remote System

(rlogin)
The rlogin command enables you to log in to a remote system. Once logged in,
you can navigate through the remote file system and manipulate its contents (subject
to authorization), copy files, or execute remote commands.
If the system you are logging into is in a remote domain, be sure to append the
domain name to the system name. In this example, SOLAR is the name of the remote
domain:
rlogin [Link]
Also, you can interrupt a remote login operation at any time by typing Control-d.

Authentication for Remote Logins (rlogin)

Authentication (establishing who you are) for rlogin operations can be performed
either by the remote system or by the network environment.
The main difference between these forms of authentication lies in the type of
interaction they require from you and the way they are established. If a remote
system tries to authenticate you, you will be prompted for a password, unless you
set up the /etc/[Link] or .rhosts file. If the network tries to authenticate
you, you won’t be asked for a password, since the network already knows who you
are. Figure 8–2 shows a simplified illustration to describe authentication for remote
logins.

172 System Administration Guide, Volume II ♦ October 1998

 Authentication by the Remote System
local system remote system

Can I log in?

What’s your
password?

Authentication by the Network

local system remote system

Can I log in?

YES NO

NIS Maps or NIS+ Tables

Figure 8–2 Authentication for Remote Logins (rlogin)
When the remote system attempts to authenticate you, it relies on information in its
local files; specifically if:
4 Your system name and user name appears in the remote system’s
/etc/[Link] file, or
4 Your system name and user name appears in the remote user’s .rhosts file,
under the remote user’s home directory
Network authentication relies on one of these two methods:
4 A “trusting network environment” that has been set up with your local network
information service and the automounter
4 One of the network information services pointed to by the remote system’s
/etc/[Link] file contains information about you

Note - Network authentication generally supersedes system authentication.

Working With Remote Systems (Tasks) 173

 The /etc/[Link] File
The /etc/[Link] file contains a list of trusted hosts for a remote system, one
per line. If a user attempts to log in remotely (using rlogin) from one of the hosts
listed in this file, and if the remote system can access the user’s password entry, the
remote system allows the user to log in without a password.

A typical [Link] file has the following structure:

host1
host2 user_a
+@group1
-@group2

When a simple entry for a host is made in [Link], such as the entry above
for host1, it means that the host is trusted, and so is any user at that machine.

If the user name is also mentioned, as in the second entry in the example, then the
host is trusted only if the specified user is attempting access.

A group name preceded by a plus sign (+) means that all the machines in that
netgroup are considered trusted.

A group name preceded by a minus sign (–) means that none of the machines in that
netgroup are considered trusted.

Security Risks When Using the /etc/[Link] File

The /etc/[Link] file presents a security risk. If you maintain a
/etc/[Link] file on your system, you should include only trusted hosts in
your network. The file should not include any host that belongs to a different
network, or any machines that are in public areas. (For example, do not include a
host that is located in a terminal room.)

This can create a serious security problem. Either replace the /etc/[Link]
file with a correctly configured one, or remove the file altogether.

A single line of + in the /etc/[Link] file indicates that every known host is
trusted.

The .rhosts File

The .rhosts file is the user equivalent of the /etc/[Link] file. It contains a
list of host-user combinations, rather than hosts in general. If a host-user
combination is listed in this file, the specified user is granted permission to log in
remotely from the specified host without having to supply a password.

174 System Administration Guide, Volume II ♦ October 1998

Note that a .rhosts file must reside at the top level of a user’s home directory.
.rhost files located in subdirectories are not consulted.
Users can create .rhosts files in their home directories. Using the .rhosts file is
another way to allow trusted access between their own accounts on different systems
without using the /etc/[Link] file.

Security Risks When Using the .rhosts File

Unfortunately, the .rhosts file presents a major security problem. While the
/etc/[Link] file is under the system administrator’s control and can be
managed effectively, any user may create a .rhosts file granting access to
whomever the user chooses without the system administrator’s knowledge.
In a situation in which all of the users’ home directories are on a single server and
only certain people have superuser access on that server, a good way to prevent a
user from using a .rhosts file is to create an empty file as superuser in their home
directory. You would then change the permissions in this file to 000 so that it would
be difficult to change it, even as superuser. This would effectively prevent a user
from risking system security by using a .rhosts file irresponsibly. It would not,
however, solve anything if the user is able to change the effective path to his or her
home directory.
The only secure way to manage .rhosts files is to completely disallow them. See
“How to Search for and Remove .rhosts Files” on page 179 for detailed
instructions. As system administrator, you can check the system often for violations
of this policy. One possible exception to this policy is for the root account—you may
need to have a .rhosts file to perform network backups and other remote services.

Linking Remote Logins

Provided your system is configured properly, you can link remote logins. In this
example, a user on earth logs in to jupiter, and from there decides to log in to
pluto:

Working With Remote Systems (Tasks) 175

 rlogin jupiter rlogin pluto (through jupiter )

local system:
earth

remote system:
jupiter

remote system:
pluto
Of course, the user could have logged out of jupiter and then logged in directly to
pluto, but this type of linking can be more convenient.
To link remote logins without having to supply a password, you must have the
/etc/[Link] or .rhosts file set up correctly.

Direct vs. Indirect Remote Logins

The rlogin command allows you to log in to a remote system directly or indirectly,
as shown in Figure 8–3.

176 System Administration Guide, Volume II ♦ October 1998

 rlogin mars
Direct Login

earth mars

Already logged on to
the local system
earth, Jones logs in
remotely to the remote
system mars.

rlogin -l jones earth

Indirect Login

earth mars
From mars, Jones
logs in remotely to
his home system
earth.
Figure 8–3 Direct and Indirect Logins
A direct remote login is attempted with the default user name; that is, the user name
of the individual currently logged in to the local system. This is the most common
form of remote login.
An indirect remote login is attempted with a different user name, which is supplied
during the remote login operation. This is the type of remote login you might
attempt from a workstation that you borrowed temporarily. For instance, if you were
in a coworker’s office and needed to examine files in your home directory, you might
log in to your system remotely, from your coworker’s system, but you would
perform an indirect remote login, supplying your own user name.
The dependencies between direct and indirect logins and authentication methods are
summarized in Table 8–1.

Working With Remote Systems (Tasks) 177

 TABLE 8–1 Dependencies Between Login Method and Authentication Method (rlogin)

User Name
Type of Login Supplied By Authentication Password

Direct System Network None

System Required

Indirect User Network None

System Required

What Happens After You Log In Remotely

When you log in to a remote system, the rlogin command attempts to find your
home directory. If the rlogin command can’t find your home directory, it will
assign you to the remote system’s root (/) directory. For example:

Unable to find home directory, logging in with /

However, if the rlogin command finds your home directory, it sources both your
.cshrc and .login files. Therefore, after a remote login, your prompt is your
standard login prompt, and the current directory is the same as when you log in
locally.
For example, if your usual prompt displays your system name and working
directory, and when you log in, your working directory is your home directory, your
login prompt looks like this:

earth(/home/smith):

Then when you log in to a remote system, you will see a similar prompt and your
working directory will be your home directory, regardless of the directory from
which you entered the rlogin command:

earth(/home/smith):rlogin pluto
.

pluto(/home/smith):

178 System Administration Guide, Volume II ♦ October 1998

The only difference is that the name of the remote system would take the place of
your local system at the beginning of the prompt. Where, then, is the remote file
system? It is parallel to your home directory, as shown below:
Your home directory has been
mounted on the remote system,
parallel to the remote user’s
home directory.
local remote
earth:/home pluto:/home

earth:/home/smith pluto:/home/smith pluto:/home/jones

In other words, if you cd to /home and then run ls, this is what you’ll see:

earth(home/smith): cd ..

earth(/home): ls
smith jones

How to Search for and Remove .rhosts Files

1. Become superuser.

2. Search for and remove .rhosts files by using the find(1) command.

# find home-directories -name .rhosts -print -exec rm{}

home-directories Identifies the path to a directory where users’ home

directories are located. Note that you can enter multiple
paths to search more than one home directory at a time.

-name .rhosts Identifies the filename.

-print Prints the current pathname.

-exec rm {} \; Tells the find command to apply the rm command to all

files identified using the matching filename.

Working With Remote Systems (Tasks) 179

 The find command starts at the designated directory and searches for any file
named .rhosts. If it finds any, it prints the path on the screen and removes it.

Example—Searching For and Removing .rhosts Files

The following example searches and removes .rhosts files in all the user’s home
directories located in the /export/home directory.

# find /export/home -name .rhosts -print | xargs -i -t rm{}

How to Find Out If a Remote System Is Operating

Find out if a remote system is operating by using the ping(1M) command.

$ ping system-name | ip-address

system-name The name of the remote system.

ip-address The IP address of the remote system.

The ping command returns one of three messages:

Status Message Explanation

system-name is alive The system can be accessed over the

network.

ping:unknown host system-name The system name is unknown.

ping:no answer from system-name The system is known, but is not currently
operating.

If the system you “ping” is located in a different domain, the return message may
also contain routing information, which you can ignore.
The ping command has a time-out of 20 seconds. In other words, if it does not get a
response within 20 seconds, it returns the third message. You can force ping to wait
longer (or less) by entering a time-out value, in seconds:

$ ping system-name | ip-address time-out

For more information, see the ping man page.

180 System Administration Guide, Volume II ♦ October 1998

How to Find Who Is Logged In to a Remote
System
Find who is logged in to a remote system by using the rusers(1) command.

$ rusers [-l] remote-system-name

rusers (No options) Displays the name of the system followed by the name of users
currently logged in to it, including root.

-l Displays additional information about each user: the user’s login window, login
time and date, amount of time logged in, and the name of the remote system from
which the user logged on.

Example—Finding Who Is Logged In to a Remote System

The following example shows the short output of rusers.

$ rusers pluto
pluto smith jones

In the following example, the long version of rusers show that two users are
logged in to the remote system named pluto. The first user logged in from the
system console on November 18 and has been logged on for 4 hours and 10 minutes.
The second user logged in from a remote system, mars, on the same date, and has
been logged on for a similar amount of time.

$ rusers -l pluto
smith pluto:console Nov 18 09:19 4:10
jones mars:console Nov 18 09:20 4:11 (mars)

How to Log In to a Remote System (rlogin)

Log in to a remote system using the rlogin(1) command.

$ rlogin [-l user-name] system-name

Working With Remote Systems (Tasks) 181

 rlogin (No options) Logs you in to the remote system directly; in other words,
with your current user name.

-l user-name Logs you into the remote system indirectly; in other words, with the
user name you supply.

If the network attempts to authenticate you, you won’t be prompted for a password.
If the remote system attempts to authenticate you, you will be asked to provide a
password.
If the operation succeeds, the rlogin command displays brief information about
your latest remote login to that system, the version of the operating system running
on the remote system, and whether you have mail waiting for you in your home
directory.

Example—Logging In to a Remote System (rlogin)

The following example shows the output of a direct remote login to pluto. The user
has been authenticated by the network.

$ rlogin pluto
Last login: Thu Feb 26 [Link] from earth
Sun Microsystems Inc. SunOS 5.7 September 1998
You have mail.
pluto%

The following example shows the output of an indirect remote login to pluto, with
the user being authenticated by the remote system.

$ rlogin -l smith pluto

password: user-password
Last login: Thu Feb 26 [Link] from earth
Sun Microsystems Inc. SunOS 5.7 September 1998
You have mail.
pluto%

How to Log Out From a Remote System (exit)

Log out from a remote system by using the exit(1) command.

182 System Administration Guide, Volume II ♦ October 1998

 $ exit

Example—Logging Out From a Remote System (exit)

This example shows the user smith logging out from the system pluto.

$ exit
pluto% logout
Connection closed.
earth%

Logging In to a Remote System (ftp)

The ftp command opens the user interface to the Internet’s File Transfer Protocol.
This user interface, called the command interpreter, enables you to log in to a remote
system and perform a variety of operations with its file system. The principal
operations are summarized in Table 8–2.
The main benefit of ftp over rlogin and rcp is that ftp does not require the
remote system to be running UNIX. (The remote system does, however, need to be
configured for TCP/IP communications.) On the other hand, rlogin provides access
to a richer set of file manipulation commands than ftp does.

Authentication for Remote Logins (ftp)

Authentication for ftp remote login operations can be established either by:
4 Including your password entry in the remote system’s /etc/passwd file or
equivalent network information service map or table.
4 Establishing an anonymous ftp account on the remote system.

Essential ftp Commands

Working With Remote Systems (Tasks) 183

 TABLE 8–2 Essential ftp Commands

Command Description

ftp Accesses the ftp command interpreter

ftp remote-system Establishes an ftp connection to a remote system. For

instructions, see “How to Open an ftp Connection to a Remote
System” on page 185

open Logs in to the remote system from the command interpreter

close Logs out of the remote system and returns to the command
interpreter

bye Quits the ftp command interpreter

help Lists all ftp commands or, if a command name is supplied,

briefly describes what the command does

reset Re-synchronizes the command-reply sequencing with the

remote ftp server

ls Lists the contents of the remote working directory

pwd Displays the name of the remote working directory

cd Changes the remote working directory

lcd Changes the local working directory

mkdir Creates a directory on the remote system

rmdir Deletes a directory on the remote system

get, mget Copies a file (or multiple files) from the remote working
directory to the local working directory

put, mput Copies a file (or multiple files) from the local working directory
to the remote working directory

delete, mdelete Deletes a file (or multiple files) from the remote working
directory

For more information, see ftp(1).

184 System Administration Guide, Volume II ♦ October 1998

How to Open an ftp Connection to a Remote
System
1. Make sure you have ftp authentication.
You must have ftp authentication, as described in “Authentication for Remote
Logins (ftp)” on page 183.

2. Open a connection to a remote system by using the ftp command.

$ ftp remote-system

If the connection succeeds, a confirmation message and prompt is displayed.

3. Enter your user name.

Name (remote-system:user-name): user-name

4. If prompted, enter your password.

331 Password required for user-name:

Password: password

If the system you are accessing has established an anonymous ftp account, you
will not be prompted for a password. If the ftp interface accepts your password,
it displays a confirmation message and the (ftp>) prompt.
You can now use any of the commands supplied by the ftp interface, including
help. The principal commands are summarized in Table 8–2.

Example—Opening an ftp Connection to a Remote System

This ftp session was established by the user smith on the remote system pluto:

$ ftp pluto
Connected to pluto.
220 pluto FTP server (UNIX(r) System V Release 4) ready.
Name (pluto:smith): smith
331 Password required for smith:
Password: password
230 User smith logged in.

(continued)

Working With Remote Systems (Tasks) 185

 (Continuation)

ftp>

How to Close an ftp Connection to a Remote

System
Close an ftp connection to a remote system by using the bye command.

ftp> bye
221 Goodbye.
earth%

A good-bye message appears, followed by your usual shell prompt.

How to Copy Files From a Remote System (ftp)

1. Change to a directory on the local system where you want the files from the
remote system to be copied.

$ cd target-directory

2. Establish an ftp connection.

See “How to Open an ftp Connection to a Remote System” on page 185.

3. Change to the source directory.

ftp> cd source-directory

If your system is using the automounter, the home directory of the remote
system’s user appears parallel to yours, under /home.

4. Make sure you have Read permission for the source files.

ftp> ls -l

5. To copy a single file, use the get command.

ftp> get filename

186 System Administration Guide, Volume II ♦ October 1998

6. To copy multiple files at once, use the mget command.

ftp> mget filename [filename ...]

You can supply a series of individual file names and you can use wildcard
characters. The mget command will copy each file individually, asking you for
confirmation each time.

7. Close the ftp connections.

ftp> bye

Examples—Copying Files From a Remote System (ftp)

In this example, the user kryten opens an ftp connection to the system pluto, and
uses the get command to copy a single file from the /tmp directory:

$ cd $HOME
ftp pluto
Connected to pluto.
220 pluto FTP server (SunOS 5.7) ready.
Name (pluto:kryten): kryten
331 Password required for kryten.
Password: xxx
230 User kryten logged in.
ftp> cd /tmp
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls ([Link],34344)
(0 bytes).
dtdbcache_:0
filea
files
ps_data
[Link]
226 ASCII Transfer complete.
53 bytes received in 0.022 seconds (2.39 Kbytes/s)
ftp> get filea
200 PORT command successful.
150 ASCII data connection for filea ([Link],34331)
(0 bytes).
226 ASCII Transfer complete.
ftp> bye
221 Goodbye.

In this example, the same user kryten uses the mget command to copy a set of files
from the /tmp directory to his home directory. Note that kryten can accept or reject
individual files in the set.

Working With Remote Systems (Tasks) 187

 $ ftp> cd /tmp
250 CWD command successful.
ftp> ls files
200 PORT command successful.
150 ASCII data connection for /bin/ls ([Link],34345)
(0 bytes).
fileb
filec
filed
226 ASCII Transfer complete.
remote: files
21 bytes received in 0.015 seconds (1.36 Kbytes/s)
ftp> cd files
250 CWD command successful.
ftp> mget file*
mget fileb? y
200 PORT command successful.
150 ASCII data connection for fileb ([Link],34347)
(0 bytes).
226 ASCII Transfer complete.
mget filec? y
200 PORT command successful.
150 ASCII data connection for filec ([Link],34348)
(0 bytes).
226 ASCII Transfer complete.
mget filed? y
200 PORT command successful.
150 ASCII data connection for filed ([Link],34351)
(0 bytes).
226 ASCII Transfer complete.200 PORT command successful.
ftp> bye
221 Goodbye.

How to Copy Files to a Remote System (ftp)

1. Change to the source directory on the local system.
The directory from which you enter the ftp command will be the local working
directory, and thus the source directory for this operation.

2. Establish an ftp connection.

See “How to Open an ftp Connection to a Remote System” on page 185.

3. Change to the target directory.

ftp> cd target-directory

Remember, if your system is using the automounter, the home directory of the
remote system’s user appears parallel to yours, under /home.

188 System Administration Guide, Volume II ♦ October 1998

4. Make sure you have Write permission to the target directory.

ftp> ls -l target-directory

5. To copy a single file, use the put command.

ftp> put filename

6. To copy multiple files at once, use the mput command.

ftp> mput filename [filename ...]

You can supply a series of individual file names and you can use wildcard
characters. The mput command will copy each file individually, asking you for
confirmation each time.

7. To close the ftp connection, type bye.

ftp> bye

Examples—Copying Files to a Remote System (ftp)

In this example, the user kryten opens an ftp connection to the system pluto, and
uses the put command to copy a file from his system to the /tmp directory on
system pluto:

$ cd /tmp
ftp pluto
Connected to pluto.
220 pluto FTP server (SunOS 5.7) ready.
Name (pluto:kryten): kryten
331 Password required for kryten.
Password: xxx
230 User kryten logged in.
ftp> cd /tmp
250 CWD command successful.
ftp> put filef
200 PORT command successful.
150 ASCII data connection for filef ([Link],34356).
226 Transfer complete.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls ([Link],34357) (0 bytes).
dtdbcache_:0
filea

(continued)

Working With Remote Systems (Tasks) 189

 (Continuation)

filef
files
ps_data
[Link]
226 ASCII Transfer complete.
60 bytes received in 0.058 seconds (1.01 Kbytes/s)
ftp> bye
221 Goodbye.

In this example, the same user kryten uses the mput command to copy a set of files
from his home directory to the /tmp directory system pluto. Note that kryten can
accept or reject individual files in the set.

$ cd $HOME/testdir
$ ls
test1 test2 test3
$ ftp pluto
Connected to pluto.
220 pluto FTP server (SunOS 5.7) ready.
Name (pluto:kryten): kryten
331 Password required for kryten.
Password: xxx
230 User kryten logged in.
ftp> cd /tmp
250 CWD command successful.
ftp> mput test*
mput test1? y
200 PORT command successful.
150 ASCII data connection for test1 ([Link],34365).
226 Transfer complete.
mput test2? y
200 PORT command successful.
150 ASCII data connection for test2 ([Link],34366).
226 Transfer complete.
mput test3? y
200 PORT command successful.
150 ASCII data connection for filef ([Link],34356).
226 Transfer complete.
ftp> bye
221 Goodbye.

190 System Administration Guide, Volume II ♦ October 1998

 Remote Copying With rcp
The rcp command copies files or directories between a local and a remote system or
between two remote systems. You can use it from a remote system (after logging in
with the rlogin command) or from the local system (without logging in to a remote
system).
With rcp, you can perform the following remote copy operations:
4 Copy a file or directory from your system to a remote system
4 Copy a file or directory from a remote system to your local system
4 Copy a file or directory between remote systems from your local system
If you have the automounter running, you can perform these remote operations with
the cp command. However, the range of cp is constrained to the virtual file system
created by the automounter and to operations relative to a user’s home directory
and, since rcp performs the same operations without these constraints, this section
will describe only the rcp versions of these tasks.

Security Considerations for Copy Operations

To copy files or directories between systems, you must have permission to log in and
copy files.

Caution - Both the cp and rcp commands can overwrite files without warning.
Make sure file names are correct before executing the command.

Specifying Source and Target

With the rcp command in the C-shell, you can specify source (the file or directory
you want to copy) and target (the location into which you will copy the file or
directory) with either absolute or abbreviated pathnames.
Absolute Pathnames Abbreviated Pathnames

From Local System mars:/home/jones/[Link] ~jones/[Link]

After Remote Login /home/jones/[Link] ~jones/[Link]

Working With Remote Systems (Tasks) 191

 Absolute pathnames identify files or directories mounted on a particular system. In
the example above, the first absolute pathname identifies a file ([Link]) on the
mars system. Abbreviated pathnames identify files or directories relative to a user’s
home directory, wherever that may reside. In the first example above, the
abbreviated pathname identifies the same file, [Link], but uses “~” symbol to
indicate the jones home directory. In effect . . .
~ = mars:/home/jones
The examples on the second line, above, demonstrate the user of absolute and
abbreviated pathnames after a remote login. There is no difference for the
abbreviated pathname, but because the remote login operation mounted the jones
home directory onto the local system (parallel to the local user’s home directory), the
absolute pathname no longer requires the system name mars. For more information
about how a remote login operation mounts another user’s home directory, see
“What Happens After You Log In Remotely” on page 178.
Table 8–3 provides a representative sample of absolute and abbreviated pathnames
recognized by the C shell. It uses the following terminology:
4 working directory—The directory from which the rcp command is entered. Can
be remote or local.
4 current user—The user name under which the rcp command is entered.

TABLE 8–3 Allowed Syntaxes for Directory and File Names

Logged in to Syntax Description

Local system . The local working directory

path/filename The path and filename in the local working

directory

~ The current user’s home directory

~/path/filename The path and filename beneath the current

user’s home directory

~user The home directory of user

~user/path/filename The path and filename beneath the home

directory of user

remote-system:path/filename The path and filename in the remote working

directory

Remote . The remote working directory

system

192 System Administration Guide, Volume II ♦ October 1998

TABLE 8–3 Allowed Syntaxes for Directory and File Names (continued)

Logged in to Syntax Description

filename The filename in the remote working directory

path/filename The path and filename in the remote working

directory

~ The current user’s home directory

~/path/filename The path and filename in the current user’s

home directory

~user The home directory of user

~/user/path/filename The path and filename beneath the home

directory of user

local-system:path/filename The path and filename in the local working

directory

How to Copy Files Between a Local and a Remote

System (rcp)
1. Be sure you have permission to copy.
You should at least have read permission on the source system and write
permission on the target system.

2. Determine the location of the source and target.

If you don’t know the path of the source or target, you can first log into the remote
system with the rlogin command, as described in “How to Log In to a Remote
System (rlogin) ” on page 181. Then, navigate through the remote system until
you find the location. You can then perform the next step without logging out.

3. Copy the file or directory.

$ rcp [-r]source-file|directory target-file|directory

Working With Remote Systems (Tasks) 193

 rcp (No options) Copies a single file from the source to the target.

-r Copies a directory from the source to the target.

This syntax applies whether you are logged in to the remote system or in to the
local system. Only the pathname of the file or directory changes, as described in
Table 8–3 and as illustrated in the examples below.
You can use the “~” and “.” characters to specify the path portions of the local
file or directory names. Note, however, that “~” applies to the current user, not
the remote system, and that “.” applies to system you are logged into. For
explanations of these symbols, see Table 8–3.

Examples—Copying Files Between a Local and a Remote

System (rcp)
Here are a few examples. In the first two, the source is remote; in the last two, the
source is local.
In this example, rcp copies the file [Link] from the /home/jones directory
of the remote system pluto to the working directory (/home/smith) on the local
system, earth:

earth(/home/smith): rcp pluto:/home/jones/[Link] .

earth pluto

rcp pluto ...

/home/jones
/home/smith

[Link] [Link]

Since the rcp operation is performed without a remote login, the “.” symbol applies
to the local system, not the remote system.

194 System Administration Guide, Volume II ♦ October 1998

The working directory happens to be the local user’s home directory, so it could have
been specified with the “~” symbol as well:

earth(home/smith): rcp pluto:/home/jones/[Link] ~

In the following example, rcp is used —while logged in to the remote system— to
perform the same operation. Although the flow of the operation is the same, the
paths change to take into account the remote login:

earth(/home/smith): rlogin pluto

.
.
.
pluto(/home/jones): rcp [Link] ~

earth (logged in to pluto) pluto

rcp ...

/home/jones
/home/smith

[Link] [Link]

Use of the “.” symbol would be inappropriate in this instance because of the remote
login; it would simply apply to the remote system, essentially directing rcp to create
a duplicate file. The “~” symbol, however, refers to the current user’s home directory,
even when logged in to a remote system.
In the following example, rcp copies the file [Link] from the home directory
(/home/smith) of the local system earth to the /home/jones directory of the
remote system, pluto:

earth(/home/smith): rcp [Link] pluto:/home/jones

Working With Remote Systems (Tasks) 195

 earth pluto

rcp pluto ...

/home/jones
/home/smith

[Link] [Link]

Because no remote filename is provided, the file [Link] is copied into the
/home/jones directory with the same name.
In this example, the operation is repeated, but rcp is entered from a different
working directory on the local system (/tmp). Note the use of the “~” symbol to
refer to the current user’s home directory:

earth(/tmp): rcp ~/[Link] pluto:/home/jones

In this example, rcp is used —while logged in to the remote system— to perform
the same operation as in the previous example. Although the flow of the operation is
the same, the paths change the take into account the remote login:

earth(/home/smith): rlogin pluto

.
.
.
pluto(/home/jones): rcp ~/[Link] .

196 System Administration Guide, Volume II ♦ October 1998

 earth (logged in to pluto) pluto

rcp ...

/home/jones
/home/smith

[Link] [Link]

In this instance, the “~” symbol can be used to denote the current user’s home
directory, even though it is on the local system. The “.” symbol refers to the working
directory on the remote system because the user is logged in to the remote system.
Here is an alternative syntax that performs the same operation:

pluto(/home/jones): rcp earth:/home/smith/[Link] /home/jones

Working With Remote Systems (Tasks) 197

198 System Administration Guide, Volume II ♦ October 1998
PART III Managing Terminals and Modems

This part provides instructions for managing terminals and modems. This part
contains these chapters.

Provides overview information about terminals and

Chapter 9
modems.

Provides step-by-step instructions for setting up

Chapter 10
terminals and modems.

Provides step-by-step instructions for using SAF

Chapter 11
commands to set up terminals and modems.
CHAPTER 9

Managing Terminals and Modems

(Overview)

This chapter provides the overview information for managing terminals and
modems. This is a list of the overview information in this chapter.
4 “Terminals, Modems, Ports, and Services” on page 201
4 “Tools for Managing Terminals and Modems” on page 204
4 “Admintool” on page 205
4 “Service Access Facility” on page 206
For step-by-step instructions about how to set up terminals and modems with
Admintool, see Chapter 10.
For step-by-step instructions about how to set up terminals and modems with the
Service Access Facility (SAF), see Chapter 11.

Terminals, Modems, Ports, and Services

Terminals and modems provide both local and remote access to system and network
resources. Setting up terminals and modem access is an important responsibility of a
system administrator. This section explains some of the concepts behind modem and
terminal management in the Solaris environment.

201
 Terminals
Your system’s bit-mapped graphics display is not the same as an alphanumeric
terminal, which connects to a serial port and displays only text. You don’t have to
perform any special steps to administer the graphics display.

Modems
Modems can be set up in three basic configurations:
4 Dial-out
4 Dial-in
4 Bidirectional
A modem connected to your home computer might be set up to provide dial-out
service, meaning you can access other computers from your own home, but nobody
outside can gain access to your machine.
Dial-in service is just the opposite. It allows people to access a system from remote
sites, but it does not permit calls to the outside world.
Bidirectional access, as the name implies, provides both dial-in and dial-out
capabilities.

Ports
A port is a channel through which a device communicates with the operating system.
From a hardware perspective, a port is a “receptacle” into which a terminal or
modem cable may be plugged.
However, a port is not strictly a physical receptacle, but an entity with hardware
(pins and connectors) and software (a device driver) components. A single physical
receptacle often provides multiple ports, allowing connection of two or more devices.
Common types of ports include serial, parallel, small computer systems interface
(SCSI), and Ethernet.
A serial port, using a standard communications protocol, transmits a byte of
information bit-by-bit over a single line.
Devices that have been designed according to RS-232-C or RS-423 standards (this
includes most modems, alphanumeric terminals, plotters, and some printers) can be
plugged interchangeably (using standard cables) into serial ports of computers that
have been similarly designed.
When many serial port devices must be connected to a single computer, it may be
necessary to add an adapter board to the system. The adapter board, with its driver

202 System Administration Guide, Volume II ♦ October 1998

software, provides additional serial ports for connecting more devices than could
otherwise be accommodated.

Services
Modems and terminals gain access to computing resources via the serial port
software. The serial port software must be set up to provide a particular “service” for
the device attached to the port. For example, you can set up a serial port to provide
bidirectional service for a modem.

Port Monitors
The main mechanism for gaining access to a service is through a port monitor. A port
monitor is a program that continuously monitors for requests to log in or access
printers or files.
When a port monitor detects a request, it sets whatever parameters are required to
establish communication between the operating system and the device requesting
service. Then the port monitor transfers control to other processes that provide the
services needed.
Table 9–1 describes the two types of port monitors included in the Solaris
environment.

TABLE 9–1 Port Monitor Types

Port Monitor Description

Controls access to network services, such as handling

listen(1M) remote print rquests prior to the Solaris 2.6 release. The
default Solaris operating environment no longer uses this
port monitor type.

Provides access to the login services needed by modems

ttymon(1M) and alphanumeric terminals. Solstice Serial Port Manager
automatically sets up a ttymon port monitor to process
login requests from these devices. Using Solstice Serial
Port Manager to set up terminals and modems is
described in Chapter 10.

You may be familiar with an older port monitor called getty(1M). The new
ttymon is more powerful; a single ttymon can replace multiple occurrences of
getty. Otherwise, these two programs serve the same function.

Managing Terminals and Modems (Overview) 203

 Tools for Managing Terminals and
Modems
Table 9–2 lists the recommended tools for managing terminals and modems. Table
9–3 lists specific differences in functionality between the Service Access Facility (SAF)
and the SolsticeTM Serial Port Manager.

TABLE 9–2 Recommended Tools For Managing Terminals and Modems

If You Want The Tool Then Use ... To Start This Tool See ...
That Is ...

The most comprehensive Service Access Facility (SAF)

“Service Access Facility”
commands
on page 206

The quickest setup Admintool graphical user interface

Chapter 10
(for local systems only)

Solstice AdminSuite’s Serial Port Solstice AdminSuite 2.3

Manager graphical user interface Administration Guide
(for local and remote systems in a
networked, name service
environment)

TABLE 9–3 Functionality Differences Between Solstice Serial Port Manager and Service

204 System Administration Guide, Volume II ♦ October 1998

TABLE 9–3 Functionality Differences Between Solstice Serial Port Manager and Service
Access Facility (continued)

Access Facility

If You Need To ... Then Use ... Comment

Inform users that a Service Access ttyadmin -i specifies the inactive

port is disabled Facility ttyadm -i (disabled) response message. The message is
sent to a terminal or modem when a user
attempts to log in when the port is disabled.
This functionality is not provided when a
port is disabled using Solstice Serial Port
Manager.

Keep the modem Service Access ttyadm -h specifies that the system will not
connection when a Facility ttyadm -h hang up on a modem before setting or
user logs off a host resetting to the default or specified value. If
ttyadm -h is not used, when the user logs
out of a host, the host will hang up the
modem.

Require the user to Service Access ttyadm -r specifies that ttymon should
type a character Facility ttyadm -r require the user to type a character or press
before the system Return a specified number of times before
displays a prompt the login prompt appears. When -r is not
specified, pressing Return one or more times
will print the prompt anyway. This option
prevents a terminal server from issuing a
welcome message that the Solaris host might
misinterpret to be a user trying to log in.
Without the -r option, the host and terminal
server might begin looping and printing
prompts to each other.

Admintool
Admintool sets up the serial port software to work with terminals and modems by
calling the pmadm command with the appropriate information. It also provides:
4 Templates for common terminal and modem configurations
4 Multiple port setup, modification, or deletion
4 Quick visual status of each port

Managing Terminals and Modems (Overview) 205

 Service Access Facility
The SAF is the tool used for administering terminals, modems, and other network
devices. In particular, SAF enables you to set up:
4 ttymon and listen port monitors (using the sacadm command)
4 ttymon port monitor services (using the pmadm and ttyadm commands)
4 listen port monitor services (using the pmadm and nlsadmin commands)
4 And troubleshoot tty devices
4 And troubleshoot incoming network requests for printing service
4 And troubleshoot the Service Access Controller (using the sacadm command)
The SAF is an open-systems solution that controls access to system and network
resources through tty devices and local-area networks (LANs). SAF is not a
program. It is a hierarchy of background processes and administrative commands.

206 System Administration Guide, Volume II ♦ October 1998

CHAPTER 10

Setting Up Terminals and Modems

(Tasks)

This chapter provides step-by-step instructions for setting up terminals and modems
using Admintool. This is a list of the step-by-step instructions in this chapter.
4 “How to Start Admintool” on page 213
4 “How to Set Up a Terminal” on page 214
4 “How to Set Up a Modem” on page 215
4 “How to Set Up a Modem for Use With UUCP” on page 217
4 “How to Initialize a Port” on page 218
4 “How to Disable a Port” on page 219
4 “ How to Remove a Port Service” on page 220
For overview information about terminals and modems, see Chapter 9.

Setting Up Terminals and Modems

When setting up serial port information, start Admintool, and select Serial Ports
from the Browse menu. Select a serial port from the Serial Ports window and then
choose Modify from the Edit menu to bring up the Modify Serial Port window. This
window provides access to the port templates and provides information on the port
in three levels of detail—Basic, More, and Expert.

207
 Note - The Modify Serial Port window appears in the Basic detail mode. To view
More or Expert details, select the More or Expert option from the Detail menu.

The descriptions of each item in the Modify Serial window are listed in Table 10–1.

TABLE 10–1 Modify Serial Port Window Items

Detail Item Description

Basic Port Lists the port or ports you selected from Serial Ports
main window.

Service Specifies that the service for the port is turned on

(enabled).

Baud Rate Specifies the line speed used to communicate with the
terminal. The line speed represents an entry in the /
etc/ttydefs file.

208 System Administration Guide, Volume II ♦ October 1998

TABLE 10–1 Modify Serial Port Window Items (continued)

Detail Item Description

Terminal Type Shows the abbreviation for the type of terminal, for
example, ansi or vt100. Similar abbreviations are
found in /etc/termcap. This value is set in the
$TERM environment variable.

More Option: Initialize Specifies that the port software is initialized but not
Only configured.

Option: Bidirectional Specifies that the port line is used in both directions.

Option: Software Specifies that the software carrier detection feature is

Carrier used. If the option is not checked, the hardware carrier
detection signal is used.

Login Prompt Shows the prompt displayed to a user after a

connection is made.

Comment Shows the comment field for the service.

Service Tag Lists the service tag associated with this

port—typically an entry in the /dev/term directory.

Port Monitor Tag Specifies the name of the port monitor to be used for
this port. Note: The default monitor is typically correct.

Expert Create utmp Entry Specifies that a utmp entry is created in the accounting
files upon login. Note: This item must be selected if a
login service is used. See the Service item.

Connect on Carrier Specifies that a port’s associated service is invoked

immediately when a connect indication is received.

Service Shows the program that is run upon connection.

Streams Modules Shows the STREAMS modules that are pushed before
the service is invoked.

Timeout (secs) Specifies the number of seconds before a port is closed

if the open process on the port succeeds and no input
data is received.

Setting Up Terminals and Modems (Tasks) 209

 Setting Up Terminals
Table 10–2 describes the menu items (and their default values) when setting up a
terminal using Serial Ports.

TABLE 10–2 Terminal - Hardwired Default Values

Detail Item Default Value

Basic Port —

Service Enabled

Baud Rate 9600

Terminal Type —

More Option: Initialize Only no

Option: Bidirectional no

Option: Software Carrier yes

Login Prompt login:

Comment Terminal - Hardwired

Service Tag —

Port Monitor Tag zsmon

Expert Create utmp Entry yes

Connect on Carrier no

Service /usr/bin/login

Streams Modules ldterm,ttcompat

Timeout (secs) Never

210 System Administration Guide, Volume II ♦ October 1998

Setting Up Modems
Table 10–3 describes the three modem templates available when setting up a modem
using Serial Ports.

TABLE 10–3 Modem Templates

Modem Configuration Description

Dial-In Only Users may dial in to the modem but cannot dial out.

Dial-Out Only Users may dial out from the modem but cannot dial in.

Bidirectional Users may either dial in or out from the modem.

Table 10–4 describes the default values of each template.

TABLE 10–4 Modem Template Default Values

Modem - Dial-In Modem - Modem -

Detail Item Only Dial-Out Only Bidirectional

Basic Port — — —

Service Enabled Enabled Enabled

Baud Rate 9600 9600 9600

Terminal — — —
Type

More Option: yes no no

Initialize
Only

Option: no no yes
Bidirectional

Option: no no no
Software
Carrier

Login login: login: login:

Prompt

Setting Up Terminals and Modems (Tasks) 211

 TABLE 10–4 Modem Template Default Values (continued)

Modem - Dial-In Modem - Modem -

Detail Item Only Dial-Out Only Bidirectional

Comment Modem - Dial-In Modem - Modem -

Only Dial-Out Only Bidirectional

Service Tag — — —

Port zsmon zsmon zsmon

Monitor
Tag

Expert Create yes yes yes

utmp Entry

Connect on no no no
Carrier

Service /usr/bin/login /usr/bin/ /usr/sbin/login

login

Streams ldterm,ttcompat ldterm,ttcompat ldterm,ttcompat

Modules

Timeout Never Never Never

(secs)

Table 10–5 describes the default values for the Initialize Only template.

TABLE 10–5 Initialize Only - No Connection Default Values

Detail Item Default Value

Basic Port —

Service Enabled

Baud Rate 9600

Terminal Type —

More Option: Initialize Only yes

Option: Bidirectional no

212 System Administration Guide, Volume II ♦ October 1998

TABLE 10–5 Initialize Only - No Connection Default Values (continued)

Detail Item Default Value

Option: Software Carrier no

Login Prompt login:

Comment Initialize Only - No Connection

Service Tag —

Port Monitor Tag zsmon

Expert Create utmp Entry yes

Connect on Carrier no

Service /usr/bin/login

Streams Modules ldterm,ttcompat

Timeout (secs) Never

How to Start Admintool

1. Verify that the following prerequisites are met. To use Admintool, you must:
4 Have a bit-mapped display monitor. The Admintool software can be used only
on a system with a console that is a bit-mapped screen such as a standard
display monitor that comes with a Sun workstation.
4 Be running an X Window System, such as the OpenWindowsTM environment.
4 Be a member of the sysadmin group (group 14).
If you want to perform administration tasks on a system with an ASCII terminal
as the console, use Solaris commands instead.

Note - The system being configured must be your local system. Use Solstice
AdminSuite Serial Port Manager to configure serial ports on a remote system.

2. Start Admintool.

$ admintool &

Setting Up Terminals and Modems (Tasks) 213

 The Users main window is displayed.

How to Set Up a Terminal

1. Start Admintool, if it’s not already running.
See “How to Start Admintool” on page 213 for more information on starting
Admintool.

2. Select Serial Ports from the Browse menu.

The Serial Ports menu is displayed.

3. Select the port or ports that will be used with a terminal.

4. Choose Modify from the Edit menu.

The Modify Serial Port window appears in the Basic Detail mode. To enter
additional details, select either the More or Expert Detail modes.

5. Choose Terminal-Hardwired from the Use Template menu.

See Table 10–2 for a description of the Terminal–Hardware menu items.

6. Change values of template entries if desired.

7. Click on OK to configure the port.

8. Use the pmadm command to verify the terminal service has been added.

$ pmadm -l -s ttya

214 System Administration Guide, Volume II ♦ October 1998

Example—Completed Modify Window to Set Up a Terminal

How to Set Up a Modem

1. Start Admintool, if it’s not already running.
See “How to Start Admintool” on page 213 for more information on starting
Admintool.

2. Select Serial Ports from the Browse menu.

The Serial Ports menu is displayed.

3. Select the port or ports that will be used with a modem.

4. Choose Modify from the Edit menu.

The Modify Serial Port window appears in the Basic Detail mode. To enter
additional details, select either the More or Expert Detail modes.

Setting Up Terminals and Modems (Tasks) 215

 5. Choose the modem configuration template from the Use Template menu that
meets or most closely matches your modem service.
See Table 10–3 for a description of each template.
See Table 10–4 for the default values of each template. If a UUCP service will be
used to dial in to your modem on a Solaris system, see “How to Set Up a Modem
for Use With UUCP” on page 217 for the rest of the procedure.

6. Change values of template entries if desired.

7. Click on OK to configure the port.

8. Use the pmadm command to verify the modem service has been configured for
use with UUCP.

$ pmadm -l -s ttyb

216 System Administration Guide, Volume II ♦ October 1998

Example—Completed Modify Window to Set Up a Modem

How to Set Up a Modem for Use With UUCP

UUCP sends information to a service using seven bits and even parity. Solaris
modem configurations use eight bits and no parity for internationalization purposes.
To set up your modem service to work with UUCP, follow these instructions.
1. Start Admintool, if it’s not already running.
See “How to Start Admintool” on page 213 for more information on starting
Admintool.

2. Select Serial Ports from the Browse menu.

The Serial Ports menu is displayed.

3. Select the port or ports that will be used with a modem.

4. Choose Modify from the Edit menu.

Setting Up Terminals and Modems (Tasks) 217

 The Modify Serial Port window appears in the Basic Detail mode. For additional
details, select either the More or Expert Detail modes.

5. Select Other from the Baud Rate menu.

A window listing baud rates from the /etc/ttydefs file is displayed.

6. Enter a baud rate that provides seven bit, even parity service. Click on OK.

7. Change values of other template entries if desired.

8. Click on OK to configure the port.

9. Use the pmadm command to verify the modem service has been configured for
use with UUCP.

$ pmadm -l -s ttya

Example—Completed Modify Window to Set Up a Modem

for Use With UUCP
In this example, the 9600E baud rate was selected. This provides a service with a
9600 baud rate, seven bits, and even parity.

How to Initialize a Port

1. Start Admintool, if it’s not already running.
See “How to Start Admintool” on page 213 for more information on starting
Admintool.

218 System Administration Guide, Volume II ♦ October 1998

2. Select Serial Ports from the Browse menu.
The Serial Ports menu is displayed.

3. Select the port or ports that you want to initialize.

4. Choose Modify from the Edit menu.

The Modify Serial Port window appears in the Basic Detail mode. To enter
additional details, select either the More or Expert Detail modes.

5. Choose Initialize Only - No Connection from the Use Template menu.

See Table 10–5 for a description of the Initialize Only - No Connection template.

6. Click on OK to initialize the port.

7. Use the pmadm command to verify the port has been disabled.

$ pmadm -l -s ttyb

Example—Completed Modify Window to Initialize a Port

How to Disable a Port

1. Start Admintool, if it’s not already running.
See “How to Start Admintool” on page 213 for more information on starting
Admintool.

2. Select Serial Ports from the Browse menu.

Setting Up Terminals and Modems (Tasks) 219

 The Serial Ports menu is displayed.

3. Select the port or ports that you want to disable.

4. Choose Modify from the Edit menu.

5. Click on the Service Enable button to disable the port service in the Modify
window.
This button acts as a toggle switch to enable or disable a port service.

6. Click on OK to disable the port.

7. Use the pmadm command to verify the port service has been disabled.

$ pmadm -l -s ttya

Example—Completed Modify Window to Disable a Port

How to Remove a Port Service

1. Start Admintool, if it’s not already running.
See “How to Start Admintool” on page 213 for more information on starting
Admintool.

2. Select the port or ports that has a service you want to delete.

3. Choose Delete from the Edit menu.

220 System Administration Guide, Volume II ♦ October 1998

 You are asked if you really want to delete the service for the specified port or
ports. You may cancel the delete operation or continue with it.

4. Use the pmadm command to verify the port service has been deleted.

$ pmadm -l -s ttya

Troubleshooting Terminal and Modem

Problems
If users are unable to log in over serial port lines after you have added a terminal or
modem and set up the proper services, consider the following possible causes of
failure.

1. Begin by checking with the user.

Malfunctions in terminals and modem use are typically reported by a user who
has failed to log in or dial in. For this reason, it is best to begin troubleshooting by
checking for a problem on the desktop.
Some common reasons for login failure include:
4 Login ID or password is incorrect.
4 Terminal is waiting for X-ON flow control key (Control-q).
4 Serial cable is loose or unplugged.
4 Terminal configuration is incorrect.
4 Terminal is shut off or otherwise has no power.
2. Check the terminal.

Continue to troubleshoot by checking the configuration of the terminal or modem.

Determine the proper ttylabel for communicating with the terminal or modem.
Verify that the terminal or modem settings match those of the ttylabel.
3. Check the terminal server.

If the terminal checks out, continue to search for the source of the problem on the
terminal or modem server. Use the pmadm command to verify that a port monitor
has been configured to service the terminal or modem and that it has the correct
ttylabel associated with it.

$ pmadm -l -t ttymon

Setting Up Terminals and Modems (Tasks) 221

 Examine /etc/ttydefs and double check the label definition against the
terminal configuration. Use sacadm to check the port monitor’s status. Use
pmadm to check the service associated with the port the terminal uses.
4. Check the serial connection.
If the Service Access Controller is starting the TTY port monitor and pmadm
reports that the service for the terminal’s port is enabled, and if the terminal’s
configuration matches the port monitor’s, then continue to search for the problem
by checking the serial connection. A serial connection comprises serial ports,
cables, and terminals. Test each of these parts by using it with two other parts
that are known to be reliable.
Test all of the following:
4 Serial ports
4 Modems
4 Cables
4 Connectors
5. Do not use Admintool or SolsticeTM AdminSuiteTM Serial Port Manager to modify
serial port settings if the serial port is being used as a console. The correct
procedure for changing console settings is by modifying the following line in the
/etc/inittab file:

co:234:respawn:/usr/lib/saf/ttymon -g -h -p "‘uname -n‘ console

login: " -T terminal_type -d /dev/console -l console -m
ldterm,ttcompat

222 System Administration Guide, Volume II ♦ October 1998

CHAPTER 11

Setting Up Terminals and Modems With

the Service Access Facility (Tasks)

This chapter explains in detail what a system or network administrator needs to

know about the Service Access Facility (SAF) in the Solaris environment.
If you want to see examples of specific SAF commands, skip the first section, “Using
the Service Access Facility” on page 223, and use the following list to find the
instructions you need.
4 “Using the Service Access Facility” on page 223
4 “Overall Administration: sacadm Command” on page 225
4 “Port Monitor Service Administrator: pmadm Command” on page 226
4 “Port Monitors: TTY Monitor and Network Listener” on page 228
4 “Administering ttymon Port Monitors” on page 231
4 “Administering ttymon Services” on page 234
4 “Reference Material for Service Access Facility Administration” on page 239
For overview information about terminals and modems, see Chapter 9.

Using the Service Access Facility

The SAF is the tool used for administering terminals, modems, and other network
devices. The top-level SAF program is the Service Access Controller (SAC). The SAC
controls port monitors which you administer through the sacadm command. Each
port monitor can manage one or more ports.

223
 You administer the services associated with ports through the pmadm command.
While services provided through SAC may differ from network to network, SAC and
the administrative programs sacadm and pmadm are network independent.
Table 11–1 illustrates the SAF control hierarchy. The sacadm command is used to
administer the SAC which controls the ttymon and listen port monitors.
The services of ttymon and listen are in turn controlled by pmadm. One instance
of ttymon can service multiple ports and one instance of listen can provide
multiple services on a network interface.

TABLE 11–1 SAF Control Hierarchy

Function Program Description

Overall Administration sacadm Command for adding and removing port

monitors

Service Access Controller sac SAF’s master program

Port Monitors ttymon Monitors serial port login requests

Monitors requests for network services
listen

Port Monitor Service pmadm Command for controlling port monitors

Administrator services

Services logins; remote Services to which SAF provides access

procedure calls;
other

Console Administration console login The console is automatically set up via an

entry in the /etc/inittab file using
ttymon-express mode. Do not use the
pmadm or sacadm to manage the console
directly. See “ttymon and the Console Port”
on page 229 for more information.

224 System Administration Guide, Volume II ♦ October 1998

Overall Administration: sacadm
Command
The sacadm command is the top level of the SAF. The sacadm command primarily
is used to add and remove port monitors such as ttymon and listen. Other
sacadm functions include listing the current status of port monitors and
administering port monitor configuration scripts.

Service Access Controller: SAC Program

The Service Access Controller program (SAC) oversees all port monitors. A system
automatically starts SAC upon entering multiuser mode.
When SAC is invoked, it first looks for, and interprets, each system’s configuration
script, by which SAC customizes its environment. The modifications made to the
SAC environment are inherited by all the “children” of the SAC. This inherited
environment may be modified by the children.
After it has interpreted the per-system configuration script, the SAC program reads
its administrative file and starts the specified port monitors. For each port monitor,
SAC runs a copy of itself (SAC forks a child process). Each child then interprets its
per-port monitor configuration script, if such a script exists.
Any modifications to the environment specified in the per-port monitor configuration
script affect the port monitor and will be inherited by all its children. Finally, the
child process runs the port monitor program using the command found in the SAC
administrative file.

SAC Initialization Process

The following steps summarize what happens when SAC is first started:
1. The SAC program is spawned by init at run level two.
2. The SAC program reads /etc/saf/_safconfig, the per-system configuration
script.
3. The SAC program reads /etc/saf/_sactab, the SAC administrative file.
4. The SAC program forks a child process for each port monitor it starts.
5. Each port monitor reads /etc/saf/pmtag/_config, the per-port monitor
configuration script.

Setting Up Terminals and Modems With the Service Access Facility (Tasks) 225
 Port Monitor Service Administrator:
pmadm Command
The pmadm command enables you to administer port monitors’ services. In
particular, you use the pmadm command to add or remove a service and to enable or
disable a service. You can also install or replace per-service configuration scripts, or
print information about a service.
Each instance of a service must be uniquely identified by a port monitor and a port.
When you use the pmadm command to administer a service, you specify a particular
port monitor via the pmtag argument, and a particular port via the svctag argument.
For each port monitor type, the SAF requires a specialized command to format port
monitor-specific configuration data. This data is used by the pmadm command. For
ttymon and listen type port monitors, these specialized commands are ttyadm
and nlsadmin, respectively.

A Port Monitor at Work: ttymon

Whenever you attempt to log in via a directly connected modem or alphanumeric
terminal, ttymon goes to work, as follows.
As shown in Figure 11–1, the init program is the first process to be started at boot
time. Consulting its administrative file (/etc/inittab), init starts other processes
as they are needed. Listed among those processes is the SAC.
SAC, in turn, automatically starts up the port monitors designated in its
administrative file (/etc/saf/_sactab). Figure 11–1 shows only a single ttymon
port monitor.
After ttymon has been started, it monitors the serial port lines for service requests.

226 System Administration Guide, Volume II ♦ October 1998

 Power On
init

SAC

Login Request

ttymon Set Baud Rate

Administrative
Files

Login Prompt
login
Valid Name & Password

Login Complete
shell

Figure 11–1 How ttymon Helps Process a Login Request

When someone attempts to log in via an alphanumeric terminal or a modem, the
serial port driver passes the activity to the operating system. The ttymon port
monitor notes the serial port activity, and attempts to establish a communications
link. ttymon determines what data transfer rate, line discipline, and handshaking
protocol are required to communicate with the device.
Having established the proper parameters for communication with the modem or
terminal, ttymon passes these parameters to the login program and transfers control
to it.

Port Initialization Process

When an instance of ttymon is invoked by SAC, ttymon starts to monitor its ports.
For each port, ttymon first initializes the line disciplines, if they are specified, and
the speed and terminal settings. The values used for initialization are taken from the
appropriate entry in /etc/ttydefs.

Setting Up Terminals and Modems With the Service Access Facility (Tasks) 227
 The ttymon port monitor then writes the prompt and waits for user input. If the
user indicates that the speed is inappropriate by pressing the Break key, ttymon tries
the next speed and writes the prompt again.
If autobaud is enabled for a port, ttymon will try to determine the baud rate on the
port automatically. Users must press Return before ttymon can recognize the baud
rate and print the prompt.
When valid input is received, ttymon interprets the per-service configuration file for
the port, creates a /etc/utmp entry if required, establishes the service environment,
and invokes the service associated with the port.
After the service terminates, ttymon cleans up the /etc/utmp entry, if one exists,
and returns the port to its initial state.

Bidirectional Service
If a port is configured for bidirectional service, ttymon will:
4 Allow users to connect to a service
4 Allow uucico, cu, or ct to use the port for dialing out (if the port’s free)
4 Wait to read a character before printing a prompt
4 Invoke the port’s associated service—without sending the prompt message—when
a connection is requested (if the connect-on-carrier flag is set)

Port Monitors: TTY Monitor and

Network Listener
Though SAF provides a generic means for administering any future or third-party
port monitors, only two are implemented in the Solaris environment—ttymon and
listen.

TTY Port Monitor: ttymon

The ttymon port monitor is STREAMS-based. It monitors ports; sets terminal modes,
baud rates, and line disciplines; and invokes the login process. (It provides Solaris
users the same services that getty did under previous versions of SunOS 4.1
software.)
The ttymon port monitor runs under the SAC program. It is configured using the
sacadm command. Each instance of ttymon can monitor multiple ports. These ports

228 System Administration Guide, Volume II ♦ October 1998

 are specified in the port monitor’s administrative file. The administrative file is
configured using the pmadm and ttyadm commands.

ttymon and the Console Port

Console services are not managed by the Service Access Controller nor any explicit
ttymon administration file. An entry in the /etc/inittab file is used to manage
the console port using ttymon in express mode, which is a special ttymon mode that
is invoked directly by a command that requires login service.
The default console entry in the /etc/inittab file looks like this:

co:234:respawn:/usr/lib/saf/ttymon -g -h -p "‘uname -n‘ console login: "

-T terminal_type -d /dev/console -l console -m ldterm,ttcompat

co:234:respawn: co identifies the entry as the console; 234

identifies the run levels for the action,
respawn, which means the console entry
should be restarted if it fails or doesn’t exist
at run levels 2, 3, and 4.

/usr/lib/saf/ttymon -g -h The −g option is used so the correct baud

rate and terminal setting can be set on a port
and connect to a login service without being
preconfigured by the SAC. The −h option
forces a line hangup by setting the line
speed to zero before setting the default or
specified speed.

Identifies the prompt string for the console

−p "‘uname -n‘ console login:
port.

Identifes the terminal type of the console.

−t terminal_type

The −d option identifies the console device;

−d /dev/console -l console -m
the −l option identifies the ttylabel in the
ldterm,ttcompat
/etc/ttydefs file; and the −m option
identifies the STREAMS modules to be
pushed.

Setting Up Terminals and Modems With the Service Access Facility (Tasks) 229
 Special ttymon-Specific Administrative
Command: ttyadm
The ttymon administrative file is updated by sacadm and pmadm, as well as by the
ttyadm command. The ttyadm command formats ttymon-specific information and
writes it to the standard output, providing a means for presenting formatted
ttymon-specific data to the sacadm and pmadm commands.
Thus, ttyadm does not administer ttymon directly; rather, it complements the
generic administrative commands, sacadm and pmadm. See ttyadm(1M) for more
details.

Network Listener Service: listen

The listen port monitor runs under SAC. It monitors the network for service
requests, accepts requests when they arrive, and invokes servers in response to those
service requests.
The listen port monitor is configured using the sacadm command. Each instance
of listen can provide multiple services. These services are specified in the port
monitor’s administrative file. This administrative file is configured using the pmadm
and nlsadmin commands.
The network listener process may be used with any connection-oriented transport
provider that conforms to the Transport Layer Interface (TLI) specification. In the
Solaris environment, listen port monitors can provide additional network services
not provided by inetd.

Special listen-Specific Administrative

Command: nlsadmin
The listen port monitor’s administrative file is updated by sacadm and pmadm, as
well as by the nlsadmin command. The nlsadmin command formats
listen-specific information and writes it to the standard output, providing a means
of presenting formatted listen-specific data to the sacadm and pmadm commands.
Thus, nlsadmin does not administer listen directly; rather, it complements the
generic administrative commands, sacadm and pmadm.
Each network can have at least one instance of the network listener process
associated with it. Each network is configured separately. The nlsadmin command
controls the operational states of listen port monitors.
The nlsadmin command can establish a listen port monitor for a given network,
configure the specific attributes of that port monitor, and start and kill the monitor.

230 System Administration Guide, Volume II ♦ October 1998

 The nlsadmin command can also report on the listen port monitors on a
machine.
See nlsadmin(1M) for more details.

Administering ttymon Port Monitors

Use the sacadm command to add, list, remove, kill, start, enable, disable, enable, and
remove a ttymon port monitor.

Note - You must be superuser to perform the following procedures.

How to Add a ttymon Port Monitor

To add a ttymon port monitor, type:

# sacadm -a -p mbmon -t ttymon -c /usr/lib/saf/ttymon -v ‘ttyadm

-V‘ -y "TTY Ports a & b"

-a The add port monitor flag

-p Specifies the pmtag mbmon as the port monitor tag

-t Specifies the port monitor type as ttymon

-c Defines the command string used to start the port monitor

-v Specifies the version number of the port monitor

-y Defines a comment to describe this instance of the port monitor

How to View ttymon Port Monitor Status

To see the status of a ttymon port monitor, type:

# sacadm -l -p mbmon

Setting Up Terminals and Modems With the Service Access Facility (Tasks) 231
 -l The list port monitor status flag

-p Specifies the pmtag mbmon as the port monitor tag

Example—Viewing ttymon Port Monitor Status

# sacadm -l -p mbmon
PMTAG PMTYPE FLGS RCNT STATUS COMMAND
mbmon ttymon - 0 STARTING /usr/lib/saf/ttymon #TTY Ports a & b

PMTAG Identifies the port monitor name, mbmon.

mbmon

PMTYPE Identifies the port monitor type, ttymon.

ttymon

FLGS Indicates whether the following two flags are set:

d, do not enable the new port monitor, or

-
x, do not start the new port monitor. There are no flags set in
this example.

RCNT Indicates the return count value. A return count of 0

indicates that the port monitor is not to be restarted if it fails.
0

STATUS Indicates the current status of the port monitor.

STARTING

COMMAND Identifies the command used to start the port monitor.

/usr/lib/saf ...

#TTY Ports a & b Identifies any comment used to describe the port monitor.

232 System Administration Guide, Volume II ♦ October 1998

 How to Stop a ttymon Port Monitor
To kill a ttymon port monitor, type:

# sacadm -k -p mbmon

-k The kill port monitor status flag

-p Specifies the pmtag mbmon as the port monitor tag

How to Start a ttymon Port Monitor

To start a killed ttymon port monitor, type:

# sacadm -s -p mbmon

-s The start port monitor status flag

-p Specifies the pmtag mbmon as the port monitor tag

How to Disable a ttymon Port Monitor

Disabling a port monitor prevents new services from starting, without affecting
existing services.
To disable a ttymon port monitor, type:

# sacadm -d -p mbmon

-d The disable port monitor status flag

-p Specifies the pmtag mbmon as the port monitor tag

How to Enable a ttymon Port Monitor

Enabling a ttymon port monitor allows it to service new requests.

Setting Up Terminals and Modems With the Service Access Facility (Tasks) 233
 To enable a ttymon port monitor, type:

# sacadm -e -p mbmon

-e The enable port monitor status flag

-p Specifies the pmtag mbmon as the port monitor tag

How to Remove a ttymon Port Monitor

To remove a ttymon port monitor, type:

# sacadm -r -p mbmon

-r The remove port monitor status flag

-p Specifies the pmtag mbmon as the port monitor tag

Note - Removing a port monitor deletes all the configuration files associated with it.
Port monitor configuration files cannot be updated or changed using sacadm. To
reconfigure a port monitor, remove it and add a new one.

Administering ttymon Services

Use pmadm to add services, list the services of one or more ports associated with a
port monitor, and enable or disable a service.

Note - You must be superuser to perform the following procedures.

How to Add a Service

To add a standard terminal service to the mbmon port monitor, type:

234 System Administration Guide, Volume II ♦ October 1998

# pmadm -a -p mbmon -s a -i root -v ‘ttyadm -V‘ -m "‘ttyadm -i ’Terminal disabled’
-l contty -m ldterm,ttcompat -S y -d /dev/term/a -s /usr/bin/login‘"

Note - In this example, the input wraps to the next line. Do not put a Return or line
feed after contty.

-a The add port monitor status flag

-p Specifies the pmtag mbmon as the port monitor tag

-s Specifies the svctag a as the port monitor service tag

-i Specifies the identity to be assigned to svctag when it runs

-v Specifies the version number of the port monitor

-m Specifies the ttymon-specific configuration data formatted by ttyadm

The above pmadm command contains an embedded ttyadm command. The options
in this embedded command are as follows:

-b The bidirectional port flag

-i Specifies the inactive (disabled) response message

-l Specifies which TTY label in /etc/ttydefs to use

-m Specifies the STREAMS modules to push before invoking this service

-d Specifies the full path name to the device to use for the TTY port

-s Specifies the full path name of the service to invoke when a connection request is
received; if arguments are required, enclose the command and its arguments in
quotation marks (")

Setting Up Terminals and Modems With the Service Access Facility (Tasks) 235
 How to View the Status of a TTY Port Service
Use the pmadm command as shown to list the status of a TTY port, or all the ports
associated with a port monitor.

Listing One Service

To list one service of a port monitor, type:

# pmadm -l -p mbmon -s a

-l Lists service information

-p Specifies the pmtag mbmon as the port monitor tag

-s Specifies the svctag a as the port monitor service tag

Listing All Services of All Port Monitors

To list all services of all port monitors, type:

# pmadm -l

-l Lists service information

Listing All Services of a Port Monitor

To list all services of a port monitor, type:

# pmadm -l -p mbmon

-l Lists service information

-p Specifies the pmtag mbmon as the port monitor tag

236 System Administration Guide, Volume II ♦ October 1998

 Example—Viewing the Status of a TTY Port
Monitor Service
# pmadm -l -p mbmon
PMTAG PMTYPE SVCTAG FLAGS ID <PMSPECIFIC>
mbmon ttymon a - root /dev/term/a - - /usr/bin/login - contty
ldterm,ttcompat login: Terminal disabled - y #

mbmon Identifies the port monitor name, mbmon, set by using the
pmadm -p command.

ttymon Identifies the port monitor type, ttymon.

Indicates the service tag value set by using the pmadm -s

a command.

- Identifies whether the following flags are set by using the

pmadm -f command:

x, which means do not enable the service;

u, which means create a utmp entry for the service. No

flags are set in this example.

root Identifies the ID assigned to the service when its started.

This value is set by using the pmadm -i command.

<PMSPECIFIC> Information

Indicates the TTY port pathname set by using the ttyadm

/dev/term/a -d command.

- Indicates whether the following flags are set by using the

ttadm -c -b -h -I -r command:

c, sets the connect on carrier flag for the port

b, sets the port as bidirectional, allowing both incoming

and outgoing traffic

h, supresses an automatic hangup immediately after an

incoming call is received

I, initializes the port

r, forces ttymon to wait until it receives a character from

the port before it prints the login: message.

Setting Up Terminals and Modems With the Service Access Facility (Tasks) 237
 - Indicates a value set by using the ttyadm -r option. This
option determines when ttymon displays a prompt after
receiving data from a port. If count is 0, ttymon will wait
until it receives any character. If count is greater than 0,
ttymon will wait until count new lines have been
received. No value is set in this example.

/usr/bin/login Identifies the full pathname of the service to be invoked

when a connected is received. This value is set by using
ttyadm -s command.

- Identifies the ttyadm -t command’s (timeout) value. This

option specifies that ttymon should close a port if the
open on the port succeeds, and no input data is received in
timeout seconds. There is no timeout value in this example.

contty Identifies the TTY label in the /etc/ttydefs file. This

value is set by using the ttyadm -l command.

ldterm,ttcompat Identifies the STREAMS modules to be pushed. These

modules are set by using the ttyadmin -m command.

login: Terminal disabled Identifies an inactive message to be displayed when the

port is disabled. This message is set by using the ttyadm
-i command.

tvi925 Identifies the terminal type, if set, by using the ttyadm

-Tcommand. The terminal type is tvi925 in this example .

y Identifies the software carrier value set by using the

ttyadm -S command; n will turn software carrier off, y
will turn software carrier on. Software carrier is turned on
in this example.

# Identifies any comment specified with the pmadm -y

command. (There is no comment in this example).

How to Enable a Port Monitor Service

To enable a disabled port monitor service, type:

# pmadm -e -p mbmon -s a

238 System Administration Guide, Volume II ♦ October 1998

 -e The enable flag

-p Specifies the pmtag mbmon as the port monitor tag

-s Specifies the svctag a as the port monitor service tag

How to Disable a Port Monitor Service

To disable a port monitor service, type:

# pmadm -d -p mbmon -s a

-d The disable flag

-p Specifies the pmtag mbmon as the port monitor tag

-s Specifies the svctag a as the port monitor service tag

Reference Material for Service Access

Facility Administration
Files Associated With SAF
SAF uses configuration files which can be modified by using the sacadm and pmadm
commands. You should not need to edit them manually.

File Name Description

/etc/saf/_sysconfig Per-system configuration script

/etc/saf/_sactab SAC’s administrative file; contains

configuration data for the port monitors that
the SAC controls

/etc/saf/pmtag Home directory for port monitor pmtag

Setting Up Terminals and Modems With the Service Access Facility (Tasks) 239
 File Name Description

/etc/saf/pmtag/_config Per-port monitor configuration script for

port monitor pmtag if it exists

/etc/saf/pmtag/_pmtab Port monitor pmtag’s administrative file;

contains port monitor-specific configuration
data for the services pmtag provides

/etc/saf/pmtag/svctag Per-service configuration script for service

svctag

/var/saf/log SAC’s log file

/var/saf/pmtag Directory for files created by pmtag, for

example, log files

The /etc/saf/_sactab File

The /etc/saf/_sactab looks like this:

# VERSION=1
zsmon:ttymon::0:/usr/lib/saf/ttymon #

# VERSION=1 Indicates the Service Access Facility version

number.

zsmon Is the name of the port monitor.

ttymon Is the type of port monitor.

:: Indicates whether the following two flags are set:

d, do not enable the port monitor

x, do not start the port monitor. No flags are set

in this example.

0 Indicates the return code value. A return count of

0 indicates that the port monitor is not be
restarted if it fails.

/usr/lib/saf/ttymon Indicates the port monitor pathname

240 System Administration Guide, Volume II ♦ October 1998

 The /etc/saf/pmtab/_pmtab File
The /etc/saf/pmtab/_pmtab file, such as /etc/saf/zsmon/_pmtab, looks like this:

# VERSION=1
ttya:u:root:reserved:reserved:reserved:/dev/term/a:I::/usr/bin/login::9600:ldterm,
ttcompat:ttya login\: ::tvi925:y:#

# VERSION=1 Indicates the Service Access Facility version number.

ttya Indicates the service tag.

x,u Identifies whether the following flags are set:

x, which means do not enable the service

u, which means create a utmp entry for the service

root Indicates the identity assigned to the service tag.

reserved This field is reserved.

reserved This field is reserved.

reserved This field is reserved.

/dev/term/a Indicates the TTY port pathname.

/usr/bin/login Identifies the full pathname of the service to be

invoked when a connection is received.

:c,b,h,I,r: Indicates whether the following flags are set

c, sets the connect on carrier flag for the port

b, sets the port as bidirectional, allowing both

incoming and outgoing traffic

h, supresses an automatic hangup immediately after

an incoming call is received

I, initializes the port

r, forces ttymon to wait until it receives a character

fromt he port before it prints the login: message.

9600 Identifies the TTY label defined in /etc/ttydefs file

Setting Up Terminals and Modems With the Service Access Facility (Tasks) 241
 ldterm,ttcompat Identifies the STREAMS modules to be pushed

ttya login\: Identifies the prompt to be displayed

:y/n:

message Identifies any inactive (disabled) response message

tvi925 Identifies the terminal type.

y Indicates whether software carrier is set (y/n).

Service States
The sacadm command controls the states of services. The possible states are shown
below.

State Notes

Enabled Default state – When the port monitor is added, the service operates.

Disabled Default state – When the port monitor is removed, the service stops.

To determine the state of any particular service, use the following:

# pmadm -l -p portmon_name -s svctag

Port Monitor States

The sacadm command controls the states of ttymon and listen port monitors. The
possible states are shown below.

State Notes

Started Default state – When the port monitor is added, it is automatically

started.

Enabled Default state – When the port monitor is added, it is automatically

ready to accept requests for service.

Stopped Default state – When the port monitor is removed, it is automatically

stopped.

242 System Administration Guide, Volume II ♦ October 1998

 State Notes

Disabled Default state – When the port monitor is removed, it automatically

continues existing services and refuses to add new services.

Starting Intermediate state – The port monitor is in the process of starting.

Stopping Intermediate state – The port monitor has been manually terminated,
but it has not completed its shutdown procedure. It is on the way to
becoming stopped.

Notrunning Inactive state – The port monitor has been killed. All ports previously
monitored are inaccessible. An external user cannot tell whether a
port is disabled or notrunning.

Failed Inactive state – The port monitor is unable to start and remain running.

To determine the state of any particular port monitor, use the following:

# sacadm -l -p portmon_name

Port States
Ports may be enabled or disabled depending on the state of the port monitor that
controls them.

State Notes

Serial (ttymon) Port States

Enabled The ttymon port monitor sends a prompt message to

the port and provides login service to it.

Disabled Default state of all ports if ttymon is killed or disabled.

If you specify this state, ttymon will send out the
disabled message when it receives a connection
request.

Setting Up Terminals and Modems With the Service Access Facility (Tasks) 243
244 System Administration Guide, Volume II ♦ October 1998
PART IV Managing System Security

This part provides instructions for managing system security in the Solaris 7
environment. This part contains these chapters.

Provides overview information about file, system, and

Chapter 12
network security.

Provides step-by-step instructions to display file

Chapter 13
information, change file ownership and permissions,
and set special permissions.

Provides step-by-step instructions to check login status,

Chapter 14
set up dial-up passwords, restrict root access, and
monitor root access and su attempts.

Provides step-by-step instructions for setting up

Chapter 15
Kerberos login authentication and Pluggable
Autentication Module (PAM).

Provides overview information about Automated

Chapter 16
Security Enhancement Tool (ASET) and step-by-step
instructions to run ASET interactively or periodically
(by using a cron job). It also includes information
about collecting client ASET reports on a server.
CHAPTER 12

Managing System Security (Overview)

Keeping a system’s information secure is an important system administration

responsibility. This chapter provides overview information about managing system
security at the file, system, and network level.
This is a list of the overview information in this chapter.
4 “Where to Find System Security Tasks” on page 247
4 “Granting Access to a Computer System” on page 248
4 “File Security” on page 251
4 “System Security” on page 252
4 “Network Security” on page 256
At the file level, the SunOS 5.7 operating system provides some standard security
features that you can use to protect files, directories, and devices. At the system and
network levels, the security issues are mostly the same. In the workplace, a number
of systems connected to a server can be thought of as one large multifaceted system.
The system administrator is responsible for the security of this larger system or
network. Not only is it important to defend the network from outsiders trying to
gain access to the network, but it is also important to ensure the integrity of the data
on the systems within the network.

Where to Find System Security Tasks

Use these references to find step-by-step instructions for setting up system security.
4 Chapter 13
4 Chapter 14

247
 4 Chapter 15
4 Chapter 16

Granting Access to a Computer System

The first line of security defense is to control access to your system. You can control
and monitor system access by:
4 Maintaining physical site security
4 Maintaining login control
4 Restricting access to data in files
4 Maintaining network control
4 Monitoring system usage
4 Setting the path variable correctly
4 Securing files
4 Tracking superuser (root) login
4 Installing a firewall
4 Using Automated Security Enhancement Tool (ASET)

Maintaining Physical Site Security

To control access to your system, you must maintain the physical security of your
computer environment. For instance, if a system is logged in and left unattended,
anyone who can use that system can gain access to the operating system and the
network. You need to be aware of your computer’s surroundings and physically
protect it from unauthorized access.

Maintaining Login and Access Control

You also must restrict unauthorized logins to a system or the network, which you
can do through password and login control. All accounts on a system should have a
password. An account without a password makes your entire network accessible to
anyone who can guess a user name.
Solaris 7 system software restricts control of certain system devices to the user login
account. Only a process running as superuser or console user can access a system
mouse, keyboard, frame buffer, or audio device unless /etc/logindevperm is
edited. See logindevperm(4) for more information.

248 System Administration Guide, Volume II ♦ October 1998

Restricting Access to Data in Files
After you have established login restrictions, you can control access to the data on
your system. You may want to allow some people to read some files, and give other
people permission to change or delete some files. You may have some data that you
do not want anyone else to see. Chapter 13 discusses how to set file permissions.

Maintaining Network Control

Computers are often part of a configuration of systems called a network. A network
allows connected systems to exchange information and access data and other
resources available from systems connected to the network. Networking has created
a powerful and sophisticated way of computing. However, networking has also
jeopardized computer security.
For instance, within a network of computers, individual systems are open to allow
sharing of information. Also, because many people have access to the network, there
is more chance for allowing unwanted access, especially through user error (for
example, through a poor use of passwords).

Monitoring System Usage

As system administrator, you need to monitor system activity, being aware of all
aspects of your systems, including the following:
4 What is the normal load?
4 Who has access to the system?
4 When do individuals access the system?
With this kind of knowledge, you can use the available tools to audit system use and
monitor the activities of individual users. Monitoring is very useful when there is a
suspected breach in security.

Setting the Correct Path

It is important to set your path variable correctly; otherwise, you may accidently run
a program introduced by someone else that harms your data or your system. This
kind of program, which creates a security hazard, is referred to as a “Trojan horse.”
For example, a substitute su program could be placed in a public directory where
you, as system administrator, might run it. Such a script would look just like the
regular su command; since it removes itself after execution, it is hard to tell that you
have actually run a Trojan horse.

Managing System Security (Overview) 249

 The path variable is automatically set at login time through the startup files: .login,
.profile, and .cshrc. Setting up the user search path so that the current directory
(.) comes last prevents you or your users from running this type of Trojan horse. The
path variable for superuser should not include the current directory at all. The ASET
utility examines the startup files to ensure that the path variable is set up correctly
and that it does not contain a dot (.) entry.

Securing Files
Since the SunOS 5.7 operating system is a multiuser system, file system security is
the most basic, and important, security risks on a system. You can use both the
traditional UNIX file protection or the more secure access control lists (ACLs) to
protect your files.
Also, many executable programs have to be run as root (that is, as superuser) to
work properly. These executables run with the user ID set to 0 (setuid=0). Anyone
running these programs runs them with the root ID, which creates a potential
security problem if the programs are not written with security in mind.
Except for the executables shipped with setuid to root, you should disallow the use
of setuid programs, or at least restrict and keep them to a minimum.

Installing a Firewall
Another way to protect your network is to use a firewall or secure gateway system.
A firewall is a dedicated system separating two networks, each of which approaches
the other as untrusted. You should consider this setup as mandatory between your
internal network and any external networks, such as Internet, with which you want
internal network users to communicate.
A firewall can also be useful between some internal networks. For example, the
firewall or secure gateway computer will not send a packet between two networks
unless the gateway computer is the origin or the destination address of the packet. A
firewall should also be set up to forward packets for particular protocols only. For
example, you may allow packets for transferring mail, but not those for telnet or
rlogin. The ASET utility, when run at high security, disables the forwarding of
Internet Protocol (IP) packets.

Reporting Security Problems

If you experience a suspected security breach, you can contact the Computer
Emergency Response Team/Coordination Center (CERT/CC), which is a Defense
Advanced Research Projects Agency (DARPA) funded project located at the Software
Engineering Institute at Carnegie Mellon University. It can assist you with any

250 System Administration Guide, Volume II ♦ October 1998

security problems you are having. It can also direct you to other Computer
Emergency Response Teams that may be more appropriate to your particular needs.
You can call CERT/CC at its 24-hour hotline: (412) 268-7090, or contact the team via
email to cert@[Link].

File Security
The SunOS 5.7 operating system is a multiuser system, which means that all the
users logged in to a system can read and use files belonging to one another, as long
as they have permission to do so. Table 12–1 describes file system administration
commands. See Chapter 13 for step-by-step instructions on securing files.

File Administration Commands

Table 12–1 lists the file administration commands that you can use on files or
directories.

TABLE 12–1 File Administration Commands

Command Description

Lists the files in a directory and information about them.

ls(1)

Changes the ownership of a file.

chown(1)

Changes the group ownership of a file.

chgrp(1)

Changes permissions on a file. You can use either symbolic

chmod(1) mode (letters and symbols) or absolute mode (octal numbers) to
change permissions on a file.

File Encryption
Placing a sensitive file into an inaccessible directory (700 mode) and making the file
unreadable by others (600 mode) will keep it secure in most cases. However,
someone who guesses your password or the root password can read and write to

Managing System Security (Overview) 251

 that file. Also, the sensitive file is preserved on backup tapes every time you back up
the system files to tape.
Fortunately, an additional layer of security is available to all SunOS 5.7 system
software users in the United States—the optional file encryption kit. The encryption
kit includes the crypt(1) command which scrambles the data to disguise the text.

Access Control Lists (ACLs)

ACLs (ACLs, pronounced “ackkls”) can provide greater control over file permissions
when the traditional UNIX file protection in the SunOS operating system is not
enough. The traditional UNIX file protection provides read, write, and execute
permissions for the three user classes: owner, group, and other. An ACL provides
better file security by enabling you to define file permissions for the owner, owner’s
group, others, specific users and groups, and default permissions for each of those
categories. See “Using Access Control Lists (ACLs)” on page 280 for step–by–step
instructions on using ACLs.
Table 12–2 lists the ACL commands that you can use on files or directories.

TABLE 12–2 ACL Commands

Command Description

Sets, adds, modifies, and deletes ACL entries

setfacl(1)

Displays ACL entries

getfacl(1)

System Security
This section describes how to safeguard your system against unauthorized access,
such as how to prevent an intruder from logging in to your system, how to maintain
the password files, and how to prevent unauthorized superuser access to sensitive
system files and programs.

252 System Administration Guide, Volume II ♦ October 1998

You can set up two security barriers on a system. The first security barrier is the
login program. To cross this barrier and gain access to a system, a user must supply
a user name and a corresponding password known by the local system or by the
name service (NIS or NIS+).
The second security barrier is ensuring that the system files and programs can be
changed or removed by superuser only. A would-be superuser must supply the root
user name and its correct password.

Login Access Restrictions

When a user logs in to a system, the login program consults the appropriate
database according to the information listed in the /etc/[Link] file. The
entries in this file can include files (designating the /etc files), nis (designating
the NIS database), and nisplus (designating the NIS+ database). See the Solaris
Naming Administration Guide or [Link](4) for a description of this file.
The login program verifies the user name and password entered. If the user name is
not in the password file or the password is not correct for the user name, the login
program denies access to the system. When the user supplies a name from the
password file and the correct password for the name, the system grants the user
access to the system.

Special Logins
There are two common ways to access a system—by using a conventional user login
or by using the root login. In addition, a number of special system logins allow a user
to perform administrative commands without using the root account. The
administrator assigns password to these login accounts.
Table 12–3 lists the system login accounts and their uses. The system logins perform
special functions, and each has its own group identifier number (GID). Each of these
logins should have its own password, which should be distributed on a
need-to-know basis.

Managing System Security (Overview) 253

 TABLE 12–3 System Logins

Login Account GID Use

root 0 Has almost no restrictions and overrides all other logins,

protections, and permissions. The root account has access
to the entire system. The password for the root login
should be very carefully protected.

daemon 1 Controls background processing.

bin 2 Owns most of the commands.

sys 3 Owns many system files.

adm 4 Owns certain administrative files.

lp 71 Owns the object and spooled data files for the printer.

uucp 5 Owns the object and spooled data files for UUCP, the
UNIX-to-UNIX copy program.

nuucp 9 Is used by remote systems to log in to the system and start

file transfers.

You should also set the security of the eeprom command to require a password. See
eeprom(1M) for more information.

Managing Password Information

When logging in to a system, users must enter both a user name and a password.
Although logins are publicly known, passwords must be kept secret, and known
only to users. You should ask your users to choose their passwords carefully, and
change them often.
Passwords are initially created when you set up a user account. To maintain security
on user accounts, you can set up password aging to force users to routinely change
their passwords, and you can also disable a user account by locking the password.
See “Managing User Accounts and Groups (Overview)” in System Administration
Guide, Volume I for detailed information about setting up and maintaining
passwords.

254 System Administration Guide, Volume II ♦ October 1998

NIS+ Password File
If your network uses NIS+, the password information is kept in the NIS+ database.
Information in the NIS+ database can be protected by restricting access to authorized
users. You can use Solstice User Manager or the passwd(1) command to change a
user’s NIS+ password.

NIS Password File

If your network uses NIS, the password information is kept in the NIS password
map. NIS does not support password aging. You can use SolsticeTM User Manager or
the passwd(1) command to change a user’s NIS password.

/etc Files
If your network uses /etc files, the password information is kept in the system’s
/etc/passwd and /etc/shadow files. The user name and other information are
kept in the password file /etc/passwd, while the encrypted password itself is kept
in a separate shadow file, /etc/shadow. This is a security measure that prevents a
user from gaining access to the encrypted passwords. While the /etc/passwd file is
available to anyone who can log in to a machine, only superuser can read the
/etc/shadow file. You can use Solstice AdminSuite’s User Manager, Admintool, or
the passwd(1) command to change a user’s password on a local system.

Using the Restricted Shell

The standard shell allows a user to open files, execute commands, and so on. The
restricted shell can be used to limit the ability of a user to change directories, and
execute commands. The restricted shell (rsh) is located in the /usr/lib directory.
(Note that this is not the remote shell, which is /usr/sbin/rsh.) The restricted
shell differs from the normal shell in these ways:
4 The user is limited to the home directory (can’t use cd to change directories).
4 The user can use only commands in the PATH set by the system administrator
(can’t change the PATH variable).
4 The user can access only files in the home directory and its subdirectories (can’t
name commands or files using a complete path name).
4 The user cannot redirect output with > or >>.
The restricted shell allows the system administrator to limit a user’s ability to stray
into the system files, and is intended mainly to set up a user who needs to perform
specific tasks. The rsh is not completely secure, however, and is only intended to
keep unskilled users from getting into (or causing) trouble.
See sh(1) for information about the restricted shell.

Managing System Security (Overview) 255

 Tracking Superuser (Root) Login
Your system requires a root password for superuser mode. In the default
configuration, a user cannot remotely log in to a system as root. When logging in
remotely, a user must log in as himself and then use the su command to become
root. This enables you to track who is using superuser privileges on your system.

Monitoring Who is Becoming Superuser or Other Users

You have to use the su command to change to another user, for example, if you
want to become superuser. For security reasons, you may want to monitor who has
been using the su command, especially those user’s who are trying to gain superuser
access.
See “How to Monitor Who Is Using the su Command” on page 301 for detailed
instructions.

Network Security
The more available access is across a network, the more advantageous it is for
networked systems. However, free access and sharing of data and resources create
security problems. Network security is usually based on limiting or blocking
operations from remote systems. Figure 12–1 describes the security restrictions you
can impose on remote operations.

256 System Administration Guide, Volume II ♦ October 1998

 The firewall restricts the
types of remote
firewall operations that the
systems at a
particular site can
perform with systems
outside the firewall

Can I log in?

Remote systems use

Authentication authentication to restrict
Depends . .
who are you? access to specific users

local system remote system

Can I copy that file?

Authorization Remote systems use
authorization to restrict
authenticated users from
Sure, go ahead. performing
operations on their
local file system remote file system file systems

Figure 12–1 Security Restrictions for Remote Operations

Firewall Systems
You can set up a firewall system to protect the resources in your network from
outside access. A firewall system is a secure host that acts as a barrier between your
internal network and outside networks.
The firewall has two functions. It acts as a gateway which passes data between the
networks, and it acts as a barrier which blocks the free passage of data to and from
the network. The firewall requires a user on the internal network to log in to the
firewall system to access hosts on remote networks. Similarly, a user on an outside
network must log in to the firewall system before being granted access to a host on
the internal network.
In addition, all electronic mail sent from the internal network is sent to the firewall
system for transfer to a host on an external network. The firewall system receives all
incoming electronic mail, and distributes it to the hosts on the internal network.

Managing System Security (Overview) 257

 Caution - A firewall prevents unauthorized users from accessing hosts on your
network. You should maintain strict and rigidly enforced security on the firewall, but
security on other hosts on the network can be more relaxed. However, an intruder
who can break into your firewall system can then gain access to all the other hosts
on the internal network.

A firewall system should not have any trusted hosts. (A trusted host is one from
which a user can log in without being required to type in a password.) It should not
share any of its file systems, or mount any file systems from other servers.
ASET can be used to make a system into a firewall, and to enforce high security on a
firewall system, as described in Chapter 16.

Packet Smashing
Most local-area networks transmit data between computers in blocks called packets.
Through a procedure called packet smashing, unauthorized users can harm or destroy
data. Packet smashing involves capturing packets before they reach their destination,
injecting arbitrary data into the contents, then sending the packets back on their
original course. On a local-area network, packet smashing is impossible because
packets reach all systems, including the server, at the same time. Packet smashing is
possible on a gateway, however, so make sure all gateways on the network are
protected.
The most dangerous attacks are those that affect the integrity of the data. Such
attacks involve changing the contents of the packets or impersonating a user. Attacks
that involve eavesdropping—recording conversations and replaying them later
without impersonating a user—do not compromise data integrity. These attacks do
affect privacy, however. You can protect the privacy of sensitive information by
encrypting data that goes over the network.

Authentication and Authorization

Authentication is a way to restrict access to specific users when accessing a remote
system, which can be set up at both the system or network level. Once a user gains
access to a remote system, authorization is a way to restrict operations that the user
can perform on the remote system. Table 12–4 lists the types of authentications and
authorizations that can help protect your systems on the network against
unauthorized use.

258 System Administration Guide, Volume II ♦ October 1998

TABLE 12–4 Types of Authentication and Authorization

Where to Find
Type Description Information

NIS+ The NIS+ name service can provide

Solaris Naming
both authentication and authorization
Administration Guide
at the network level.

Remote Login Programs The remote login programs (rlogin,

Chapter 8
rcp, ftp) enable users to log in to a
remote system over the network and
use its resources. If you are a “trusted
host,” authentication is automatic;
otherwise, you are asked to
authenticate yourself.

Secure RPC Secure RPC improves the security of

NFS Administration
network environments by
Guide
authenticating users who make
requests on remote systems. You can
use either the UNIX, DES, or Kerberos
authentication system for Secure RPC.

Secure RPC can also be used to provide

TM “NFS Services and
additional security to the NFS
Secure RPC” on page
environment, called Secure NFS.
304

DES Encryption The Data Encryption Standard (DES)

“DES Encryption” on
encryption functions use a 56-bit key to
page 304
encrypt a secret key.

Diffie-Hellman This authentication method is based on

“Diffie-Hellman
Authentication the ability of the sending system to use
Authentication” on
the common key to encrypt the current
page 305
time, which the receiving system can
decrypt and check against its current
time.

Kerberos Version 4 Kerberos uses DES encryption to

“Kerberos Version 4”
authenticate a user when logging in to
on page 308
the system.

Solstice AdminSuite The Solstice AdminSuite product Solstice AdminSuite

provides authentication and 2.3 Administration
authorization mechanisms to remotely Guide
manage systems with the AdminSuite
tools.

Managing System Security (Overview) 259

 Sharing Files
A network file server can control which files are available for sharing. It can also
control which clients have access to the files, and what type of access is permitted to
those clients. In general, the file server can grant read/write or read-only access
either to all clients or to specific clients. Access control is specified when resources
are made available with the share command.
A server can use the /etc/dfs/dfstab file to list the file systems it makes
available to clients on the network. See the NFS Administration Guide for more
information about sharing files.

Restricting Superuser (Root) Access

In general, superuser is not allowed root access to file systems shared across the
network. Unless the server specifically grants superuser privileges, a user who is
logged in as superuser on a client cannot gain root access to files that are remotely
mounted on the client. The NFS system implements this by changing the user ID of
the requester to the user ID of the user name, nobody; this is generally 60001. The
access rights of user nobody are the same as those given to the public (or a user
without credentials) for a particular file. For example, if the public has only execute
permission for a file, then user nobody can only execute that file.
An NFS server can grant superuser privileges on a shared file system on a per-host
basis, using the root=hostname option to the share command.

Using Privileged Ports

If you do not want to run Secure RPC, a possible substitute is the Solaris “privileged
port” mechanism. A privileged port is built up by the superuser with a port number
of less than 1024. After a client system has authenticated the client’s credential, it
builds a connection to the server via the privileged port. The server then verifies the
client credential by examining the connection’s port number.
Non-Solaris clients however may not be able to communicate via the privileged port.
If they cannot, you will see error messages such as these:

‘‘Weak Authentication
NFS request from unprivileged port’’

260 System Administration Guide, Volume II ♦ October 1998

Using Automated Security Enhancement Tool
(ASET)
The ASET security package provides automated administration tools that enable you
to control and monitor your system’s security. You specify a security level—low,
medium, or high—at which ASET will run. At each higher level, ASET’s file-control
functions increase to reduce file access and tighten your system security.

See Chapter 16 for more information.

Managing System Security (Overview) 261

262 System Administration Guide, Volume II ♦ October 1998
CHAPTER 13

Securing Files (Tasks)

This chapter describes the procedures for securing files. This is a list of the
step-by-step instructions in this chapter.
4 “How to Display File Information” on page 267
4 “How to Change the Owner of a File” on page 269
4 “How to Change Group Ownership of a File” on page 270
4 “How to Change Permissions in Absolute Mode” on page 274
4 “How to Change Permissions in Symbolic Mode” on page 276
4 “How to Change Special Permissions in Absolute Mode” on page 275
4 “How to Find Files With setuid Permissions” on page 277
4 “How to Set an ACL on a File” on page 283
4 “How to Disable Programs From Using Executable Stacks” on page 279
4 “How to Check If a File Has an ACL” on page 285
4 “How to Modify ACL Entries on a File” on page 286
4 “How to Delete ACL Entries From a File” on page 287
4 “How to Display ACL Entries for a File” on page 288

File Security Features

This section describes the features that constitute a file’s security.

263
 User Classes
For each file, there are three classes of users that specify the levels of security:
4 The file or directory owner—usually the user who created the file. The owner of a
file can decide who has the right to read it, to write to it (make changes to it), or, if
it is a command, to execute it.
4 Members of a group.
4 All others who are not the file or group owner.
Only the owner of the file or root can assign or modify file permissions.

File Permissions
Table 13–1 lists and describes the permissions you can give to each user class for a
file.

TABLE 13–1 File Permissions

Symbol Permission Means Designated Users ...

r Read Can open and read the contents of a file.

w Write Can write to the file (modify its contents), add to it, or
delete it.

x Execute Can execute the file (if it is a program or shell script),

or run it with one of the exec(1) system calls.

- Denied Cannot read, write, or execute the file.

These file permissions apply to special files such as devices, sockets, and named
pipes (FIFOs), as they do to regular files.
For a symbolic link, the permissions that apply are those of the file the link points to.

Directory Permissions
Table 13–2 lists and describes the permissions you can give to each user class for a
directory.

264 System Administration Guide, Volume II ♦ October 1998

TABLE 13–2 Directory Permissions

Symbol Permission Means Designated Users Can ...

r Read List files in the directory.

w Write Add or remove files or links in the directory.

x Execute Open or execute files in the directory. Also can make

the directory and the directories beneath it current.

You can protect the files in a directory (and in its subdirectories) by disallowing
access to that directory. Note, however, that superuser has access to all files and
directories on the system.

Special File Permissions (setuid, setgid and

Sticky Bit)
Three special types of permissions are available for executable files and public
directories. When these permissions are set, any user who runs that executable file
assumes the user ID of the owner (or group) of the executable file.
You must be extremely careful when setting special permissions, because special
permissions constitute a security risk. For example, a user can gain superuser
permission by executing a program that sets the user ID to root. Also, all users can
set special permissions for files they own, which constitutes another security concern.
You should monitor your system for any unauthorized use of the setuid and
setgid permissions to gain superuser privileges. See “How to Find Files With
setuid Permissions” on page 277 to search for the file systems and print out a list
of all programs using these permissions. A suspicious listing would be one that
grants ownership of such a program to a user rather than to bin or sys.

setuid Permission
When set-user identification (setuid) permission is set on an executable file, a
process that runs this file is granted access based on the owner of the file (usually
root), rather than the user who is running the executable file. This allows a user to
access files and directories that are normally only available to the owner. For
example, the setuid permission on the passwd command makes it possible for a
user to change passwords, assuming the permissions of the root ID:

-r-sr-sr-x 1 root sys 10332 May 3 08:23 /usr/bin/passwd

Securing Files (Tasks) 265

 This presents a security risk, because some determined users can find a way to
maintain the permissions granted to them by the setuid process even after the
process has finished executing.

Note - Using setuid permissions with the reserved UIDs (0-99) from a program
may not set the effective UID correctly. Use a shell script instead or avoid using the
reserved UIDs with setuid permissions.

setgid Permission
The set-group identification (setgid) permission is similar to setuid, except that
the process’s effective group ID (GID) is changed to the group owner of the file, and
a user is granted access based on permissions granted to that group. The
/usr/bin/mail program has setgid permissions:

-r-x--s--x 1 bin mail 62504 May 3 07:58 /usr/bin/mail

When setgid permission is applied to a directory, files created in this directory

belong to the group the directory belongs to, not the group the creating process
belongs to. Any user who has write and execute permissions in the directory can
create a file there—however, the file will not belong to the group of the user, but will
belong to the group of the directory.
You should monitor your system for any unauthorized use of the setuid and
setgid permissions to gain superuser privileges. See “How to Find Files With
setuid Permissions” on page 277 to search for the file systems and print out a list
of all programs using these permissions. A suspicious listing would be one that
grants ownership of such a program to a user rather than to bin or sys.

Sticky Bit
The sticky bit is a permission bit that protects the files within a directory. If the
directory has the sticky bit set, a file can be deleted only by the owner of the file, the
owner of the directory, or by root. This prevents a user from deleting other users’
files from public directories such as /tmp:

drwxrwxrwt 7 sys sys 517 Mar 6 02:01 tmp

Be sure to set the sticky bit manually when you set up a public directory on a
TMPFS file system.

266 System Administration Guide, Volume II ♦ October 1998

Default umask
When you create a file or directory, it has a default set of permissions. These default
permissions are determined by the value of umask(1) in the system file
/etc/profile, or in your .cshrc or .login file. By default, the system sets the
permissions on a text file to 666, granting read and write permission to user, group,
and others, and to 777 on a directory or executable file.
The value assigned by umask is subtracted from the default. This has the effect of
denying permissions in the same way that chmod grants them. For example, while
the command chmod 022 grants write permission to group and others, umask 022
denies write permission for group and others.
Table 13–3 shows some typical umask settings, and the effect on an executable file.

TABLE 13–3 umask Settings for Different Security Levels

Level of Security umask Disallows

Permissive (744) 022 w for group and others

Moderate (740) 027 w for group, rwx for others

Moderate (741) 026 w for group, rw for others

Severe (700) 077 rwx for group and others

Displaying File Information

This section describes how to display file information.

How to Display File Information

Display information about all the files in a directory by using the ls command.

$ ls -la

Securing Files (Tasks) 267

 Displays the long format.
−l

Displays all files, including hidden files that begin with a dot (.).
−a

Each line in the display has the following information about a file:

4 Type of file
A file can be one of six types. Table 13–4 lists the possible file types.

TABLE 13–4 File Types

Symbol Type

- Text or program

d Directory

b Block special file

c Character special file

p Named pipe (FIFO)

l Symbolic link

4 Permissions; see Table 13–1 and Table 13–2 for descriptions

4 Number of hard links
4 Owner of the file
4 Group of the file
4 Size of the file, in bytes
4 Date the file was created or the last date it was changed
4 Name of the file

Example—Displaying File Information

The following example displays the partial list of the files in the /sbin directory.

268 System Administration Guide, Volume II ♦ October 1998

 $ cd /sbin
$ ls -la
total 11652
drwxrwxr-x 2 root sys 512 Jun 2 11:47 ./
drwxr-xr-x 30 root root 512 Jun 3 14:13 ../
-r-xr-xr-x 1 bin bin 199224 May 6 21:23 autopush*
lrwxrwxrwx 1 root root 21 Jun 2 11:47 bpgetfile -> ...
-r-xr-xr-x 1 bin bin 467856 May 6 21:23 dhcpagent*
-r-xr-xr-x 1 bin bin 430172 May 6 21:23 dhcpinfo*
-r-xr-xr-x 1 bin bin 251500 May 6 21:23 fdisk*
-r-xr-xr-x 1 bin bin 762136 May 6 21:29 hostconfig*
-r-xr-xr-x 1 bin bin 533272 May 6 21:30 ifconfig*
-r-xr-xr-x 1 root sys 515296 May 6 21:25 init*
-r-xr-xr-x 2 bin root 256272 May 6 21:27 jsh*
-r-xr-xr-x 1 bin bin 223448 May 7 20:06 mount*
-r-xr-xr-x 1 root sys 6935 Jan 1 1970 mountall*
.
.
.

Changing File Ownership

This section describes how to change the ownership of a file.

How to Change the Owner of a File

1. Become superuser.
By default, the owner cannot use the chown command to change the owner of a
file or directory. However, you can enable the owner to use chown by adding the
following line to the system’s /etc/system file and rebooting the system.

set rstchown = 0

See chown(1) for more details. Also, be aware that there may be other restrictions
on changing ownership on NFS-mounted file systems.

2. Change the owner of a file by using the chown command.

# chown newowner filename

Securing Files (Tasks) 269

 newowner Specifies the user name or UID of the new owner of the file or
directory.

filename Specifies the file or directory.

3. Verify the owner of the file is changed.

# ls -l filename

Example—Changing the Owner of a File

The following example sets the ownership on myfile to the user rimmer.

# chown rimmer myfile

# ls -l myfile
-rw-r--r-- 1 rimmer scifi 112640 May 24 10:49 myfile

How to Change Group Ownership of a File

1. Become superuser.
By default, the owner can only use the chgrp command to change the group of a
file to a group in which the owner belongs. For example, if the owner of a file
only belongs to the staff and sysadm groups, the owner can only change the
group of a file to staff or sysadm group.
However, you can enable the owner to change the group of a file to a group in
which the owner doesn’t belong by adding the following line to the system’s
/etc/system file and rebooting the system.

set rstchown = 0

See chgrp(1) for more details. Also, be aware that there may be other restrictions
on changing groups on NFS-mounted file systems.

2. Change the group owner of a file by using the chgrp command.

$ chgrp group filename

270 System Administration Guide, Volume II ♦ October 1998

 group Specifies the group name or GID of the new group of the file or
directory.

filename Specifies the file or directory.

See Chapter 13 for information about how to edit group accounts.

3. Verify the group owner of the file is changed.

$ ls -l filename

Example—Changing Group Ownership of a File

The following example sets the group ownership on myfile to the group scifi.

$ chgrp scifi myfile

$ ls -l myfile
-rwxrw-- 1 rimmer scifi 12985 Nov 12 16:28 myfile

Changing File Permissions

The chmod command enables you to change the permissions on a file. You must be
superuser or the owner of a file or directory to change its permissions.

You can use the chmod command to set permissions in either of two modes:

4 Absolute Mode - Use numbers to represent file permissions (the method most
commonly used to set permissions). When you change permissions by using the
absolute mode, represent permissions for each triplet by an octal mode number.

4 Symbolic Mode - Use combinations of letters and symbols to add or remove

permissions.

Table 13–5 lists the octal values for setting file permissions in absolute mode. You use
these numbers in sets of three to set permissions for owner, group, and other (in that
order). For example, the value 644 sets read/write permissions for owner, and
read-only permissions for group and other.

Securing Files (Tasks) 271

 TABLE 13–5 Setting File Permissions in Absolute Mode

Octal Value File Permissions Set Permissions Description

0 --- No permissions

1 --x Execute permission only

2 -w- Write permission only

3 -wx Write and execute permissions

4 r-- Read permission only

5 r-x Read and execute permissions

6 rw- Read and write permissions

7 rwx Read, write, and execute permissions

You can set special permissions on a file in absolute or symbolic modes. In absolute
mode, you set special permissions by adding a new octal value to the left of the
permission triplet. Table 13–6 lists the octal values to set special permissions on a file.

TABLE 13–6 Setting Special Permissions in Absolute Mode

Octal Value Special Permissions Set

1 Sticky bit

2 setguid

4 setuid

Table 13–7 lists the symbols for setting file permissions in symbolic mode. Symbols
can specify whose permissions are to be set or changed, the operation to be
performed, or the permissions being assigned or changed.

272 System Administration Guide, Volume II ♦ October 1998

TABLE 13–7 Setting File Permissions in Symbolic Mode

Symbol Function Description

u Who User (owner)

g Who Group

o Who Others

a Who All

= Operation Assign

+ Operation Add

- Operation Remove

r Permission Read

w Permission Write

x Permission Execute

l Permission Mandatory locking, setgid bit is on, group execution bit

is off

s Permission setuid or setgid bit is on

S Permission suid bit is on, user execution bit is off

t Permission Sticky bit is on, execution bit for others is on

T Permission Sticky bit is on, execution bit for others is off

The who operator permission designations in the function column specifies the symbols
that change the permissions on the file or directory.

Securing Files (Tasks) 273

 who Specifies whose permissions are changed.

operator Specifies the operation to perform.

permissions Specifies what permissions are changed.

How to Change Permissions in Absolute Mode

1. If you are not the owner of the file or directory, become superuser.
Only the current owner or superuser can use the chmod command to change file
permissions on a file or directory.

2. Change permissions in absolute mode by using the chmod command.

$ chmod nnn filename

nnn Specifies the octal values that represent the permissions for
the file owner, file group, and others, in that order. See Table
13–5 for the list of valid octal values.

filename Specifies the file or directory.

Note - If you use chmod to change the file group permissions on a file with ACL
entries, both the file group permissions and the ACL mask are changed to the
new permissions. Be aware that the new ACL mask permissions may change the
effective permissions for additional users and groups who have ACL entries on
the file. Use the getfacl(1) command to make sure the appropriate permissions
are set for all ACL entries.

3. Verify the permissions of the file have changed.

$ ls -l filename

274 System Administration Guide, Volume II ♦ October 1998

Example—Changing Permissions in Absolute Mode
The following example shows changing the permissions of a public directory from
744 (read/write/execute, read-only, and read-only) to 755 (read/write/execute,
read/execute, and read/execute).

$ ls -ld public_dir
drwxr--r-- 1 ignatz staff 6023 Aug 5 12:06 public_dir
$ chmod 755 public_dir
$ ls -ld public_dir
drwxr-xr-x 1 ignatz staff 6023 Aug 5 12:06 public_dir

The following example show changing the permissions of an executable shell script
from read/write to read/write/execute.

$ ls -l my_script
-rw------- 1 ignatz staff 6023 Aug 5 12:06 my_script
$ chmod 700 my_script
$ ls -l my_script
-rwx------ 1 ignatz staff 6023 Aug 5 12:06 my_script

How to Change Special Permissions in Absolute

Mode
1. If you are not the owner of the file or directory, become superuser.
Only the current owner or superuser can use the chmod command to change the
special permissions on a file or directory.

2. Change special permissions in absolute mode by using the chmod command.

$ chmod nnnn filename

nnnn Specifies the octal values that change the permissions on the file or
directory. The first octal value on the left sets the special
permissions on the file. See Table 13–6for the list of valid octal
values for the special permissions.

filename Is the file or directory.

Securing Files (Tasks) 275

 Note - If you use chmod to change the file group permissions on a file with ACL
entries, both the file group permissions and the ACL mask are changed to the
new permissions. Be aware that the new ACL mask permissions may change the
effective permissions for additional users and groups who have ACL entries on
the file. Use the getfacl(1) command to make sure the appropriate permissions
are set for all ACL entries.

3. Verify the permissions of the file have changed.

$ ls -l filename

Examples—Setting Special Permissions in Absolute Mode

The following example sets setuid permission on the dbprog file.

$ chmod 4555 dbprog

$ ls -l dbprog
-r-sr-xr-x 1 db staff 12095 May 6 09:29 dbprog

The following example sets setgid permission on the dbprog2 file.

$ chmod 2551 dbprog2

$ ls -l dbprog2
-r-xr-s--x 1 db staff 24576 May 6 09:30 dbprog2

The following example sets sticky bit permission on the pubdir directory.

$ chmod 1777 pubdir

How to Change Permissions in Symbolic Mode

1. If you are not the owner of the file or directory, become superuser.
Only the current owner or superuser can use the chmod command to change file
permissions on a file or directory.

2. Change permissions in symbolic mode by using the chmod command.

$ chmod who operator permission filename

276 System Administration Guide, Volume II ♦ October 1998

 who operator permission who specifies whose permissions are changed, operator
specifies the operation to perform, and permission specifies
what permissions are changed.
See Table 13–7 for the list of valid symbols.

filename Is the file or directory.

3. Verify the permissions of the file have changed.

$ ls -l filename

Examples—Changing Permissions in Symbolic Mode

The following example takes away read permission from others.

$ chmod o-r filea

The following example adds read and execute permissions for user, group, and
others.

$ chmod a+rx fileb

The following example assigns read, write, and execute permissions to group.

$ chmod g=rwx filec

Searching for Special Permissions

You should monitor your system for any unauthorized use of the setuid and
setgid permissions to gain superuser privileges. A suspicious listing would be one
that grants ownership of such a program to a user rather than to bin or sys.

How to Find Files With setuid Permissions

1. Become superuser.

Securing Files (Tasks) 277

 2. Find files with setuid permissions set by using the find command.

# find directory -user root -perm -4000 -exec ls -ldb {}\; >/tmp/filename

find directory Checks all mounted paths starting at the specified

directory, which can be root (/), sys, bin, or mail.

-user root Displays files only owned by root.

-perm -4000 Displays files only with permissions set to 4000.

-exec ls -ldb Displays the output of the find command in ls -ldb

format.

>/tmp/filename Writes results to this file.

3. Display the results in /tmp/filename.

If you need background information about setuid permissions, see “setuid
Permission” on page 265.

Example—Finding Files With setuid Permissions

# find / -user root -perm -4000 -exec ls -ldb { }\; > /tmp/ckprm
# cat /tmp/ckprm
-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
-r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab
---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct
-r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir
-r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin
-r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched
---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
-r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df
-rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp
-r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd
-r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su
#

An unauthorized user (rar) has made a personal copy of /usr/bin/sh, and has
set the permissions as setuid to root. This means that rar can execute
/usr/rar/bin/sh and become the privileged user. If you want to save this output
for future reference, move the file out of the /tmp directory.

278 System Administration Guide, Volume II ♦ October 1998

Executable Stacks and Security
A number of security bugs are related to default executable stacks when their
permissions are set to read, write and execute. While stacks with execute permissions
set are mandated by the SPARC ABI and Intel ABI, most programs can function
correctly without using executable stacks.
The noexec_user_stack variable is available starting in the Solaris 2.6 release
which enables you to specify whether stack mappings are executable or not. By
default, the variable is zero, which provides ABI-compliant behavior. If the variable
is set to non-zero, the system will mark the stack of every process in the system as
readable and writable, but not executable.
Once this variable is set, programs that attempt to execute code on their stack will
be sent a SIGSEGV signal, which usually results in the program terminating with a
core dump. Such programs also generate a warning message that includes the name
of the offending program, the process ID, and real UID of the user who ran the
program. For example:

[Link][347] attempt to execute code on stack by uid 555

The message is logged by the syslogd(1M) daemon when the syslog kern
facility is set to notice level. This logging is set by default in the [Link](4)
file, which means the message is sent to both the console and to the
/var/adm/messages file.
This message is useful both for observing potential security problems, as well as to
identify valid programs that depend upon executable stacks which have been
prevented from correct operation by setting this variable. If the administrator does
not want any messages logged, then the noexec_user_stack_log variable can be
set to zero to disable it in the /etc/system file, though the SIGSEGV signal may
continue to cause the executing program to core dump.
You can use mprotect(2) if you want programs to explicitly mark their as stack
executable.
Because of hardware limitations, the capability of catching and reporting executable
stack problems is only available on sun4m, sun4d and sun4u platforms.

How to Disable Programs From Using Executable

Stacks
1. Become superuser.

2. Edit the /etc/system file and add the following line.

set noexec_user_stack=1

Securing Files (Tasks) 279

 3. Reboot the system.

# init 6

How to Disable Executable Stack Message Logging

1. Become superuser.

2. Edit the /etc/system file and add the following line.

set noexec_user_stack_log=0

3. Reboot the system.

# init 6

Using Access Control Lists (ACLs)

The traditional UNIX file protection provides read, write, and execute permissions
for the three user classes: file owner, file group, and other. An ACL provides better
file security by enabling you to define file permissions for the file owner, file group,
other, specific users and groups, and default permissions for each of those categories.
For example, if you wanted everyone in a group to be able to read a file, you would
simply give group read permissions on that file. Now, assume you wanted only one
person in the group to be able to write to that file. Standard UNIX doesn’t provide
that level of file security. However, this dilemma is perfect for ACLs.

ACL entries are the way to define an ACL on a file, and they are set through the
setfacl(1) command. ACL entries consist of the following fields separated by
colons:

entry_type:[uid|gid]:perms

280 System Administration Guide, Volume II ♦ October 1998

 entry_type Type of ACL entry on which to set file permissions. For
example, entry_type can be user (the owner of a file) or mask
(the ACL mask).

uid User name or identification number.

gid Group name or identification number.

perms Represents the permissions that are set on entry_type. perms can
be indicated by the symbolic characters rwx or a number (the
same permissions numbers used with the chmod command).

The following example shows an ACL entry that sets read/write permissions for the
user nathan.

user:nathan:rw-

Caution - UFS file system attributes such as ACLs are supported in UFS file systems
only. This means that if you restore or copy files with ACL entries into the /tmp
directory, which is usually mounted as a TMPFS file system, the ACL entries will be
lost. Use the /var/tmp directory for temporary storage of UFS files.

ACL Entries for Files

Table 13–8 lists the valid ACL entries. The first three ACL entries provide the basic
UNIX file protection.

TABLE 13–8 ACL Entries for Files

ACL Entry Description

u[ser]::perms File owner permissions.

g[roup]::perms File group permissions.

o[ther]:perms Permissions for users other than the file

owner or members of file group.

Securing Files (Tasks) 281

 TABLE 13–8 ACL Entries for Files (continued)

ACL Entry Description

m[ask]:perms The ACL mask. The mask entry indicates the

maximum permissions allowed for users
(other than the owner) and for groups. The
mask is a quick way to change permissions
on all the users and groups.
For example, the mask:r-- mask entry
indicates that users and groups cannot have
more than read permissions, even though
they may have write/execute permissions.

u[ser]:uid:perms Permissions for a specific user. For uid, you

can specify either a user name or a numeric
UID.

g[roup]:gid:perms Permissions for a specific group. For gid, you

can specify either a group name or a
numeric GID.

ACL Entries for Directories

In addition to the ACL entries described in Table 13–8, you can set default ACL
entries on a directory. Files or directories created in a directory that has default ACL
entries will have the same ACL entries as the default ACL entries. Table 13–9 lists
the default ACL entries for directories.
When you set default ACL entries for specific users and groups on a directory for
the first time, you must also set default ACL entries for the file owner, file group,
others, and the ACL mask (these are required and are the first four default ACL
entries in Table 13–9).

TABLE 13–9 Default ACL Entries for Directories

Default ACL Entry Description

d[efault]:u[ser]::perms Default file owner permissions.

d[efault]:g[roup]::perms Default file group permissions.

d[efault]:o[ther]:perms Default permissions for users other than the

file owner or members of the file group.

282 System Administration Guide, Volume II ♦ October 1998

 TABLE 13–9 Default ACL Entries for Directories (continued)

Default ACL Entry Description

d[efault]:m[ask]:perms Default ACL mask.

d[efault]:u[ser]:uid:perms Default permissions for a specific user. For

uid, you can specify either a user name or a
numeric UID.

d[efault]:g[roup]:gid:perms Default permissions for a specific group. For

gid, you can specify either a group name or a
numeric GID.

How to Set an ACL on a File

1. Set an ACL on a file by using the setfacl command.

$ setfacl -s user::perms,group::perms,other:perms,mask:perms,acl_entry_list
filename ...

Sets an ACL on the file. If a file already has an ACL, it is

−s
replaced. This option requires at least the file owner, file
group, and other entries.

user::perms Specifies the file owner permissions.

group::perms Specifies the file group permissions.

other:perms Specifies the permissions for users other than the file
owner or members of the file group.

mask:perms Specifies the permissions for the ACL mask. The mask
indicates the maximum permissions allowed for users
(other than the owner) and for groups.

Securing Files (Tasks) 283

 acl_entry_list Is the list of one or more ACL entries to set for specific
users and groups on the file or directory. You can also set
default ACL entries on a directory. Table 13–8 and Table
13–9 show the valid ACL entries.

filename File or directory on which to set the ACL.

2. To verify that an ACL was set on the file, see “How to Check If a File Has an
ACL” on page 285. To verify which ACL entries were set on the file, use the
getfacl command.

$ getfacl filename

Caution - If an ACL already exists on the file, the −s option will replace the entire
ACL with the new ACL.

Examples—Setting an ACL on a File

The following example sets the file owner permissions to read/write, file group
permissions to read only, and other permissions to none on the [Link] file. In
addition, the user george is given read/write permissions on the file, and the ACL
mask permissions is set to read/write, which means no user or group can have
execute permissions.

$ setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:george:rw- [Link]

$ ls -l
total 124
-rw-r-----+ 1 nathan sysadmin 34816 Nov 11 14:16 [Link]
-rw-r--r-- 1 nathan sysadmin 20167 Nov 11 14:16 [Link]
-rw-r--r-- 1 nathan sysadmin 8192 Nov 11 14:16 notes
$ getfacl [Link]
# file: [Link]
# owner: nathan
# group: sysadmin
user::rw-
user:george:rw- #effective:rw-
group::r-- #effective:r--
mask:rw-
other:---

284 System Administration Guide, Volume II ♦ October 1998

The following example sets the file owner permissions to read/write/execute, file
group permissions to read only, other permissions to none, and the ACL mask
permissions to read on the [Link] file. In addition, the user george is given
read/write permissions; however, due to the ACL mask, the effective permissions for
george is only read.

$ setfacl -s u::7,g::4,o:0,m:4,u:george:7 [Link]

$ getfacl [Link]

# file: [Link]
# owner: nathan
# group: sysadmin
user::rwx
user:george:rwx #effective:r--
group::r-- #effective:r--
mask:r--
other:---

How to Copy an ACL

Copy a file’s ACL to another file by redirecting the getfacl output.

$ getfacl filename1 | setfacl −-f - filename2

file1 Specifies the file from which to copy the ACL.

file2 Specifies the file on which to set the copied ACL.

Example—Copying an ACL
The following example copies the ACL on [Link] to [Link].

$ getfacl [Link] | setfacl -f - [Link]

How to Check If a File Has an ACL

Check if a file has an ACL by using the ls command.

$ ls -l filename

Securing Files (Tasks) 285

 filename Specifies the file or directory.

A ‘+’ to the right of the mode field indicates the file has an ACL.

Note - Unless you have added ACL entries for additional users or groups on a file, a
file is considered to be a “trivial” ACL and the ’+’ will not display.

Example—Checking If a File Has an ACL

The following example shows that [Link] has an ACL, because the listing has. a
‘+’ to the right of the mode field.

$ ls -l [Link]
-rwxr-----+ 1 nathan sysadmin 167 Nov 11 11:13 [Link]

How to Modify ACL Entries on a File

1. Modify ACL entries on a file by using the setfacl command.

$ setfacl -m acl_entry_list filename1 [filename2 ...]

−m Modifies the existing ACL entry.

acl_entry_list Specifies the list of one or more ACL entries to modify on the
file or directory. You can also modify default ACL entries on
a directory. Table 13–8 and Table 13–9 show the valid ACL
entries.

filename ... Specifies the file or directory.

2. To verify that the ACL entries were modified on the file, use the getfacl
command.

$ getfacl filename

Examples—Modifying ACL Entries on a File

The following example modifies the permissions for the user george to read/write.

286 System Administration Guide, Volume II ♦ October 1998

 $ setfacl -m user:george:6 [Link]
$ getfacl [Link]

# file: [Link]
# owner: nathan
# group: staff
user::rw-
user::george:rw- #effective:r--
group::r- #effective:r--
mask:r--
other:r-

The following example modifies the default permissions for the group staff to read
and the default ACL mask permissions to read/write on the book directory..

$ setfacl -m default:group:staff:4,default:mask:6 book

How to Delete ACL Entries From a File

1. Delete ACL entries from a file by using the setfacl command.

$ setfacl -d acl_entry_list filename1 ...

-d Deletes the specified ACL entries.

acl_entry_list Specifies the list of ACL entries (without specifying the

permissions) to delete from the file or directory. You can only delete
ACL entries and default ACL entries for specific users and groups.
Table 13–8 and Table 13–9 show the valid ACL entries.

filename ... Specifies th file or directory.

Alternately, you can use the setfacl -s command to delete all the ACL entries
on a file and replace them with the new ACL entries specified.

2. To verify that the ACL entries were deleted from the file, use the getfacl
command.

$ getfacl filename

Securing Files (Tasks) 287

 Example—Deleting ACL Entries on a File
The following example deletes the user george from the [Link] file.

$ setfacl -d user:george [Link]

How to Display ACL Entries for a File

Display ACL entries for a file by using the getfacl command.

$ getfacl [-a | -d] filename1 ...

Displays the file name, file owner, file group, and ACL entries for the
−a
specified file or directory.

Displays the file name, file owner, file group, and default ACL entries
−d
for the specified directory.

filename ... Specifies the file or directory.

If you specify multiple file names on the command line, the ACL entries are
separated by a blank line.

Examples—Displaying ACL Entries for a File

The following example shows all the ACL entries for the [Link] file. The
#effective: note beside the user and group entries indicates what the permissions
are after being modified by the ACL mask.

$ getfacl [Link]

# file: [Link]
# owner: nathan
# group: sysadmin
user::rw-
user:george:r-- #effective:r--
group::rw- #effective:rw-
mask:rw-
other:---

The following example shows the default ACL entries for the book directory.

288 System Administration Guide, Volume II ♦ October 1998

$ getfacl -d book

# file: book
# owner: nathan
# group: sysadmin
user::rwx
user:george:r-x #effective:r-x
group::rwx #effective:rwx
mask:rwx
other:---
default:user::rw-
default:user:george:r--
default:group::rw-
default:mask:rw-
default:other:---

Securing Files (Tasks) 289

290 System Administration Guide, Volume II ♦ October 1998
CHAPTER 14

Securing Systems (Tasks)

This chapter describes the procedures for securing systems. This is a list of the
step-by-step instructions in this chapter.
4 “How to Display a User’s Login Status” on page 291
4 “How to Display Users Without Passwords” on page 293
4 “How to Temporarily Disable User Logins” on page 294
4 “How to Save Failed Login Attempts” on page 295
4 “How to Create a Dial-Up Password” on page 298
4 “How to Temporarily Disable Dial-up Logins” on page 300
4 “How to Restrict Superuser (root) Login to the Console” on page 300
4 “How to Monitor Who Is Using the su Command” on page 301
4 “How to Display Superuser (root) Access Attempts to the Console” on page 302
For overview information about securing systems, see “System Security” on page 252.

Displaying Security Information

This section describes how to display user login information.

How to Display a User’s Login Status

1. Become superuser.

2. Display a user’s login status by using the logins command.

291
 # logins -x -l username

Displays an extended set of login status information.

−x

Displays login status for the specified user. username is a

−l username
user’s login name. Multiple login names must be specified as
a comma-separated list.

The logins(1M) command uses the local /etc/passwd file and the NIS or
NIS+ password databases to obtain a user’s login status.

Example—Displaying a User’s Login Status

The following example displays login status for the user rimmer.

# logins -x -l rimmer
rimmer 500 staff 10 Arnold J. Rimmer
/export/home/rimmer
/bin/sh
PS 010170 10 7 -1

In this example,

rimmer Identifies the user’s login name.

500 Identifies the UID (user ID).

staff Identifies the user’s primary group.

10 Identifies the GID (group ID).

Arnold J. Rimmer Identifies the comment.

/export/home/rimmer Identifies the user’s home directory.

292 System Administration Guide, Volume II ♦ October 1998

 /bin/sh Identifies the login shell.

PS 010170 10 7 -1 Specifies the password aging information:

• Last date password was changed
• Number of days required between changes
• Number of days allowed before a change is required
• Warning period

How to Display Users Without Passwords

You should make sure that all users have a valid password.
1. Become superuser.

2. Display users who have no passwords by using the logins command.

# logins -p

Displays a list of users with no passwords.

−p

The logins command uses the local /etc/passwd file and the NIS or NIS+
password databases to obtain a user’s login status.

Example—Displaying Users With No Passwords

The following example displays that the user pmorph does not have a password.

# logins -p
pmorph 501 other 1 Polly Morph
#

Temporarily Disabling User Logins

You can temporarily disable user logins by:
4 Creating the /etc/nologin file.
4 Bringing the system to run level 0 (single-user mode). See “Shutting Down a
System (Tasks)” in System Administration Guide, Volume I for information on
bringing the system to single-user mode.

Securing Systems (Tasks) 293

 Creating the /etc/nologin File
Create this file to disallow user logins and notify users when a system will be
unavailable for an extended period of time due to a system shut down or routine
maintenance.
If a user attempts to log in to a system where this file exists, the contents of the
nologin(4) file is displayed, and the user login is terminated. Superuser logins are
not affected.

How to Temporarily Disable User Logins

1. Become superuser.

2. Create the /etc/nologin file using an editor.

# vi /etc/nologin

3. Include a message regarding system availability.

4. Close and save the file.

Example—Disabling User Logins

This example shows how to notify users of system unavailability.

# vi /etc/nologin
(Add system message here)

# cat /etc/nologin
***No logins permitted.***

***The system will be unavailable until 12 noon.***

Saving Failed Login Attempts

You can save failed login attempts by creating the /var/adm/loginlog file with
read and write permission for root only. After you create the loginlog file, all
failed login activity will be written to this file automatically after five failed attempts.
See “How to Save Failed Login Attempts” on page 295 for detailed instructions.
The loginlog file contains one entry for each failed attempt. Each entry contains
the user’s login name, tty device, and time of the failed attempt. If a person makes
fewer than five unsuccessful attempts, none of the attempts are logged.

294 System Administration Guide, Volume II ♦ October 1998

The loginlog file may grow quickly. To use the information in this file and to
prevent the file from getting too large, you must check and clear its contents
occasionally. If this file shows a lot of activity, it may suggest an attempt to break
into the computer system. For more information about this file, see loginlog(4).

How to Save Failed Login Attempts

1. Become superuser.

2. Create the loginlog file in the /var/adm directory.

# touch /var/adm/loginlog

3. Set read and write permissions for root on the loginlog file.

# chmod 600 /var/adm/loginlog

4. Change group membership to sys on the loginlog file.

# chgrp sys /var/adm/loginlog

5. Make sure the log works by attempting to log into the system five times with
the wrong password after the loginlog file is created. Then display the
/var/adm/loginlog file.

# more /var/adm/loginlog
pmorph:/dev/pts/4:Mon Jun 8 [Link] 1998
pmorph:/dev/pts/4:Mon Jun 8 [Link] 1998
pmorph:/dev/pts/4:Mon Jun 8 [Link] 1998
pmorph:/dev/pts/4:Mon Jun 8 [Link] 1998
pmorph:/dev/pts/4:Mon Jun 8 [Link] 1998
#

Password Protection Using Dial-Up Passwords

You can add a layer of security to your password mechanism by requiring a dial-up
password for users who access a system through a modem or dial-up port. A dial-up
password is an additional password that a user must enter before being granted
access to the system.

Securing Systems (Tasks) 295

 Only superuser can create or change a dial-up password. To ensure the integrity of
the system, the password should be changed about once a month. The most effective
use of this mechanism is to require a dial-up password to gain access to a gateway
system.
Two files are involved in creating a dial-up password, /etc/dialups and
/etc/d_passwd. The first contains a list of ports that require a dial-up password,
and the second contains a list of shell programs that require an encrypted password
as the additional dial-up password.
The dialups(4) file is a list of terminal devices, for example:

/dev/term/a
/dev/term/b

The d_passwd(4) file has two fields. The first is the login shell that will require a
password, and the second is the encrypted password. The /etc/dialups and
/etc/d_passwd files work like this:
When a user attempts to log in on any of the ports listed in /etc/dialups, the
login program looks at the user’s login entry stored in /etc/passwd, and compares
the login shell to the entries in /etc/d_passwd. These entries determine whether
the user will be required to supply the dial-up password.

/usr/lib/uucp/uucico:encrypted_password:
/usr/bin/csh:encrypted_password:
/usr/bin/ksh:encrypted_password:
/usr/bin/sh:encrypted_password:

The basic dial-up password sequence is shown in Figure 14–1.

296 System Administration Guide, Volume II ♦ October 1998

 User mrdh logs in on
/dev/term/b
/etc/dialups
/dev/term/a
/dev/term/b
The login port is in /dev/term/c
/etc/dialups
/etc/passwd
mrdh:x:205:1000:mark:/usr/mrdh:/usr/bin/ksh:

Check login shell field

of /etc/passwd and
look for match in
/etc/d_passwd /etc/d_passwd

/usr/bin/csh:<encrypted_password >:
/usr/bin/ksh:<encrypted_password >:
Matching entry for /usr/bin/sh:<encrypted_password >:
/usr/bin/ksh found;
prompt for password
found in /etc/d_passwd
Figure 14–1 Basic Dial-Up Password Sequence

The /etc/d_passwd File

Because most users will be running a shell when they log in, all shell programs
should have entries in /etc/d_passwd. Such programs include uucico, sh, ksh,
and csh. If some users run something else as their login shell, include that login
shell in the file, too.
If the user’s login program (as specified in /etc/passwd) is not found in
/etc/d_passwd, or if the login shell field in /etc/passwd is null, the password
entry for /usr/bin/sh is used.
4 If the user’s login shell in /etc/passwd matches an entry in /etc/d_passwd,
the user must supply a dial-up password.
4 If the user’s login shell in /etc/passwd is not found in /etc/d_passwd, the
user must supply the default password. The default password is the entry for
/usr/bin/sh.
4 If the login shell field in /etc/passwd is empty, the user must supply the default
password (the entry for /usr/bin/sh).
4 If /etc/d_passwd has no entry for /usr/bin/sh, then those users whose login
shell field in /etc/passwd is empty or does not match any entry in
/etc/d_passwd will not be prompted for a dial-up password.

Securing Systems (Tasks) 297

 4 Dial-up logins are disabled if /etc/d_passwd has only the following entry:
/usr/bin/sh:*:

How to Create a Dial-Up Password

Caution - When you first establish a dial-up password, be sure to remain logged in
on at least one terminal while testing the password on a different terminal. If you
make a mistake while installing the extra password and log off to test the new
password, you might not be able to log back on. If you are still logged in on another
terminal, you can go back and fix your mistake.

1. Become superuser.

2. Create an /etc/dialups file containing a list of terminal devices, including

all the ports that will require dial-up password protection.
The /etc/dialups file should look like this:

/dev/term/a

/dev/term/b

/dev/term/c

3. Create an /etc/d_passwd file containing the login programs that will require
a dial-up password, and the encrypted dial-up password.
Include shell programs that a user could be running at login, for example,
uucico, sh, ksh, and csh. The /etc/d_passwd file should look like this:

/usr/lib/uucp/uucico:encrypted_password:

/usr/bin/csh:encrypted_password:

/usr/bin/ksh:encrypted_password:

/usr/bin/sh:encrypted_password:

4. Set ownership to root on the two files.

# chown root /etc/dialups /etc/d_passwd

298 System Administration Guide, Volume II ♦ October 1998

5. Set group ownership to root on the two files.

# chgrp root /etc/dialups /etc/d_passwd

6. Set read and write permissions for root on the two files.

# chmod 600 /etc/dialups /etc/d_passwd

7. Create the encrypted passwords.

a. Create a temporary user.

# useradd user-name

b. Create a password for the temporary user.

# passwd user-name

c. Capture the encrypted password.

# grep user-name /etc/shadow > [Link]

d. Edit the [Link] file.

Delete all fields except the encrypted password (the second field).
For example, in the following line, the encrypted password is
U9gp9SyA/JlSk.

temp:U9gp9SyA/JlSk:7967:::::7988:

e. Delete the temporary user.

# userdel user-name

8. Copy the encrypted password from [Link] file into the

/etc/d_passwd file.
You can create a different password for each login shell, or use the same one for
each.

Securing Systems (Tasks) 299

 How to Temporarily Disable Dial-up Logins
1. Become superuser.

2. Put the following entry by itself into the /etc/d_passwd file:

/usr/bin/sh:*:

Restricting Superuser (root) Access on the Console

The superuser account is used by the operating system to accomplish basic functions,
and has wide-ranging control over the entire operating system. It has access to and
can execute essential system programs. For this reason, there are almost no security
restraints for any program that is run by superuser.
You can protect the superuser account on a system by restricting access to a specific
device through the /etc/default/login file. For example, if superuser access is
restricted to the console, you can log in to a system as superuser only from the
console. If anybody remotely logs in to the system to perform an administrative
function, they must first log in with their user login and then use the su(1M)
command to become superuser. See “How to Restrict Superuser (root) Login to the
Console” on page 300 for detailed instructions.

Note - Restricting superuser login to the console is set up by default when you
install a system.

How to Restrict Superuser (root) Login to the

Console
1. Become superuser.

2. Edit the /etc/default/login file.

3. Uncomment the following line.

CONSOLE=/dev/console

Any users who try to remotely log in to this system must first log in with their
user login, and then use the su command to become superuser.

4. Attempt to log in remotely as superuser to this system, and verify that the
operation fails.

300 System Administration Guide, Volume II ♦ October 1998

Monitoring Who Is Using the su Command
You can start monitoring su attempts through the /etc/default/su file. Through
this file, you can enable the /var/adm/sulog file to monitor each time the su
command is used to change to another user. See “How to Monitor Who Is Using the
su Command” on page 301 for step-by-step instructions.
The sulog file lists all uses of the su command, not only those used to switch user
to superuser. The entries show the date and time the command was entered, whether
or not it was successful (+ or -), the port from which the command was issued, and
finally, the name of the user and the switched identity.
Through the /etc/default/su file, you can also set up the system to display on
the console each time an attempt is made to use the su command to gain superuser
access from a remote system. This is a good way to immediately detect someone
trying to gain superuser access on the system you are currently working on. See
“How to Display Superuser (root) Access Attempts to the Console” on page 302 for
detailed instructions.

How to Monitor Who Is Using the su Command

1. Become superuser.

2. Edit the /etc/default/su file.

3. Uncomment the following line.

SULOG=/var/adm/sulog

4. After modifying the /etc/default/su file, use the su command several times
and display the /var/adm/sulog file. You should see an entry for each time
you used the su command.

# more /var/adm/sulog
SU 12/20 16:26 + pts/0 nathan-root
SU 12/21 10:59 + pts/0 nathan-root
SU 01/12 11:11 + pts/0 root-joebob
SU 01/12 14:56 + pts/0 pmorph-root
SU 01/12 14:57 + pts/0 pmorph-root

Securing Systems (Tasks) 301

 How to Display Superuser (root) Access Attempts
to the Console
1. Become superuser.

2. Edit the /etc/default/su file.

3. Uncomment the following line.

CONSOLE=/dev/console

4. Use the su command to become root, and verify that a message is printed on
the system console.

302 System Administration Guide, Volume II ♦ October 1998

CHAPTER 15

Using Authentication Services (Tasks)

The first section of this chapter provides information about the authentication
mechanisms that may be used with Secure RPC. Both Diffie-Hellman and Kerberos
Version 4 authentication are supported. The second section covers the Pluggable
Authentication Module (PAM) framework. PAM provides a method to “plug-in”
authentication services and provides support for multiple authentication services.
This is a list of the step-by-step instructions in this chapter.
4 “How to Set Up NIS+ Credentials for Diffie-Hellman Authentication” on page 310
4 “How to Set Up NIS Credentials with Diffie-Hellman Authentication” on page 312
4 “How to Share and Mount Files With Diffie-Hellman Authentication” on page 314
4 “How to Share and Mount Files With Kerberos Authentication” on page 315
4 “How to Acquire a Kerberos Ticket for Superuser on a Client” on page 315
4 “How to Log In to Kerberos Service” on page 316
4 “How to Access a Directory With Kerberos Authentication” on page 317
4 “How to Add a PAM Module” on page 329
4 “How to Prevent Unauthorized Access from Remote Systems with PAM” on page
329
4 “How to Initiate PAM Error Reporting” on page 329

Overview of Secure RPC

Secure RPC is a method of authentication that authenticates both the host and the
user making a request. Secure RPC uses either Diffie-Hellman or Kerberos

303
 authentication. Both of these authentication mechanisms use DES encryption.
Applications that use Secure RPC include NFS and the NIS+ name service.

NFS Services and Secure RPC

The NFS software enables several hosts to share files over the network. Under the
NFS system, a server holds the data and resources for several clients. The clients
have access to the file systems that the server exports to the clients. Users logged in
to the client machine can access the file systems by mounting them from the server.
To the user on the client machine, it appears as if the files were local to the client.
One of the most common uses of the NFS environment is to allow systems to be
installed in offices, while keeping all user files in a central location. Some features of
the NFS system, such as the mount −nosuidoption, can be used to prohibit the
opening of devices as well as file systems by unauthorized users.
The NFS environment uses Secure RPC to authenticate users who make requests
over the network. This is known as Secure NFS. The authentication mechanism,
AUTH_DH, uses DES encryption with Diffie-Hellman authentication to ensure
authorized access. The AUTH_DH mechanism has also been called AUTH_DES. The
AUTH_KERB4 mechanism uses DES encryption with Kerberos authentication. This
mechanism is has also been called AUTH_KERB.
The NFS Administration Guide describes how to set up and administer Secure NFS.
Setting up the NIS+ tables and entering names in the cred table are discussed in
Solaris Naming Administration Guide. See “Implementation of Diffie-Hellman
Authentication” on page 305 for an outline of the steps involved in RPC
authentication.

DES Encryption
The Data Encryption Standard (DES) encryption functions use a 56-bit key to encrypt
a secret key. If two credential users (or principals) know the same DES key, they can
communicate in private, using the key to encipher and decipher text. DES is a
relatively fast encryption mechanism. A DES chip makes the encryption even faster;
but if the chip is not present, a software implementation is substituted.
The risk of using just the DES key is that, with enough time, an intruder can collect
enough cipher-text messages encrypted with the same key to be able to discover the
key and decipher the messages. For this reason, security systems such as Secure NFS
change the keys frequently.

304 System Administration Guide, Volume II ♦ October 1998

Diffie-Hellman Authentication
The Diffie-Hellman method of authenticating a user is non-trivial for an intruder to
crack. The client and the server each has its own private key (sometimes called a
secret key) which they use together with the public key to devise a common key.
They use the common key to communicate with each other, using an agreed-upon
encryption/decryption function (such as DES). This method was identified as DES
authentication in previous Solaris releases.
Authentication is based on the ability of the sending system to use the common key
to encrypt the current time, which the receiving system can decrypt and check against
its current time. Make sure you synchronize the time on the client and the server.
The public and private keys are stored in an NIS or NIS+ database. NIS stores the
keys in the publickey map, and NIS+ stores the keys in the cred table. These files
contain the public key and the private key for all potential users.
The system administrator is responsible for setting up NIS or NIS+ tables and
generating a public key and a private key for each user. The private key is stored
encrypted with the user’s password. This makes the private key known only to the
user.

Implementation of Diffie-Hellman Authentication

This section describes the series of transactions in a client-server session using DH
authorization (AUTH_DH).

Generating the Public and Secret Keys

Sometime prior to a transaction, the administrator runs either the newkey or
nisaddcred commands that generates a public key and a secret key. (Each user has
a unique public key and secret key.) The public key is stored in a public database;
the secret key is stored in encrypted form in the same database. To change the key
pair, use the chkey command.

Running the keylogin Command

Normally, the login password is identical to the secure RPC password. In this case, a
keylogin is not required. If the passwords are different, the users have to log in,
and then do a keylogin explicitly.
The keylogin program prompts the user for a secure RPC password and uses the
password to decrypt the secret key. The keylogin program then passes the
decrypted secret key to a program called the keyserver. (The keyserver is an RPC
service with a local instance on every computer.) The keyserver saves the decrypted
secret key and waits for the user to initiate a secure RPC transaction with a server.

Using Authentication Services (Tasks) 305

 If the passwords are the same, the login process passes the secret key to the
keyserver. If the passwords are required to be different and the user must always run
keylogin, then the keylogin program may be included in the user’s environment
configuration file, such as ~/.login, ~/.cshrc, or ~/.profile, so that it runs
automatically whenever the user logs in.

Generating the Conversation Key

When the user initiates a transaction with a server:
1. The keyserver randomly generates a conversation key.
2. The kernel uses the conversation key to encrypt the client’s time stamp (among
other things).
3. The keyserver looks up the server’s public key in the public-key database (see the
publickey(4) man page).
4. The keyserver uses the client’s secret key and the server’s public key to create a
common key.
5. The keyserver encrypts the conversation key with the common key.
First Contact with the Server
The transmission including the encrypted time stamp and the encrypted
conversation key is then sent to the server. The transmission includes a credential
and a verifier. The credential contains three components:
4 The client’s net name
4 The conversation key, encrypted with the common key
4 A “window,” encrypted with the conversation key
The window is the difference the client says should be allowed between the server’s
clock and the client’s time stamp. If the difference between the server’s clock and the
time stamp is greater than the window, the server would reject the client’s request.
Under normal circumstances this will not happen because the client first
synchronizes with the server before starting the RPC session.
The client’s verifier contains:
4 The encrypted time stamp
4 An encrypted verifier of the specified window, decremented by 1
The window verifier is needed in case somebody wants to impersonate a user and
writes a program that, instead of filling in the encrypted fields of the credential and
verifier, just stuffs in random bits. The server will decrypt the conversation key into
some random key and use it to try to decrypt the window and the time stamp. The
result will be random numbers. After a few thousand trials, however, there is a good
chance that the random window/time stamp pair will pass the authentication system.
The window verifier makes guessing the right credential much more difficult.

306 System Administration Guide, Volume II ♦ October 1998

Decrypting the Conversation Key
When the server receives the transmission from the client:
1. The keyserver local to the server looks up the client’s public key in the publickey
database.
2. The keyserver uses the client’s public key and the server’s secret key to deduce
the common key—the same common key computed by the client. (Only the server
and the client can calculate the common key because doing so requires knowing
one secret key or the other.)
3. The kernel uses the common key to decrypt the conversation key.
4. The kernel calls the keyserver to decrypt the client’s time stamp with the
decrypted conversation key.
Storing Information on the Server
After the server decrypts the client’s time stamp, it stores four items of information
in a credential table:
4 The client’s computer name
4 The conversation key
4 The window
4 The client’s time stamp
The server stores the first three items for future use. It stores the time stamp to protect
against replays. The server accepts only time stamps that are chronologically greater
than the last one seen, so any replayed transactions are guaranteed to be rejected.

Note - Implicit in these procedures is the name of the caller, who must be
authenticated in some manner. The keyserver cannot use DES authentication to do
this because it would create a deadlock. To solve this problem, the keyserver stores
the secret keys by UID and grants requests only to local root processes.

Verifier Returned to the Client

The server returns a verifier to the client, which includes:
4 The index ID, which the server records in its credential cache
4 The client’s time stamp minus 1, encrypted by conversation key
The reason for subtracting 1 from the time stamp is to ensure that the time stamp is
invalid and cannot be reused as a client verifier.

Using Authentication Services (Tasks) 307

 Client Authenticates the Server
The client receives the verifier and authenticates the server. The client knows that
only the server could have sent the verifier because only the server knows what time
stamp the client sent.

Additional Transactions
With every transaction after the first, the client returns the index ID to the server in
its second transaction and sends another encrypted time stamp. The server sends
back the client’s time stamp minus 1, encrypted by the conversation key.

Kerberos Version 4
Kerberos is an authentication system that was developed at the Massachusetts
Institute of Technology. Kerberos uses DES encryption to authenticate a user when
logging in to the system. Authentication is based on the ability of the sending system
to use the common key to encrypt the current time, which the receiving system can
decrypt and check against its current time. Kerberos Version 4 is supported starting
in the Solaris 2.6 release.
Kerberos works by authenticating the user’s login password. A user enters the
kinit command, which acquires a ticket that is valid for the time of the session (or
eight hours, the default session time) from the Kerberos authentication server. When
the user logs out, the ticket can be destroyed (using the kdestroy command).
The Kerberos software is available from MIT project Athena, and is not part of the
SunOS 5.7 software. SunOS 5.7 software provides:
4 Commands and APIs used by the client to create, acquire, and verify tickets
4 An authentication option to Secure RPC
4 A client-side daemon, kerbd(1M)
“Implementation of Kerberos Authentication with NFS” on page 309 gives an
overview of how the Kerberos authentication procedure works.

Note - Solaris provides the ability to connect to the Kerberos functionality. It does
not provide the Kerberos package. However, you can ftp Kerberos 4 source from
[Link] using anonymous as a username and your email address
as a password. The source is located in the pub/kerberos directory.

308 System Administration Guide, Volume II ♦ October 1998

Implementation of Kerberos Authentication with NFS
The following process assumes that the Kerberos key distribution center (KDC) is
already installed on the network, using publicly available sources from MIT project
Athena.
1. The /usr/sbin/kerbd daemon must be running on the NFS client and server.
This daemon is normally started when needed by inetd. The rpcinfo
command can be used to make sure that the kerbd service is registered. kerbd is
the user-mode daemon. It interfaces with the kernel RPC and the KDC. It
generates and validates authentication tickets.
2. The system administrator sets up the NFS server to use Kerberos authentication.
The MIT Kerberos software is used to register the principal names in the Kerberos
key distribution center (KDC) on the Kerberos server. The following entries are
required:
4 [Link] (required for each NFS client)
4 [Link] (required for each NFS server)
3. The user mounts the shared file system.
The user on the client must get a ticket for root on the client to mount the shared
file system.
4. The user logs in to the Kerberos service, using the kinit command.
The Kerberos authentication server authenticates the request, and grants a ticket
for the ticket-granting service.
5. The user accesses the mounted directory.
The kerbd daemon automatically secures a ticket on behalf of the client for the
NFS server exporting the file system. At this point, there are two valid tickets, the
original ticket-granting ticket and one for the server.
6. The user destroys the tickets at the end of the session to prevent them from being
compromised.
The kdestroy command destroys the user’s active Kerberos authorization tickets
by writing zeros to the file that contains the tickets. You can put the kdestroy
command in your .logout file, so that all Kerberos tickets are automatically
destroyed when you log out of the system.
7. If tickets have been destroyed before the session has finished, the user must
request a new ticket with the kinit command.

Using Authentication Services (Tasks) 309

 Administering Diffie-Hellman
Authentication
A system administrator can implement policies that help secure the network. The
level of security required will differ with each site. This section provides instructions
for some tasks associated with network security.

How to Restart the Keyserver

1. Become superuser.

2. Verify that the keyserv daemon (the keyserver) is not running.

# ps -ef | grep keyserv

root 100 1 16 Apr 11 ? 0:00 /usr/sbin/keyserv
root 2215 2211 5 [Link] pts/0 0:00 grep keyserv

3. Start the keyserver if it isn’t running.

# /usr/sbin/keyserv

How to Set Up NIS+ Credentials for

Diffie-Hellman Authentication
For detailed description of NIS+ security, see Solaris Naming Administration Guide.

To set up a new key for root on an NIS+ client:

1. Become superuser.

2. Edit the /etc/[Link] file and add the following line:

publickey: nisplus

3. Initialize the NIS+ client.

310 System Administration Guide, Volume II ♦ October 1998

 # nisinit -cH hostname

hostname is the name of a trusted NIS+ server that contains an entry in its tables
for the client machine.

4. Add the client to the cred table by typing the following commands.

# nisaddcred local
# nisaddcred des

5. Verify the setup by using the keylogin command.

If you are prompted for a password, the procedure has succeeded.

Example of Setting Up a New Key for root on a NIS+ Client

The following example uses the host pluto to set up earth as an NIS+ client. You
can ignore the warnings. The keylogin command is accepted, verifying that earth
is correctly set up as a secure NIS+ client.

# nisinit -cH pluto

NIS Server/Client setup utility.
This machine is in the [Link]. directory.
Setting up NIS+ client ...
All done.
# nisaddcred local
# nisaddcred des
DES principal name : [Link]@[Link]
Adding new key for [Link]@[Link] ([Link].)

Network password: xxx <Press Return>

Warning, password differs from login password.
Retype password: xxx <Press Return>

# keylogin
Password:
#

To set up a new key for an NIS+ user:

1. Add the user to the cred table on the root master server by typing the
following command:

# nisaddcred -p [Link]@domainname -P [Link]. des

Using Authentication Services (Tasks) 311

 Note that, in this case, the username-domainname must end with a dot (.)

2. Verify the setup by logging in as the client and typing the keylogin command.

Example of Setting Up a New Key for an NIS+ User

The following example gives DES security authorization to user george.

# nisaddcred -p unix.1234@[Link] -P [Link]. des

DES principal name : unix.1234@[Link]
Adding new key for unix.1234@[Link] ([Link].)

Password:
Retype password:

# rlogin rootmaster -l george

# keylogin
Password:
#

How to Set Up NIS Credentials with

Diffie-Hellman Authentication
To create a new key for sueruser on a client:
1. Become superuser on the client.

2. Edit the /etc/[Link] file and add the following line:

publickey: nis

3. Create a new key pair by using the newkey command.

# newkey -h hostname

hostname is the name of the client.

Example of Setting Up an NIS+ Client to Use Diffie-Hellman

Security
The following example sets up earth as a secure NIS client.

312 System Administration Guide, Volume II ♦ October 1998

 # newkey -h earth
Adding new key for [Link]@[Link]
New Password:
Retype password:
Please wait for the database to get updated...
Your new key has been successfully stored away.
#

To create a new key for a user:

1. Log in to the server as superuser.
Only the system administrator, logged in to the NIS+ server, can generate a new
key for a user.

2. Create a new key for a user.

# newkey -u username

username is the name of the user. The system prompts for a password. The system
administrator can type a generic password. The private key is stored encrypted
with the generic password.

# newkey -u george
Adding new key for unix.12345@[Link]
New Password:
Retype password:
Please wait for the database to get updated...
Your new key has been successfully stored away.
#

3. Tell the user to log in and type the chkey -p command.

This allows the user to re-encrypt their private key with a password known only
to the user.

earth% chkey -p
Updating nis publickey database.
Reencrypting key for unix.12345@[Link]
Please enter the Secure-RPC password for george:
Please enter the login password for george:
Sending key change request to pluto...
#

Using Authentication Services (Tasks) 313

 Note - The chkey command can be used to create a new key-pair for a user.

How to Share and Mount Files With

Diffie-Hellman Authentication
Prerequisite
The Diffie-Hellman publickey authentication must be enabled on the network. See
“How to Set Up NIS+ Credentials for Diffie-Hellman Authentication” on page 310
and “How to Set Up NIS Credentials with Diffie-Hellman Authentication” on page
312.

To share a file system with Diffie-Hellman authentication:

1. Become superuser.

2. Share the file system with Diffie-Hellman authentication.

# share -F nfs -o sec=dh /filesystem

To mount a file system with Diffie-Hellman authentication:

1. Become superuser.

2. Mount the file system with Diffie-Hellman authentication.

# mount -F nfs -o sec=dh server:resource mountpoint

The -o sec=dh option mounts the file system with AUTH_DH authentication.

314 System Administration Guide, Volume II ♦ October 1998

Administering Kerberos Version 4
Authentication
A system administrator can implement policies that help secure the network. The
level of security required will differ with each site. This section provides instructions
for some tasks associated with network security.

How to Share and Mount Files With Kerberos

Authentication
Prerequisite
Kerberos Version 4 authentication must be enabled on the network.

To share a file system with Kerberos authentication:

1. Become superuser.

2. Share the file system with Kerberos authentication.

# share -F nfs -o sec=krb4 /filesystem

To mount a file system with Kerberos authentication:

1. Become superuser.

2. Mount the file system with Kerberos authentication.

# mount -F nfs -o sec=krb4 server:resource mountpoint

The -o sec=krb4 option mounts the file system with AUTH_KERB

authentication.

How to Acquire a Kerberos Ticket for Superuser

on a Client
If the NFS file system that you need to access has not been mounted, you need to
acquire a ticket for superuser on the client before mounting it.

Using Authentication Services (Tasks) 315

 To acquire a ticket for a not-yet-mounted file system:
1. Become superuser.

2. Acquire a Kerberos ticket on the client.

# kinit [Link]

hostname is the name of the client system.

# kinit [Link]
Password:
#

To acquire a ticket for a mounted file system:

If the entry [Link] for the client has been entered into the /etc/srvtab
configuration file, you can use the ksrvtgt command to get a ticket for superuser.
In this case, you are not required to give a superuser password. Consult the MIT
documentation for information about initializing the /etc/srvtab file.

1. Become superuser.

2. Acquire a ticket for a mounted file system.

# ksrvtgt [Link]

Example—Acquiring a Kerberos Ticket for Superuser on a

Client
# ksrvtgt [Link]
#

How to Log In to Kerberos Service

Log in to the Kerberos service by using the kinit -l username command.

earth% kinit -l username

316 System Administration Guide, Volume II ♦ October 1998

The kinit command prompts you for the ticket lifetime (-l option), and your
password. It prints out ticket status using the verbose mode (-v option).

Example of Logging In to Kerberos Service

earth% kinit -l jjones
SunOS (earth)
Kerberos Initialization for ‘‘jjones’’
Kerberos ticket lifetime (minutes): 480
Password:
earth%

How to List Kerberos Tickets

earth% klist

Example of Listing Kerberos Tickets

earth% klist
Ticket file: /tmp/tkt8516
Principal: jjones@[Link]
Issued Expires Principal
Jan 14 [Link] Jan
[Link] [Link]@[Link]

How to Access a Directory With Kerberos

Authentication
Type cd /mountpoint.
Access the mounted directory, just as you would any other mounted directory. You
can list the files in the directory with the ls command, or list the Kerberos tickets
with the klist command.

Example of Accessing a Directory With Kerberos

Authentication
In the following example, user jjones can change to the mounted mntkrb directory
and list the files in this directory.

Using Authentication Services (Tasks) 317

 The kerbd daemon has automatically secured a ticket on the user’s behalf for the
NFS server exporting the file system. At this point there are two valid tickets—the
original ticket-granting ticket, and the server ticket. These two tickets are listed by
klist.

earth% cd /mntkrb
earth% ls -l /mntkrb
-rw-r--r-- 1 marks staff 29 Jul 14 12:22 sports
drwxr-xr-x 3 jjones staff 512 Sep 13 13:44 market

earth% klist
Ticket file: /tmp/tkt8516
Principal: jjones@[Link]
Issued Expires Principal
Jan 14 [Link] Jan
[Link] [Link]@[Link]
Jan 14 [Link] Jan [Link] [Link]@[Link]

How to Destroy a Kerberos Ticket

Enter kdestroy.
Destroy Kerberos tickets when the session is over, so that an unauthorized user
cannot to gain access to it. If you want to reinitiate Kerberos authentication, use the
kinit command.

Example of Destroying a Kerberos Ticket

The following example shows how to destroy the Kerberos ticket. If the user then
tries to change to or list a Kerberos-protected directory, the ticket server denies access.

earth% kdestroy
Tickets destroyed
earth% ls /mntkrb
Can’t get Kerberos key: No ticket file (tf_util)
NFS getattr failed for server pluto: RPC: Authentication error
can not access directory /mntkrb.

Introduction to PAM
The Pluggable Authentication Module (PAM) framework lets you “plug in” new
authentication technologies without changing system entry services such as login,

318 System Administration Guide, Volume II ♦ October 1998

ftp, telnet, and so on. You can also use PAM to integrate UNIX login with other
security mechanisms like DCE or Kerberos. Mechanisms for account, session, and
password management can also be “plugged-in” using this framework.

Benefits of Using PAM

The PAM framework allows a system administrator to choose any combination of
system entry services (ftp, login, telnet, or rsh, for example) for user
authentication. Some of the benefits PAM provides are:
4 Flexible configuration policy

4 Per application authentication policy.

4 The ability to choose a default authentication mechanism.
4 Multiple passwords on high-security systems.

4 Ease of use for the end user

4 No retyping of passwords if they are the same for different mechanisms.

4 The ability to use a single password for multiple authentication methods with
the password mapping feature, even if the passwords associated with each
authentication method are different.
4 The ability to prompt the user for passwords for multiple authentication
methods without having the user enter multiple commands.

4 The ability to pass optional parameters to the user authentication services

Overview of PAM
PAM employs run-time pluggable modules to provide authentication for system
entry services. These modules are broken into four different types based on their
function: authentication, account management, session management, and password
management. A stacking feature is provided to let you authenticate users through
multiple services, as well as a password-mapping feature to not require that users
remember multiple passwords.

PAM Module Types

It is important to understand the PAM module types because the module type defines
the interface to the module. These are the four types of run-time PAM modules:

Using Authentication Services (Tasks) 319

 4 The authentication modules provide authentication for the users and allow for
credentials to be set, refreshed, or destroyed. They provide a valuable
administration tool for user identification.
4 The account modules check for password aging, account expiration, and access hour
restrictions. After the user is identified through the authentication modules, the
account modules determine if the user should be given access.
4 The session modules manage the opening and closing of an authentication session.
They can log activity or provide for clean-up after the session is over.
4 The password modules allow for changes to the actual password.

Stacking Feature
The PAM framework provides a method for authenticating users with multiple
services using stacking. Depending on the configuration, the user can be prompted
for passwords for each authentication method. The order in which the authentication
services are used is determined through the PAM configuration file.

Password-Mapping Feature
The stacking method can require that a user remember several passwords. With the
password-mapping feature, the primary password is used to decrypt the other
passwords, so the user doesn’t need to remember or enter multiple passwords. The
other option is to synchronize the passwords across each authentication mechanism.
Note that this could increase the security risk, since the security of each mechanism
is limited by the least secure password method used in the stack.

PAM Functionality
The PAM software consists of a library, several modules, and a configuration file.
New versions of several system entry commands or daemons which take advantage
of the PAM interfaces are also included.
Figure 15–1 illustrates the relationship between the applications, the PAM library, the
[Link] file, and the PAM modules.

320 System Administration Guide, Volume II ♦ October 1998

Figure 15–1 How PAM Works
The applications (ftp, telnet, and login) use the PAM library to access the
appropriate module. The [Link] file defines which modules to use, and in what
order they are to be used with each application. Responses from the modules are
passed back through the library to the application.
The following sections describe this relationship.

PAM Library
The PAM library, /usr/lib/libpam, provides the framework to load the
appropriate modules and manage the stacking process. It provides a generic
structure to which all of the modules can plug in.

PAM Modules
Each PAM module implements a specific mechanism. When setting up PAM
authentication, you need to specify both the module and the module type, which

Using Authentication Services (Tasks) 321

 defines what the module will do. More than one module type (auth, account, session,
or password) may be associated with each module.
The following list describes each of the PAM modules.
4 The pam_unix module, /usr/lib/security/pam_unix.so.1, provides
support for authentication, account management, session management, and
password management. Any of the four module type definitions can be used with
this module. It uses UNIX passwords for authentication. In the Solaris
environment, the selection of appropriate name services to get password records is
controlled through the /etc/[Link] file. See pam_unix(5) for more
information
4 The dial_auth module, /usr/lib/security/pam_dial_auth.so.1, can
only be used for authentication. It uses data stored in the /etc/dialups and
/etc/d_passwd files for authentication. This is mainly used by login. See
pam_dial_auth(5) for more information.
4 The rhosts_auth module, /usr/lib/security/pam_rhosts_auth.so.1,
can also only be used for authentication. It uses data stored in the ~/.rhosts and
/etc/[Link] files through ruserok( ). This is mainly used by the rlogin
and rsh commands. See pam_rhosts_auth(5) for more information.
For security reasons, these module files must be owned by root and must not be
writable through group or other permissions. If the file is not owned by root,
PAM will not load the module.

PAM Configuration File

The PAM configuration file, /etc/[Link], determines the authentication services
to be used, and in what order they are used. This file can be edited to select
authentication mechanisms for each system-entry application.

Configuration File Syntax

The PAM configuration file consists of entries with the following syntax:

service_name module_type control_flag module_path module_options

322 System Administration Guide, Volume II ♦ October 1998

 service_name Name of the service (for example, ftp, login, telnet).

module_type Module type for the service.

control_flag Determines the continuation or failure semantics for the

module.

module_path Path to the library object that implements the service

functionality.

module_options Specific options that are passed to the service modules.

You can add comments to the [Link] file by starting the line with a # (pound
sign). Use white space to delimit the fields.

Note - An entry in the PAM configuration file is ignored if one of the following
conditions exist: the line has less than four fields, an invalid value is given for
module_type or control_flag, or the named module is not found.

Valid Service Names

Table 15–1 lists some of the valid service names, the module types that can be used
with that service, and the daemon or command associated with the service name.

There are several module types that are not appropriate for each service. For
example, the password module type is only specified to go with the passwd
command. There is no auth module type associated with this command since it is
not concerned with authentication.

TABLE 15–1 Valid Service Names for /etc/[Link]

Service Name Daemon or Command Module Type

dtlogin /usr/dt/bin/dtlogin auth, account, session

ftp /usr/sbin/[Link] auth, account, session

init /usr/sbin/init session

login /usr/bin/login auth, account, session

Using Authentication Services (Tasks) 323

 TABLE 15–1 Valid Service Names for /etc/[Link] (continued)

Service Name Daemon or Command Module Type

passwd /usr/bin/passwd password

rexd /usr/sbin/[Link] auth

rlogin /usr/sbin/[Link] auth, account, session

rsh /usr/sbin/[Link] auth, account, session

sac /usr/lib/saf/sac session

su /usr/bin/su auth, account, session

telnet /usr/sbin/[Link] auth, account, session

ttymon /usr/lib/saf/ttymon session

uucp /usr/sbin/[Link] auth, account, session

Control Flags
To determine continuation or failure behavior from a module during the
authentication process, you must select one of four control flags for each entry. The
control flags indicate how a successful or a failed attempt through each module are
handled. Even though these flags apply to all module types, the following
explanation assumes that these flags are being used for authentication modules. The
control flags are as follows:

4 required - This module must return success in order to have the overall result be
successful.

If all of the modules are labeled as required, then authentication through all
modules must succeed for the user to be authenticated.

If some of the modules fail, then an error value from the first failed module is
reported.

If a failure occurs for a module flagged as required, all modules in the stack are
still tried but failure is returned.

324 System Administration Guide, Volume II ♦ October 1998

 If none of the modules are flagged as required, then at least one of the entries
for that service must succeed for the user to be authenticated.
4 requisite - This module must return success for additional authentication to
occur.
If a failure occurs for a module flagged as requisite, an error is immediately
returned to the application and no additional authentication is done. If the stack
does not include prior modules labeled as required that failed, then the error
from this module is returned. If a earlier module labeled as required has failed,
the error message from the required module is returned.
4 optional - If this module fails, the overall result can be successful if another
module in this stack returns success.
The optional flag should be used when one success in the stack is enough for a
user to be authenticated. This flag should only be used if it is not important for
this particular mechanism to succeed.
If your users need to have permission associated with a specific mechanism to get
their work done, then you should not label it as optional.
4 sufficient - If this module is successful, skip the remaining modules in the
stack, even if they are labeled as required.
The sufficient flag indicates that one successful authentication will be enough
for the user to be granted access.
More information about these flags is provided in “Configuring PAM” on page
328 which describes the default /etc/[Link] file.

Generic [Link] File

The following is an example of a generic [Link] file:

# PAM configuration
# Authentication management
#
login auth required /usr/lib/security/pam_unix.so.1
login auth required /usr/lib/security/pam_dial_auth.so.1
rlogin auth sufficient /usr/lib/security/pam_rhost_auth.so.1
rlogin auth required /usr/lib/security/pam_unix.so.1
dtlogin auth required /usr/lib/security/pam_unix.so.1
telnet auth required /usr/lib/security/pam_unix.so.1
su auth required /usr/lib/security/pam_unix.so.1
ftp auth required /usr/lib/security/pam_unix.so.1
uucp auth required /usr/lib/security/pam_unix.so.1
rsh auth required /usr/lib/security/pam_rhost_auth.so.1
OTHER auth required /usr/lib/security/pam_unix.so.1
#
# Account management
#

(continued)

Using Authentication Services (Tasks) 325

 (Continuation)

login account required /usr/lib/security/pam_unix.so.1

rlogin account required /usr/lib/security/pam_unix.so.1
dtlogin account required /usr/lib/security/pam_unix.so.1
telnet account required /usr/lib/security/pam_unix.so.1
ftp account required /usr/lib/security/pam_unix.so.1
OTHER account required /usr/lib/security/pam_unix.so.1
#
# Session management
#
login session required /usr/lib/security/pam_unix.so.1
rlogin session required /usr/lib/security/pam_unix.so.1
dtlogin session required /usr/lib/security/pam_unix.so.1
telnet session required /usr/lib/security/pam_unix.so.1
uucp session required /usr/lib/security/pam_unix.so.1
OTHER session required /usr/lib/security/pam_unix.so.1
#
# Password management
#
passwd password required /usr/lib/security/pam_unix.so.1
OTHER password required /usr/lib/security/pam_unix.so.1

This generic [Link] file specifies:

1. When running login, authentication must succeed for both the pam_unix and
the pam_dial_auth modules.
2. For rlogin, authentication through the pam_unix module must succeed, if
authentication through pam_rhost_auth fails.
3. The sufficient control flag indicates that for rlogin the successful
authentication provided by the pam_rhost_auth module is sufficient and the
next entry will be ignored.
4. Most of the other commands requiring authentication require successful
authentication through the pam_unix module.
5. Authentication for rsh must succeed through the pam_rhost_auth module.
The OTHER service name allows a default to be set for any other commands
requiring authentication that are not included in the file. The OTHER option makes it
easier to administer the file, since many commands that are using the same module
can be covered using only one entry. Also, the OTHER service name, when used as a
“catch-all,” can ensure that each access is covered by one module. By convention, the
OTHER entry is included at the bottom of the section for each module type.
The rest of the entries in the file control the account, session and password
management.
With the use of the default service name, OTHER, the generic PAM configuration file
is simplified to:

326 System Administration Guide, Volume II ♦ October 1998

 # PAM configuration
#
# Authentication management
#
login auth required /usr/lib/security/pam_unix.so.1
login auth required /usr/lib/scurty/pam_dial_auth.so.1
rlogin auth sufficient /usr/lib/security/pam_unix.so.1
rlogin auth required /usr/lib/security/pam_rhost_auth.so.1
rsh auth required /usr/lib/security/pam_rhost_auth.so.1
OTHER auth required /usr/lib/security/pam_unix.so.1
#
# Account management
#
OTHER account required /usr/lib/security/pam_unix.so.1
#
# Session management
#
OTHER session required /usr/lib/security/pam_unix.so.1
#
# Password management
#
OTHER password required /usr/lib/security/pam_unix.so.1

Normally, the entry for the module_path is “root-relative.” If the filename you enter
for module_path does not begin with a slash (/), the path /usr/lib/security/ is
prepended to the filename. A full pathname must be used for modules located in
other directories.
The values for the module_options can be found in the man pages for the module. (For
example, pam_unix(5)).
The use_first_pass and try_first_pass options, which are supported by the
pam_unix module, let users reuse the same password for authentication without
retyping it.
If login specifies authentication through both pam_local and pam_unix, then the
user is prompted to enter a password for each module. In situations where the
passwords are the same, the use_first_pass module option prompts for only one
password and uses that password to authenticate the user for both modules. If the
passwords are different, the authentication fails. In general, this option should be
used with an optional control flag, as shown below, to make sure that the user can
still log in.

# Authentication management
#
login auth required /usr/lib/security/pam_unix.so.1
login auth optional /usr/lib/security/pam_local.so.1 use_first_pass

If the try_first_pass module option is used instead, the local module prompts
for a second password if the passwords do not match or if an error is made. If both
methods of authentication are necessary for a user to get access to all the tools they

Using Authentication Services (Tasks) 327

 need, using this option could cause some confusion for the user since the user could
get access with only one type of authentication.

Configuring PAM
The section below discusses some of the tasks that may be required to make the
PAM framework fully functional. In particular, you should be aware of some of the
security issues associated with the PAM configuration file.

Planning for PAM

When deciding how best to employ PAM in your environment, start by focusing on
these issues:
4 Determine what your needs are, especially which modules you should select.
4 Identify the services that need special attention; use OTHER if appropriate.
4 Decide on the order in which the modules should be run.
4 Select the control flag for that module.
4 Choose any options necessary for the module.

Here are some suggestions to consider before changing the configuration file:
4 Use the OTHER entry for each module type so that every application does not have
to be included.
4 Make sure to consider the security implications of the sufficient and
optional control flags.
4 Review the man pages associated with the modules to understand how each
module will function, what options are available, and the interactions between
stacked modules.

Warning - If the PAM configuration file is misconfigured or gets corrupted, it is

possible that even the superuser would be unable to log in. Since sulogin does not
use PAM, the superuser would then be required to boot the machine into single user
mode and fix the problem.

After changing the /etc/[Link] file, review it as much as possible while still
logged in as superuser. Test all of the commands that might have been affected by
your changes. For example, if you added a new module to the telnet service, use
the telnet command and verify that the changes you made behave as expected.

328 System Administration Guide, Volume II ♦ October 1998

How to Add a PAM Module
1. Become superuser.

2. Determine which control flags and other options should be used.

Refer to “PAM Modules” on page 321 information on the module.

3. Copy the new module to /usr/lib/security.

4. Set the permissions so that the module file is owned by root and permissions
are 555.

5. Edit the PAM configuration file, /etc/[Link], and add this module to the
appropriate services.

Verification

It is very important to do some testing before the system is rebooted in case the
configuration file is misconfigured. Run rlogin, su, and telnet before rebooting
the system. If the service is a daemon spawned only once when the system is booted,
it may be necessary to reboot the system before you can verify that the module has
been added.

How to Prevent Unauthorized Access from

Remote Systems with PAM
Remove the rlogin auth rhosts_auth.so.1 entry from the PAM configuration
file. This prevents reading the ~/.rhosts files during an rlogin session and
therefore prevents unauthenticated access to the local system from remote systems.
All rlogin access requires a password, regardless of the presence or contents of any
~/.rhosts or /etc/[Link] files.

Note - To prevent other unauthenticated access to the ~/.rhosts files, remember to

disable the rsh service. The best way to disable a service is to remove the service
entry from /etc/[Link]. Changing the PAM configuration file does not
prevent the service from being started.

How to Initiate PAM Error Reporting

1. Edit the /etc/[Link] to add any of the following PAM error reporting
entries:
4 [Link] — messages about conditions that should be fixed immediately
4 [Link] — critical messages

Using Authentication Services (Tasks) 329

 4 [Link] — error messages
4 [Link] — informational messages
4 [Link] — debugging messages

2. Restart the syslog daemon or send a SIGHUP signal to it to activate the PAM
error reporting.

Example—Initiating PAM Error Reporting

The example below displays all alert messages on the console. Critical messages are
mailed to root. Informational and debug messages are added to the
/var/log/pamlog file.

[Link] /dev/console
[Link] ’root’
[Link];[Link] /var/log/pamlog

Each line in the log contains a time stamp, the name of the system that generated the
message, and the message itself. The pamlog file is capable of logging a large
amount of information.

330 System Administration Guide, Volume II ♦ October 1998

CHAPTER 16

Using Automated Security

Enhancement Tool (Tasks)

This chapter describes how to use the Automated Security Enhancement Tool (ASET)
to monitor or restrict access to system files and directories.
This is a list of step-by-step instructions in this chapter.
4 “How to Run ASET Interactively” on page 350
4 “How to Run ASET Periodically” on page 351
4 “How to Stop Running ASET Periodically” on page 352
4 “How to Collect Reports on a Server” on page 352

Automated Security Enhancement Tool

(ASET)
SunOS 5.7 system software includes the Automated Security Enhancement Tool
(ASET). ASET helps you monitor and control system security by automatically
performing tasks that you would otherwise do manually.
The ASET security package provides automated administration tools that enable you
to control and monitor your system’s security. You specify a security level—low,
medium, or high—at which ASET will run. At each higher level, ASET’s file-control
functions increase to reduce file access and tighten your system security.
There are seven tasks involved with ASET, each performing specific checks and
adjustments to system files. The ASET tasks tighten file permissions, check the
contents of critical system files for security weaknesses, and monitor crucial areas.
ASET can safeguard a network by applying the basic requirements of a firewall

331
 system to a system that serves as a gateway system. (See “Firewall Setup” on page
598.)
ASET uses master files for configuration. Master files, reports, and other ASET files
are in the /usr/aset directory. These files can be changed to suit the particular
requirements of your site.
Each task generates a report noting detected security weaknesses and changes the
task has made to the system files. When run at the highest security level, ASET will
attempt to modify all system security weaknesses. If it cannot correct a potential
security problem, ASET reports the existence of the problem.
You can initiate an ASET session by using the /usr/aset command interactively, or
you can also set up ASET to run periodically by putting an entry into the crontab
file.
ASET tasks are disk-intensive and can interfere with regular activities. To minimize
the impact on system performance, schedule ASET to run when system activity level
is lowest, for example, once every 24 or 48 hours at midnight.

ASET Security Levels

ASET can be set to operate at one of three security levels: low, medium, or high. At
each higher level, ASET’s file-control functions increase to reduce file access and
heighten system security. These functions range from monitoring system security
without limiting users’ file access, to increasingly tightening access permissions until
the system is fully secured.
The three levels are outlined below:
4 Low security – This level ensures that attributes of system files are set to standard
release values. ASET performs several checks and reports potential security
weaknesses. At this level, ASET takes no action and does not affect system
services.
4 Medium security – This level provides adequate security control for most
environments. ASET modifies some of the settings of system files and parameters,
restricting system access to reduce the risks from security attacks. ASET reports
security weaknesses and any modifications it makes to restrict access. At this level,
ASET does not affect system services.
4 High security – This level renders a highly secure system. ASET adjusts many
system files and parameter settings to minimum access permissions. Most system
applications and commands continue to function normally, but at this level,
security considerations take precedence over other system behavior.

Note - ASET does not change the permissions of a file to make it less secure, unless
you downgrade the security level or intentionally revert the system to the settings
that existed prior to running ASET.

332 System Administration Guide, Volume II ♦ October 1998

ASET Tasks
This section discusses what ASET does. You should understand each ASET
task—what its objectives are, what operations it performs, and what system
components it affects—to interpret and use the reports effectively.
ASET report files contain messages that describe as specifically as possible any
problems discovered by each ASET task. These messages can help you diagnose and
correct these problems. However, successful use of ASET assumes that you possess a
general understanding of system administration and system components. If you are a
new administrator, you can refer to other SunOS 5.7 system administration
documentation and related manual pages to prepare yourself for ASET
administration.
The taskstat utility identifies the tasks that have been completed and the ones that
are still running. Each completed task produces a report file. For a complete
description of the taskstat utility, refer to taskstat(1M).

System Files Permissions Verification

This task sets the permissions on system files to the security level you designate. It is
run when the system is installed. If you decide later to alter the previously
established levels, run this task again. At low security, the permissions are set to
values that are appropriate for an open information-sharing environment. At
medium security, the permissions are tightened to produce adequate security for
most environments. At high security, they are tightened to severely restrict access.
Any modifications that this task makes to system files permissions or parameter
settings are reported in the [Link] file. “Tune Files” on page 348 shows an
example of the files that ASET consults when setting permissions.

System Files Checks

This task examines system files and compares each one with a description of that file
listed in a master file. The master file is created the first time ASET runs this task.
The master file contains the system file settings enforced by checklist for the
specified security level.
A list of directories whose files are to be checked is defined for each security level.
You can use the default list, or you can modify it, specifying different directories for
each level.
For each file, the following criteria are checked:
4 Owner and group
4 Permission bits
4 Size and checksum
4 Number of links

Using Automated Security Enhancement Tool (Tasks) 333

 4 Last modification time
Any discrepancies found are reported in the [Link] file. This file contains the
results of comparing system file size, permission, and checksum values to the master
file.

User/Group Checks
This task checks the consistency and integrity of user accounts and groups as defined
in the passwd and group files. It checks the local, and NIS or NIS+ password files.
NIS+ password file problems are reported but not corrected. This task checks for the
following violations:
4 Duplicate names or IDs
4 Entries in incorrect format
4 Accounts without a password
4 Invalid login directories
4 The nobody account
4 Null group password
4 A plus sign (+) in the /etc/passwd file on an NIS (or NIS+) server
Discrepancies are reported in the [Link] file.

System Configuration Files Check

During this task, ASET checks various system tables, most of which are in the /etc
directory. These files are:
4 /etc/default/login
4 /etc/[Link]
4 /etc/[Link]
4 /etc/aliases
4 /var/adm/utmp
4 /var/adm/utmpx
4 /.rhosts
4 /etc/vfstab
4 /etc/dfs/dfstab
4 /etc/ftpusers
ASET performs various checks and modifications on these files, and reports all
problems in the [Link] file.

334 System Administration Guide, Volume II ♦ October 1998

Environment Check
This task checks how the PATH and UMASK environment variables are set for root,
and other users, in the /.profile, /.login, and /.cshrc files.
The results of checking the environment for security are reported in the [Link]
file.

eeprom Check
This task checks the value of the eeprom security parameter to ensure that it is set to
the appropriate security level. You can set the eeprom security parameter to none,
command, or full.
ASET does not change this setting, but reports its recommendations in the
[Link] file.

Firewall Setup
This task ensures that the system can be safely used as a network relay. It protects an
internal network from external public networks by setting up a dedicated system as
a firewall, which is described in “Firewall Systems” on page 257. The firewall system
separates two networks, each of which approaches the other as untrusted. The
firewall setup task disables the forwarding of Internet Protocol (IP) packets and hides
routing information from the external network.
The firewall task runs at all security levels, but takes action only at the highest level.
If you want to run ASET at high security, but find that your system does not require
firewall protection, you can eliminate the firewall task by editing the asetenv file.
Any changes made are reported in the [Link] file.

ASET Execution Log

ASET generates an execution log whether it runs interactively or in the background.
By default, ASET generates the log file on standard output. The execution log
confirms that ASET ran at the designated time, and also contains any execution error
messages. The aset -n command directs the log to be delivered by electronic mail
to a designated user. For a complete list of ASET options, refer to aset(1M).

Example of an Execution Log File

ASET running at security level low

Machine=example; Current time = 0325_08:00

Using Automated Security Enhancement Tool (Tasks) 335

 aset: Using /usr/aset as working directory

Executing task list...

firewall
env
sysconfig
usrgrp
tune
cklist
eeprom
All tasks executed. Some background tasks may still be running.

Run /usr/aset/util/taskstat to check their status:

$/usr/aset/util/taskstat aset_dir
Where aset_dir is ASET’s operating directory, currently=/usr/aset

When the tasks complete, the reports can be found in:

/usr/aset/reports/latest/*.rpt
You can view them by:
more /usr/aset/reports/latest/*.rpt

The log first shows the system and time that ASET was run. Then it lists each task as
it is started.
ASET invokes a background process for each of these tasks, which are described in
“ASET Tasks” on page 333. The task is listed in the execution log when it starts; this
does not indicate that it has been completed. To check the status of the background
tasks, use the taskstat utility.

ASET Reports
All report files generated from ASET tasks are in subdirectories under the
/usr/aset/reports directory. This section describes the structure of the
/usr/aset/reports directory, and provides guidelines on managing the report
files.
ASET places the report files in subdirectories that are named to reflect the time and
date when the reports are generated. This enables you to keep an orderly trail of
records documenting the system status as it varies between ASET executions. You
can monitor and compare these reports to determine the soundness of your system’s
security.
Figure 16–1 shows an example of the reports directory structure.

336 System Administration Guide, Volume II ♦ October 1998

 /usr/aset

masters reports util

0124_01:00 0125_01:00 latest

[Link] [Link] [Link] [Link]

[Link] [Link] [Link]

Figure 16–1 reports Directory Structure

Two report subdirectories are shown in this example:
4 0124_01:00
4 0125_01:00
The subdirectory names indicate the date and time the reports were generated. Each
report subdirectory name has the following format:
monthdate_hour:minute
where month, date, hour, and minute are all two-digit numbers. For example,
0125_01:00 represents January 25, at 1 a.m.
Each of the two report subdirectories contains a collection of reports generated from
one execution of ASET.
The latestdirectory is a symbolic link that always points to the subdirectory that
contains the latest reports. Therefore, to look at the latest reports that ASET has
generated, you can go to the /usr/aset/reports/latest directory. There is a
report file in this directory for each task that ASET performed during its most recent
execution.

Format of Report Files

Each report file is named after the task that generates it. See Table 16–1 for a list of
tasks and their reports.

Using Automated Security Enhancement Tool (Tasks) 337

 TABLE 16–1 ASET Tasks and Resulting Reports

Tasks Report

System file permissions tuning (tune) [Link]

System files checklist (cklist) [Link]

User/group checks (usrgrp) [Link]

System configuration files check (sysconf) [Link]

Environment check (env) [Link]

eeprom check (eeprom) [Link]

Firewall setup (firewall) [Link]

Within each report file, messages are bracketed by a beginning and an ending banner
line. Sometimes a task terminates prematurely; for example, when a component of
ASET is accidently removed or damaged. In most cases, the report file will contain a
message near the end that indicates the reason for the premature exit.
The following is a sample report file, [Link].

*** Begin User and Group Checking ***

Checking /etc/passwd ...

Warning! Password file, line 10, no passwd
:sync::1:1::/:/bin/sync
..end user check; starting group check ...
Checking /etc/group...
*** End User And group Checking ***

Examining Report Files

After initially running or reconfiguring ASET, you should examine the report files
closely. (Reconfiguration includes modifying the asetenv file or the master files in
the masters subdirectory, or changing the security level at which ASET operates.)
The reports record any errors introduced when you reconfigured. By watching the
reports closely, you can react to, and solve, problems as they arise.

338 System Administration Guide, Volume II ♦ October 1998

Comparing Report Files
After you monitor the report files for a period during which there are no
configuration changes or system updates, you may find that the content of the
reports begin to stabilize and that it contains little, if any, unexpected information.
You can use the diff utility to compare reports.

ASET Master Files

ASET’s master files, [Link], [Link], [Link], and uid_aliases, are
located in the /usr/aset/masters directory. ASET uses the master files to define
security levels.

Tune Files
The [Link], [Link], and [Link] master files define the available ASET
security levels. They specify the attributes of system files at each level and are used
for comparison and reference purposes.

The uid_aliases File

The uid_aliases file contains a list of multiple user accounts sharing the same ID.
Normally, ASET warns about such multiple user accounts because this practice
lessens accountability. You can allow for exceptions to this rule by listing the
exceptions in the uid_aliases file. ASET does not report entries in the passwd file
with duplicate user IDs if these entries are specified in the uid_aliases file.
Avoid having multiple user accounts (password entries) share the same user ID. You
should consider other methods of achieving your objective. For example, if you
intend for several users to share a set of permissions, you could create a group
account. Sharing user IDs should be your last resort, used only when absolutely
necessary and when other methods will not accomplish your objectives.
You can use the UID_ALIASES environment variable to specify an alternate aliases
file. The default is /usr/aset/masters/uid_aliases.

The Checklist Files

The master files used by the systems files checklist are generated when you first
execute ASET, or when you run ASET after you change the security level.
The files checked by this task are defined by the following environment variables:
4 CKLISTPATH_LOW
4 CKLISTPATH_MED

Using Automated Security Enhancement Tool (Tasks) 339

 4 CKLISTPATH_HIGH

ASET Environment File (asetenv)

The environment file, asetenv, contains a list of variables that affect ASET tasks.
These variables can be changed to modify ASET operation.

Configuring ASET
This section discusses how ASET is configured and the environment under which it
operates.
ASET requires minimum administration and configuration, and in most cases, you
can run it with the default values. You can, however, fine-tune some of the
parameters that affect the operation and behavior of ASET to maximize its benefit.
Before changing the default values, you should understand how ASET works, and
how it affects the components of your system.
ASET relies on four configuration files to control behavior of its tasks:
4 /usr/aset/asetenv
4 /usr/aset/masters/[Link]
4 /usr/aset/masters/[Link]
4 /usr/aset/masters/[Link]

Modifying the Environment File (asetenv)

The /usr/aset/asetenv file has two main sections:
4 A user-configurable parameters section
4 An internal environment variables section
You can alter the user-configurable parameters section. However, the settings in the
internal environment variables section are for internal use only and should not be
modified.
You can edit the entries in the user-configurable parameters section to:
4 Choose which tasks to run
4 Specify directories for checklist task
4 Schedule ASET execution
4 Specify an aliases file
4 Extend checks to NIS+ tables

340 System Administration Guide, Volume II ♦ October 1998

Choose Which Tasks to Run: TASKS
Each of the tasks ASET performs monitors a particular area of system security. In
most system environments, all the tasks are necessary to provide balanced security
coverage. However, you may decide to eliminate one or more of the tasks.
For example, the firewall task runs at all security levels, but takes action only at the
high security level. You may want to run ASET at the high-security level, but do not
require firewall protection.
It’s possible to set up ASET to run at the high level without the firewall feature by
editing the TASKS list of environment variables in the asetenv file. By default, the
TASKS list contains all of the ASET tasks. (An example is shown below). To delete a
task, remove the task setting from the file. In this case, you would delete the
firewall environment variable from the list. The next time ASET runs, the
excluded task will not be performed.

TASKS=’’env sysconfig usrgrp tune cklist eeprom firewall’’

Specify Directories for Checklist Task: CKLISTPATH

The system files check checks attributes of files in selected system directories. You
define which directories to check by using these checklist path environment
variables:

4 CKLISTPATH_LOW

4 CKLISTPATH_MED

4 CKLISTPATH_HIGH
The CKLISTPATH_LOW variable defines the directories to be checked at the low
security level. CKLISTPATH_MED and CKLISTPATH_HIGH environment variables
function similarly for the medium and high security levels.

The directory list defined by a variable at a lower security level should be a subset of
the directory list defined at the next higher level. For example, all directories
specified for CKLISTPATH_LOW should be included in CKLISTPATH_MED, and all the
directories specified for CKLISTPATH_MED should be included in
CKLISTPATH_HIGH.
Checks performed on these directories are not recursive; ASET only checks those
directories explicitly listed in the variable. It does not check their subdirectories.

You can edit these variable definitions to add or delete directories that you want
ASET to check. Note that these checklists are useful only for system files that do not
normally change from day to day. A user’s home directory, for example, is generally
too dynamic to be a candidate for a checklist.

Using Automated Security Enhancement Tool (Tasks) 341

 Schedule ASET Execution: PERIODIC_SCHEDULE
When you start ASET, you can start it interactively, or use the −p option to request
that the ASET tasks run at a scheduled time and period. You can run ASET
periodically, at a time when system demand is light. For example, ASET consults
PERIODIC_SCHEDULE to determine how frequently to execute the ASET tasks, and
at what time to run them. For detailed instructions about setting up ASET to run
periodically, see “How to Run ASET Periodically” on page 351.
The format of PERIODIC_SCHEDULE follows the format of crontab entries. See
crontab(1) for complete information.

Specify an Aliases File: UID_ALIASES

The UID_ALIASES variable specifies an aliases file that lists shared user IDs. The
default is /usr/aset/masters/uid_aliases.

Extend Checks to NIS+ Tables: YPCHECK

The YPCHECK environment variable specifies whether ASET should also check
system configuration file tables. YPCHECK is a Boolean variable; you can specify only
true or false for it. The default value is false, disabling NIS+ table checking.
To understand how this variable works, consider its effect on the passwd file. When
this variable is set to false, ASET checks the local passwd file. When it is set to true,
the task also checks the NIS+ passwd file for the domain of the system.

Note - Although ASET automatically repairs the local tables, it only reports
potential problems in the NIS+ tables; it does not change them.

Modifying the Tune Files

ASET uses the three master tune files, [Link], [Link], and [Link], are
used by ASET to ease or tighten access to critical system files. These master files are
located in the /usr/aset/masters directory, and they can be modified to suit your
environment. For additional information, see “Tune Files” on page 348.
The [Link] file sets permissions to values appropriate for default system settings.
The [Link] file further restricts these permissions and includes entries not
present in [Link]. The [Link] file restricts permissions even further.

Note - Modify settings in the tune file by adding or deleting file entries. Setting a
permission to a less restrictive value than the current setting has no effect; the ASET
tasks do not relax permissions unless you downgrade your system security to a
lower level.

342 System Administration Guide, Volume II ♦ October 1998

Restoring System Files Modified by ASET
When ASET is executed for the first time, it saves and archives the original system
files. The [Link] utility reinstates these files. It also deschedules ASET, if it
is currently scheduled for periodic execution. The [Link] utility is located
in /usr/aset, the ASET operating directory.
Changes made to system files are lost when you run [Link].
You should use [Link]:
4 When you want to remove ASET changes and restore the original system. If you
want to deactivate ASET permanently, you can remove it from cron scheduling if
the aset command had been added to root’s crontab previously. For directions
on how to use cron to remove automatic execution, see “How to Stop Running
ASET Periodically” on page 352.
4 After a brief period of experimenting with ASET, to restore the original system
state.
4 When some major system functionality is not working properly and you suspect
that ASET is causing the problem.

Network Operation Using the NFS System

Generally, ASET is used in standalone mode, even on a system that is part of a
network. As system administrator for your standalone system, you are responsible
for the security of your system and for running and managing ASET to protect your
system.
You can also use ASET in the NFS distributed environment. As a network
administrator, you are responsible for installing, running, and managing various
administrative tasks for all of your clients. To facilitate ASET management across
several client systems, you can make configuration changes that are applied globally
to all clients, eliminating the need for you to log in to each system to repeat the
process.
When deciding how to set up ASET on your networked systems, you should
consider how much you want users to control security on their own systems, and
how much you want to centralize responsibility for security control.

Providing a Global Configuration for Each Security Level

A case might arise where you want to set up more than one network configuration.
For example, you may want to set up one configuration for clients that are
designated with low security level, another configuration for those with medium
level, and yet another one with high level.

Using Automated Security Enhancement Tool (Tasks) 343

 If you need to create a separate ASET network configuration for each security level,
you can create three ASET configurations on the server—one for each level. You
would export each configuration to the clients with the appropriate security level.
Some ASET components that are common to all three configurations could be shared
using links.

Collecting ASET Reports

Not only can you centralize the ASET components on a server to be accessed by
clients with or without superuser privilege, but you can also set up a central
directory on a server to collect all reports produced by tasks running on various
clients. For instructions on setting up a collection mechanism, see “How to Collect
Reports on a Server” on page 352.
Setting up the collection of reports on a server allows you to review reports for all
clients from one location. You can use this method whether a client has superuser
privilege or not. Alternatively, you can leave the reports directory on the local system
when you want users to monitor their own ASET reports.

Environment Variables
Table 16–2 lists the ASET environment variables and the values that they specify.

TABLE 16–2 Environment Variables and Their Meanings

Environment Variable Specifies ...

ASETDIR (See below) ASET working directory

ASETSECLEVEL (See below) Security level

PERIOD_SCHEDULE Periodic schedule

TASKS Tasks to run

UID_ALIASES Aliases file

YPCHECK Extends check to NIS and NIS+

CKLISTPATH_LOW Directory lists for low security

344 System Administration Guide, Volume II ♦ October 1998

TABLE 16–2 Environment Variables and Their Meanings (continued)

Environment Variable Specifies ...

CKLISTPATH_MED Directory list for medium security

CKLISTPATH_HIGH Directory list for high security

The environment variables listed below are found in the /usr/aset/asetenv file.
The ASETDIR and ASETSECLEVEL variables are optional and can be set only
through the shell by using the aset command. The other environment variables can
be set by editing the file. The variables are described below.

ASETDIR Variable
ASETDIR specifies an ASET working directory.

From the C shell, type:

% setenv ASETDIR pathname

From the Bourne shell or the Korn shell, type:

$ ASETDIR=pathname
$ export ASETDIR

Set pathname to the full path name of the ASET working directory.

ASETSECLEVEL Variable
The ASETSECLEVEL variable specifies a security level at which ASET tasks are
executed.

From the C shell, type:

% setenv ASETSECLEVEL level

From the Bourne shell or the Korn shell, type:

Using Automated Security Enhancement Tool (Tasks) 345

 $ ASETSECLEVEL=level
export ASETSECLEVEL

In the above commands, level can be set to one of the following:

low Low security level

med Medium security level

high High security level

PERIODIC_SCHEDULE Variable
The value of PERIODIC_SCHEDULE follows the same format as the crontab file.
Specify the variable value as a string of five fields enclosed in double quotation
marks, each field separated by a space:

"minutes hours day-of-month month day-of-week"

TABLE 16–3 Periodic_Schedule Variable Values

Variable Value

minutes hours Specifies start time in number of minutes after the hour (0-59)
and the hour (0-23)

day-of-month Specifies the day of the month when ASET should be run, using
values from 1 through 31

month Specifies the month of the year when ASET should be run,
using values from 1 through 12

day-of-week Specifies the day of the week when ASET should be run, using
values from 0 through 6; Sunday is day 0 in this scheme

The following rules apply:

4 You can specify a list of values, each delimited by a comma, for any field.

346 System Administration Guide, Volume II ♦ October 1998

4 You can specify a value as a number, or you can specify it as a range; that is, a
pair of numbers joined by a hyphen. A range states that the ASET tasks should be
executed for every time included in the range.
4 You can specify an asterisk (*) as the value of any field. An asterisk specifies all
possible values of the field, inclusive.
The default entry for PERIODIC_SCHEDULE variable causes ASET to execute at 12:00
midnight every day:

PERIODIC_SCHEDULE=’’0 0 * * *’’

TASKS Variable
The TASKS variable lists the tasks that ASET performs. The default is to list all seven
tasks:

TASKS=’’env sysconfig usrgrp tune cklist eeprom firewall’’

UID_ALIASES Variable
The UID_ALIASES variable specifies an aliases file. If present, ASET consults this file
for a list of permitted multiple aliases. The format is UID_ALIASES=pathname.
pathname is the full path name of the aliases file.
The default is:

UID_ALIASES=${ASETDIR}/masters/uid_aliases

YPCHECK Variable
The YPCHECK variable extends the task of checking system tables to include NIS or
NIS+ tables. It is a Boolean variable, which can be set to either true or false.
The default is false, confining checking to local system tables:

YPCHECK=false

CKLISTPATH_level Variable
The three checklist path variables list the directories to be checked by the checklist
task. The following definitions of the variables are set by default; they illustrate the
relationship between the variables at different levels:

CKLISTPATH_LOW=${ASETDIR}/tasks:${ASETDIR}/util:${ASETDIR}/masters:
/etc
CKLISTPATH_MED=${CKLISTPATH_LOW}:/usr/bin:/usr/ucb
CKLISTPATH_HIGH=${CKLISTPATH_MED}:/usr/lib:/sbin:/usr/sbin:/usr/ucblib

Using Automated Security Enhancement Tool (Tasks) 347

 The values for the checklist path environment variables are similar to those of the
shell path variables, in that they are lists of directory names separated by colons ( : ).
You use an equal sign ( =) to connect the variable name to its value.

ASET File Examples

This section has examples of some of the ASET files, including the tune files and the
aliases file.

Tune Files
ASET maintains three tune files. The entry format in all three tune files are described
in Table 16–4.

TABLE 16–4 Tune File Entry Format

Entry Description

pathname The full path name of the file

mode A five-digit number that represents the permission setting

owner The owner of the file

group The group owner of the file

type The type of the file

The following rules apply:

4 You can use regular shell wildcard characters, such as an asterisk (*) and a
question mark (?), in the path name for multiple references. See sh(1) for more
information.
4 mode represents the least restrictive value. If the current setting is already more
restrictive than the specified value, ASET does not loosen the permission settings.
For example, if the specified value is 00777, the permission will remain unchanged,
because 00777 is always less restrictive than whatever the current setting is.
This is how ASET handles mode setting, unless the security level is being
downgraded or you are removing ASET. When you decrease the security level
from what it was for the previous execution, or when you want to restore the

348 System Administration Guide, Volume II ♦ October 1998

 system files to the state they were in before ASET was first executed, ASET
recognizes what you are doing and decreases the protection level.
4 You must use names for owner and group instead of numeric IDs.
4 You can use a question mark (?) in place of owner, group, and type to prevent ASET
from changing the existing values of these parameters.
4 type can be symlink (symbolic link), directory, or file (everything else).
4 Higher security level tune files reset file permissions to be at least as restrictive as
they are at lower levels. Also, at higher levels, additional files are added to the list.
4 A file can match more than one tune file entry. For example, etc/passwd matches
etc/pass* and /etc/* entries.
4 Where two entries have different permissions, the file permission is set to the most
restrictive value. In the following example, the permission of /etc/passwd will
be set to 00755, which is the more restrictive of 00755 and 00770.

/etc/pass* 00755 ? ? file

/etc/* 00770 ? ? file

4 If two entries have different owner or group designations, the last entry takes
[Link] following example shows the first few lines of the [Link] file.

/ 02755 root root directory

/bin 00777 root bin symlink
/sbin 02775 root sys directory
/usr/sbin 02775 root bin directory
/etc 02755 root sys directory
/etc/chroot 00777 bin bin symlink

Aliases File
An aliases file contains a list of aliases that share the same user ID.
Each entry is in this form:
uid=alias1=alias2=alias3=...

uid Shared user ID.

aliasn User account sharing the user ID.

For example, the following entry lists the user ID 0 being shared by sysadm and
root:
0=root=sysadm

Using Automated Security Enhancement Tool (Tasks) 349

 Running ASET
This section describes how to run ASET either interactively or periodically.

How to Run ASET Interactively

1. Become superuser.

2. Run ASET interactively by using the aset command.

# /usr/aset/aset -l level -d pathname

level Specifies the level of security. Valid values are low, medium,
or high. The default setting is low. See “ASET Security
Levels” on page 332 for detailed information about security
levels.

pathname Specifies the working directory for ASET. The default is /

usr/aset.

3. Verify ASET is running by viewing the ASET execution log that is displayed
on the screen.
The execution log message identifies which tasks are being run.

Example—Running ASET Interactively

The following example runs ASET at low security with the default working directory.

# /usr/aset/aset -l low
======= ASET Execution Log =======

ASET running at security level low

Machine = jupiter; Current time = 0111_09:26

aset: Using /usr/aset as working directory

Executing task list ...

firewall
env
sysconf
usrgrp

(continued)

350 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

tune
cklist
eeprom

All tasks executed. Some background tasks may still be running.

Run /usr/aset/util/taskstat to check their status:

/usr/aset/util/taskstat [aset_dir]

where aset_dir is ASET’s operating

directory,currently=/usr/aset.

When the tasks complete, the reports can be found in:

/usr/aset/reports/latest/*.rpt

You can view them by:

more /usr/aset/reports/latest/*.rpt

How to Run ASET Periodically

1. Become superuser.

2. If necessary, set up the time when you want ASET to run periodically.
You should have ASET run when system demand is light. The
PERIODIC_SCHEDULE environment variable in the /usr/aset/asetenv file is
used to set up the time for ASET to run periodically. By default, the time is set for
midnight every 24 hours.
If you want to set up a different time, edit the PERIODIC_SCHEDULE variable in
the /usr/aset/asetenv file. See “PERIODIC_SCHEDULE Variable” on page 346
for detailed information about setting the PERIODIC_SCHEDULE variable.

3. Add an entry to the crontab file using the aset command.

# /usr/aset/aset -p

Inserts a line in the crontab file that starts ASET running at

−p
the time determined by the PERIODIC_SCHEDULE
environment variable in the /usr/aset/asetenv file.

4. Display the crontab entry to verify when ASET will run.

Using Automated Security Enhancement Tool (Tasks) 351

 # crontab -l root

How to Stop Running ASET Periodically

1. Become superuser.

2. Edit the crontab file.

# crontab -e root

3. Delete the ASET entry.

4. Save the changes and exit.

5. Display the crontab entry to verify the ASET entry is deleted.

# crontab -l root

How to Collect Reports on a Server

1. Become superuser.

2. Set up a directory on the server:

a. Change to the /usr/aset directory.

mars# cd /usr/aset

b. Create a rptdir directory.

mars# mkdir rptdir

c. Change to the rptdir directory and create a client_rpt directory.

352 System Administration Guide, Volume II ♦ October 1998

 mars# cd rptdir
mars# mkdir client_rpt

d. This creates a subdirectory (client_rpt) for a client. Repeat this step for each
client whose reports you need to collect.
The following example creates the directory all_reports, and the
subdirectories pluto_rpt and neptune_rpt.

mars# cd /usr/aset
mars# mkdir all_reports
mars# cd all_reports
mars# mkdir pluto_rpt
mars# mkdir neptune_rpt

3. Add the client_rpt directories to the /etc/dfs/dfstab file.

The directories should have read/write options.
For example, the following entries in dfstab are shared with read/write
permissions.

share -F nfs -o rw=pluto /usr/aset/all_reports/pluto_rpt

share -F nfs -o rw=neptune /usr/aset/all_reports/neptune_rpt

4. Make the resources in the dfstab file available to the clients.

# shareall

5. On each client, mount the client subdirectory from the server at the mount
point, /usr/aset/masters/reports

# mount server:/usr/aset/client_rpt /usr/aset/masters/reports

6. Edit the /etc/vfstab file to mount the directory automatically at boot time.

Using Automated Security Enhancement Tool (Tasks) 353

 The following sample entry in /etc/vfstab on neptune lists the directory to
be mounted from mars, /usr/aset/all_reports/neptune_rpt, and the
mount point on neptune, /usr/aset/reports. At boot time, the directories
listed in vfstab are automatically mounted.

mars:/usr/aset/all_reports/[Link] /usr/aset/reports nfs - yes

hard

Troubleshooting ASET Problems

This section documents the error messages generated by ASET.

ASET Error Messages

ASET failed: no mail program found.

Reason Error Occurred How to Fix the Problem

ASET is directed to send the execution log to Install a mail program.

a user, but no mail program can be found.

Usage: aset [-n user[@host]] in /bin/mail or /usr/ucb/mail.

Cannot decide current and previous security levels.

354 System Administration Guide, Volume II ♦ October 1998

Reason Error Occurred How to Fix the Problem

ASET cannot determine what the security Ensure the current security level is set either
levels are for the current and previous through the command line option or the
invocations. ASETSECLEVELenvironment variable. Also,
ensure that the last line of ASETDIR/
archives/[Link] correctly
reflects the previous security level. If these
values are not set or are incorrect, specify
them correctly.

ASET working directory undefined.

To specify, set ASETDIR environment variable or use command line
option -d.
ASET startup unsuccessful.

Reason Error Occurred How to Fix the Problem

The ASET working (operating) directory is Use the ASETDIR environment variable or
not defined, or defined incorrectly. the -d command line option to specify it
correctly, and restart ASET.

ASET working directory $ASETDIR missing.

ASET startup unsuccessful.

Reason Error Occurred How to Fix the Problem

The ASET working (operating) directory is Ensure that the correct directory—that is, the
not defined, or it is defined incorrectly. This directory containing the ASET directory
may be because the ASETDIR variable or the hierarchy—is referred to correctly.
-d command line option refers to a
nonexistent directory.

Cannot expand $ASETDIR to full pathname.

Using Automated Security Enhancement Tool (Tasks) 355

 Reason Error Occurred How to Fix the Problem

ASET cannot expand the directory name Ensure that the directory name is given
given by the ASETDIR variable or the -d correctly, and that it refers to an existing
command line option to a full path name. directory to which the user has access.

aset: invalid/undefined security level.

To specify, set ASETSECLEVEL environment variable or use command
line option -l, with argument= low/med/high.

Reason Error Occurred How to Fix the Problem

The security level is not defined or it is Use the ASETSECLEVEL variable or the -l
defined incorrectly. Only the values low, command line option to specify one of the
med, or high are acceptable. three values.

ASET environment file asetenv not found in $ASETDIR.

ASET startup unsuccessful.

Reason Error Occurred How to Fix the Problem

ASET cannot locate an asetenv file in its Ensure there is an asetenv file in ASET’s
working directory. working directory. See asetenv(4) for the
details about this file.

filename doesn’t exist or is not readable.

Reason Error Occurred How to Fix the Problem

The file referred to by filename doesn’t exist Ensure the argument to the -u option exists
or is not readable. This can specifically occur and is readable.
when using the -u option where you can
specify a file that contains a list of users
whom you want to check.

ASET task list TASKLIST undefined.

356 System Administration Guide, Volume II ♦ October 1998

Reason Error Occurred How to Fix the Problem

The ASET task list, which should be defined Examine your asetenv file. Ensure the task
in the asetenv file, is not defined. This can list is defined in the User Configurable
mean that your asetenv file is bad. section. Also check other parts of the file to
ensure the file is intact. See asetenv(4) for
the content of a good asetenv file.

ASET task list $TASKLIST missing.

ASET startup unsuccessful.

Reason Error Occurred How to Fix the Problem

The ASET task list, which should be defined Examine your asetenv file. Ensure the task
in the asetenv file, is not defined. This can list is defined in the User Configurable
mean that your asetenv file is bad. section. Also check other parts of the file to
ensure the file is intact. See asetenv(4) for
the content of a good asetenv file.

Schedule undefined for periodic invocation.

No tasks executed or scheduled. Check asetenv file.

Reason Error Occurred How to Fix the Problem

ASET scheduling is requested using the -p Check the User Configurable section of
option, but the variable the asetenv file to ensure the variable is
PERIODIC_SCHEDULE is undefined in the defined and is in proper format.
asetenv file.

Warning! Duplicate ASET execution scheduled.

Check crontab file.

Using Automated Security Enhancement Tool (Tasks) 357

 Reason Error Occurred How to Fix the Problem

ASET is scheduled more than once. In other Verify, through the crontab(1) command
words, scheduling is requested while a interface, that the correct schedule is in
schedule is already in effect. This is not effect. Ensure that no unnecessary crontab
necessarily an error if more than one entries for ASET are in place.
schedule is indeed desired, just a warning
that normally this is unnecessary since you
should use the crontab(1) scheduling
format if you want more than one schedule.

358 System Administration Guide, Volume II ♦ October 1998

PART V Managing System Resources

This part provides instructions for managing system resources in the Solaris
environment. This part contains these chapters.

Provides overview information about Solaris commands

Chapter 17
and utilities that help you manage system resources by
using disk quotas, accounting programs, and cron and
at commands.

Provides step-by-step instructions for examining and

Chapter 18
changing system information.

Provides step-by-step instructions for optimizing disk

Chapter 19
space by locating unused files and large directories.

Provides step-by-step instructions for setting up and

Chapter 20
administering disk quotas.

Provides step-by-step instructions for scheduling routine

Chapter 21
or one-time system events using crontab and at
features.

Provides step-by-step instructions for setting up and

Chapter 22
maintaining system accounting.

Provides reference information for system accounting

Chapter 23
software.
CHAPTER 17

Managing System Resources (Overview)

This chapter contains overview information about miscellaneous features offered by

UNIX software and the Solaris operating environment to help you manage system
resources by using disk quotas, accounting programs, and crontab and at
commands that automatically run routine commands.
This is a list of the overview information in this chapter.
4 “What Are Quotas?” on page 362
4 “Executing Routine Tasks Automatically” on page 362
4 “What is System Accounting?” on page 364

Where to Find System Resource Tasks

Use these references to find step-by-step instructions for managing system resources.
4 Chapter 18
4 Chapter 19
4 Chapter 20
4 Chapter 21
4 Chapter 22

361
 What Are Quotas?
Quotas enable system administrators to control the size of UFS file systems by
limiting the amount of disk space and the number of inodes (which roughly
corresponds to the number of files) that individual users can acquire. For this reason,
quotas are especially useful on the file systems where user home directories reside.
(As a rule, public and /tmp file systems probably wouldn’t benefit as much from the
establishment of quotas.)
Setting up quotas involves these general steps:
1. A series of commands prepares a file system to accept quotas, ensuring that
quotas will be enforced each time the system is rebooted and the file system is
mounted. Entries must be added to the /etc/vfstab file, and a quotas file
must be created in the top-level directory of the file system.
2. After a quota is created for one user, it can be copied as a prototype to set up
other user quotas.
3. Before quotas are actually turned on, another command checks for consistency by
comparing the proposed quotas to the current disk usage making sure there are
no conflicts.
4. Finally, a command turns the quotas on for one or more entire file systems.
These steps ensure that quotas are automatically activated on a file system each time
it is mounted. See Chapter 20 for specific information about these procedures.
Once they are in place, quotas can be changed to adjust the amount of disk space or
number of inodes that users can consume. Additionally, quotas can be added or
removed as system needs change. See “Changing and Removing Quotas” on page
406 for instructions on how to change quotas, disable individual quotas, or remove
quotas from file systems.
In addition, quota status can be monitored. Quota commands enable administrators
to display information about quotas on a file system, or search for users who have
exceeded their quotas. For procedures that describe how to use these commands, see
“Checking Quotas” on page 403.

Executing Routine Tasks Automatically

Many routine system events can be set up to execute automatically. Some of these
tasks should occur repetitively, at regular intervals. Other tasks need to run only
once, perhaps during off hours such as evenings or weekends.

362 System Administration Guide, Volume II ♦ October 1998

This section contains overview information about two commands, crontab and at,
which enable you to schedule routine commands to execute automatically, avoiding
peak hours or repeating commands according to a fixed schedule. crontab
schedules repetitive commands, while at schedules commands that execute once.

Scheduling Repetitive Jobs: crontab

You can schedule routine system administration commands to execute daily, weekly,
or monthly by using the crontab commands.
Daily crontab system administration tasks might include:
4 Removing junk files more than a few days old from temporary directories
4 Executing accounting summary commands
4 Taking snapshots of the system by using df and ps commands
4 Performing daily security monitoring
4 Running system backups
Weekly crontab system administration tasks might include:
4 Rebuilding the catman database for use by man -k
4 Running fsck -n to list any disk problems
Monthly crontab system administration tasks might include:
4 Listing files not used that month
4 Producing monthly accounting reports
Additionally, users can schedule crontab commands to execute other routine
system tasks, such as sending reminders and removing backup files.

Scheduling a Single Job: at

The at command allows you to schedule a job for execution at a later time. The job
may consist of a single command or a script.
Like crontab, at allows you to schedule the automatic completion of routine
commands. However, unlike crontab files, at files execute their commands once,
and then are removed from their directory. Therefore, at is most useful for running
simple commands or scripts that direct output into separate files for later
examination.
Submitting an at job involves entering a command, following the at command
syntax to specify options to schedule the time your job will be executed. For more
information about submitting at jobs, see “at Command Description” on page 425.

Managing System Resources (Overview) 363

 The at command stores the command or script you entered, along with a copy of
your current environment variables in either /usr/spool/cron/atjobs or
/var/spool/cron/atjobs. As a file name, your at job file is given a long number
specifying its location in the at queue, followed by the .a extension, such as
793962000.a.
The cron daemon periodically executes the atrun program, usually at 15-minute
intervals. atrun then executes at jobs at their scheduled times. After your at job
has been executed, its file is removed from the atjobs directory.

What is System Accounting?

The SunOS 5.7 system accounting software is a set of programs that enables you to
collect and record data about user connect time, CPU time charged to processes, and
disk usage. Once this data is collected, you can generate reports and charge fees for
system usage.
The accounting programs can be used for:
4 Monitoring system usage
4 Troubleshooting
4 Locating and correcting performance problems
4 Maintaining system security
After they’re set up, the system accounting programs run mostly on their own.

Accounting Components
The accounting software provides C language programs and shell scripts that
organize data into summary files and reports. These programs reside in the
/usr/adm/acct and /usr/lib/acct directories.
Daily accounting can help you do four types of auditing:
4 Connect
4 Process
4 Disk
4 Fee calculations

364 System Administration Guide, Volume II ♦ October 1998

How Accounting Works
Setting up automatic accounting involves putting the accounting startup script into
crontab files so they can be started automatically by cron.
The following is an overview of how accounting works.
1. Between system startup and shutdown, raw data about system use (such as user
logins, running processes, and data storage) are collected in accounting files.
2. Periodically (usually once a day), the /usr/lib/acct/runacct program
processes the various accounting files and produces both cumulative summary
files and daily accounting reports. The daily reports are printed by the
/usr/lib/acct/prdaily program.
3. Monthly, the administrator can process and print the cumulative summary files
generated by runacct by executing the monacct program. The summary reports
produced by monacct provide an efficient means for billing users on a monthly
or other fiscal basis.
See Chapter 22 for instructions on setting up the accounting software. See Chapter 23
for reference information about the different accounting features.

Managing System Resources (Overview) 365

366 System Administration Guide, Volume II ♦ October 1998
CHAPTER 18

Examining and Changing System

Information (Tasks)

This chapter describes tasks required to examine and change the most common
system information. This is a list of the step-by-step instructions in this chapter.
4 “How to Display General System Information (uname)” on page 369
4 “How to Display a System’s Host ID Number ” on page 369
4 “How to Display a System’s Installed Memory” on page 370
4 “How to Display the Date and Time” on page 370
4 “How to Synchronize Date and Time From Another System” on page 373
4 “How to Set a System’s Date and Time Manually” on page 373
4 “How to Set Up a Message of the Day” on page 374
4 “How to Set the Number of Processes per User” on page 375
4 “How to Increase the Number of Pseudo-ttys” on page 376
4 “How to Increase Shared Memory Segments” on page 377

Using Commands to Display System

Information
Table 18–1 describes commands that enable you to display general system
information.

367
 TABLE 18–1 Commands for Displaying System Information

Command Enables You to Display a System’s ...

Hostname, host identification number, release, kernel

showrev(1M) architecture, application architecture, hardware provider,
domain, and kernel version

Operating system name, release, and version; node name;

uname(1) hardware name; processor type

Host ID number
hostid(1)

Installed memory
prtconf(1M)

Date and time

date(1)

How to Display System and Software Release

Information
To display specific system and software release information, use the showrev
command.

$ showrev [-a]

-a Displays all system release information available.

Example—Displaying System and Software Release

Information
The following example shows showrev command output.

$ showrev -a
Hostname: pluto
Hostid: 5721864d
Release: 5.7
Kernel architecture: sun4m
Application architecture: sparc
Hardware provider: Sun_Microsystems
Domain: [Link]
Kernel version: SunOS 5.7 Generic September 1998

(continued)

368 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

OpenWindows version:
OpenWindows Version 3.7, 3 February 1998
No patches are installed
$

How to Display General System Information

(uname)
To display system information, use the uname command.

$ uname[-a]

-a Displays the operating system name as well as the system node

name, operating system release, operating system version,
hardware name, and processor type.

Example—Displaying General System Information

The following example shows uname command output.

$ uname
SunOS
$ uname -a
SunOS pluto 5.7 Generic sun4m sparc SUNW,SPARCstation-5
$

How to Display a System’s Host ID Number

To display the host identification number in hexadecimal format, use the hostid
command.

$ hostid

Example—Displaying a System’s Host ID Number

The following example shows sample output from the hostid command.

Examining and Changing System Information (Tasks) 369

 $ hostid
7725ac42

How to Display a System’s Installed Memory

To display the amount of memory installed on your system, use the prtconf
command.

$ prtconf [| grep Memory]

grep Memory Focuses output from this command to display memory

information only.

Example—Displaying a System’s Installed Memory

The following example shows sample output from the prtconf command.

# prtconf | grep Memory

Memory size: 56 Megabytes

How to Display the Date and Time

To display the current date and time according to your system clock, use the date
command.

$ date

Example—Displaying the Date and Time

The following example shows sample output from the date command.

$ date
Thu Feb 26 [Link] MST 1998
$

370 System Administration Guide, Volume II ♦ October 1998

Using Commands to Change System
Information
Table 18–2 shows man page references and descriptions for some commands that
enable you to change general system information.

TABLE 18–2 Commands for Changing System Information

Command Enables You to Change a System’s ...

Date and time to match those of another system

rdate(1M)

Date and time to match your specifications

date(1)

Using these commands, you can set a system’s date and time to synchronize with the
date and time of another system, such as a server. Or you can change a system’s date
and time by specifying new information.
The message of the day (MOTD) facility, located in /etc/motd, enables you to send
announcements or inquiries to all users of a system when they log in. Use this
facility sparingly, and edit this file regularly to remove obsolete messages.
By editing the /etc/system file, you can:
4 Change the number of processes per user
4 Increase the number of pseudo-ttys to 256
4 Increase the number of lock requests
4 Increase shared memory segments

Using Network Time Protocol (NTP) in Your

Networ
The Network Time Protocol (NTP) public domain software from the University of
Delaware is included in the Solaris software starting with the Solaris 2.6 release.
NTP enables you to manage precise time and/or network clock synchronization in a
network environment. The xntpd daemon sets and maintains a Unix system
time-of-day in agreement with Internet standard time servers. The xntpd daemon is

Examining and Changing System Information (Tasks) 371

 a complete implementation of the Network Time Protocol version 3 standard, as
defined by RFC 1305.
The xntpd daemon reads the /etc/inet/[Link] file at system startup. See
xntpd(1M) for information about configuration options. See the following section for
instructions on setting up an NTP server and clients.
Keep the following in mind when using NTP in your network:
4 The xntpd daemon takes up minimal system resources.
4 An NTP client synchronizes automatically when it boots, and if it gets out of sync,
it will resync again when it sees a time server.

How to Set Up a Network Time (NTP) Server

1. Become superuser.

2. Change to the /etc/inet directory.

3. Copy the [Link] file to the [Link] file.

# cp [Link] [Link]

4. Change to the /etc/init.d directory.

5. Start the xntpd daemon.

# ./xntpd start

How to Set Up a Network Time (NTP )Client

1. Become superuser.

2. Change to the /etc/inet directory.

3. Copy the [Link] file to the [Link] file.

# cp [Link] [Link]

4. Change to the /etc/init.d directory.

5. Start the xntpd daemon.

372 System Administration Guide, Volume II ♦ October 1998

 # ./xntpd start

How to Synchronize Date and Time From Another

System
1. Become superuser.

2. To reset the date and time to synchronize with another system, use the rdate
command.

# rdate other-system-name

other-system-name Name of another system.

3. Verify that you have reset your system’s date correctly by checking your
system’s date and time using the date command.
The output should show a date and time that matches that of the other system.

Example—Synchronizing Date and Time From Another

System
The following example shows how to use rdate to synchronize the date and time of
one system with another. In this example, the system neptune, running several
hours behind, is reset to match the date and time of the server pluto.

neptune$ date
Thu Feb 26 [Link] MST 1998
neptune# rdate pluto
Thu Feb 26 [Link] MST 1998
neptune$ date
Thu Feb 26 [Link] MST 1998

How to Set a System’s Date and Time Manually

1. Become superuser.

2. Enter the new date and time.

Examining and Changing System Information (Tasks) 373

 # date mmddHHMM[[cc]yy]

mm Month, using two digits.

dd Day of the month, using two digits.

HH Hour, using two digits and a 24-hour clock.

MM Minutes, using two digits.

cc Century, using two digits.

yy Year, using two digits.

3. Verify that you have reset your system’s date correctly by checking your
system’s date and time using the date command with no options.
The output should show a date and time that matches that of the other system.

Example—Setting a System’s Date and Time Manually

The following example shows how to use date to manually set a system’s date and
time.

# date
Thu Feb 26 [Link] MST 1998
# date 022610221998

How to Set Up a Message of the Day

1. Become superuser.

2. Open the /etc/motd file, using the editor of your choice.

3. Edit the text to include the message that will be displayed as part of the user
login process, including spaces, Tabs, and Returns.

4. Exit the file, saving your changes.

374 System Administration Guide, Volume II ♦ October 1998

5. Verify the changes by displaying the contents of the /etc/motd.

$ cat /etc/motd
Welcome to the UNIX Universe. Have a nice day.

Example—Setting Up a Message of the Day

The default message of the day, provided when you install Solaris software, contains
SunOS version information:

$ cat /etc/motd
Sun Microsystems Inc SunOS 5.7 Generic September 1998

The following example shows an edited /etc/motd file that provides information
about system availabilty to each user who logs in.

$ cat /etc/motd
The system will be down from 7:00 a.m to 2:00 [Link]
Saturday, February 28, for upgrades and maintenance.
Do not try to access the system during those hours.
Thank you...

How to Set the Number of Processes per User

1. Open the /etc/system file, using the editor of your choice.

2. Add the following line to the file.

set maxuprc=value

value Number of processes a user can run at once.

3. Exit the file, saving changes.

4. Verify the maxuprc value change.

Examining and Changing System Information (Tasks) 375

 # grep maxuprc /etc/system
set maxuprc=100

5. Reboot the system.

Example—Setting the Number of Processes per User

The following example shows the line you would add to the /etc/system file to
allow users to run 100 processes each.

set maxuprc=100

How to Increase the Number of Pseudo-ttys

1. Open the /etc/system file, using the editor of your choice.

2. Add the following line to the file.

set pt_cnt=value
set npty=same_value_as_pt_cnt
set sad_cnt=2_times_pt_cnt value
set nautopush=same_value_as_pt_cnt

set pt_cnt Sets the number of System V ptys.

set npty Sets the number of BSD ptys.

set sad_cnt Sets the number of STREAMS addressable devices.

set nautopush Sets the number of STREAMS autopush entries and should
be two times the value of sadcnt.

3. Exit the file, saving changes.

4. Verify the pt_cnt value change.

376 System Administration Guide, Volume II ♦ October 1998

 # grep pt_cnt /etc/system
set pt_cnt=256

5. Instruct the system to reconfigure upon rebooting.

$ touch /reconfigure

6. Reboot the system.

Example—Increasing the Number of Pseudo-ttys

The following example increases the number of ptys to 128.

set pt_cnt=128
set npty=128
set sad_cnt=256
set nautopush=128

How to Increase Shared Memory Segments

1. Open the /etc/system file, using the editor of your choice.

2. Add the following variables to increase shared memory segments.

set shmsys:shminfo_shmmax=value
set shmsys:shminfo_shmmin=value
set shmsys:shminfo_shmmni=value
set shmsys:shminfo_shmseg=value
set semsys:seminfo_semmap=value
set semsys:seminfo_semmni=value
set semsys:seminfo_semmns=value
set semsys:seminfo_semmsl=value
set semsys:seminfo_semmnu=value
set semsys:seminfo_semume=value

Examining and Changing System Information (Tasks) 377

 shmsys:shminfo_shmmax Maximum shared memory segment size

shmsys:shminfo_shmmin Mininum shared memory segment size

shmsys:shminfo_shmmni Number of shared memory identifiers

shmsys:shminfo_shmseg Number of segments, per process

semsys:seminfo_semmap Number of entries in the semaphore map

semsys:seminfo_semmni Number of semaphore identifiers

semsys:seminfo_semmns Number of semaphores in the system

semsys:seminfo_semmsl Maximum number of semaphores, per id

semsys:seminfo_semmnu Number of processes using the undo facility

semsys:seminfo_semume Maximum number of undo structures per

process

3. Exit the file, saving changes.

4. Verify the shared memory value changes.

# grep shmsys /etc/system

5. Reboot the system.

Example—Increasing Shared Memory Segments

The following shared memory values accommodate a system with a large amount of
memory (for example, 128 MBytes) that is running a large database application.

set shmsys:shminfo_shmmax=268435456
set shmsys:shminfo_shmmin=200
set shmsys:shminfo_shmmni=200
set shmsys:shminfo_shmseg=200
set semsys:seminfo_semmap=250
set semsys:seminfo_semmni=500
set semsys:seminfo_semmns=500
set semsys:seminfo_semmsl=500

(continued)

378 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

set semsys:seminfo_semmnu=500
set semsys:seminfo_semume=100

Examining and Changing System Information (Tasks) 379

380 System Administration Guide, Volume II ♦ October 1998
CHAPTER 19

Managing Disk Use (Tasks)

This chapter describes how to optimize disk space by locating unused files and large
directories. This is a list of the step-by-step instructions in this chapter.
4 “How to Display Information About Blocks, Files, and Disk Space” on page 381
4 “How to Display the Size of Files” on page 384
4 “How to Find Large Files” on page 385
4 “How to Find Files That Exceed a Given Size Limit” on page 386
4 “How to Display the Size of Directories, Subdirectories, and Files” on page 387
4 “How to Display the User Allocation of Local UFS File System” on page 388
4 “How to List the Newest Files” on page 390
4 “How to Find and Remove Old or Inactive Files ” on page 390
4 “How to Clear Out Temporary Directories” on page 392
4 “How to Find and Delete core Files” on page 393
4 “How to Delete Crash Dump Files” on page 393

Displaying Blocks and Files Used

Use the df command and its options to report the number of free disk blocks and
files. For more information, see df(1M).

How to Display Information About Blocks, Files,

and Disk Space
Display information about how disk space is used by using the df command.

381
 $ df [directory] [-F fstype] [-g] [-k] [-t]

df With no options, lists all mounted file systems and their device
names, the number of total 512-byte blocks used, and the
number of files.

directory Directory whose file system you want to check. The device
name, blocks used, and number of files are displayed.

Displays a list of unmounted file systems, their device names,

−F fstype
the number of 512-byte blocks used, and the number of files on
file systems of type fstype.

Displays the statvfs structure for all mounted file systems.

−g

Displays a list of file systems, kilobytes used, free kilobytes,

−k
percent capacity used, and mount points.

Displays total blocks as well as blocks used for all mounted file
−t
systems.

Note - For remotely mounted file systems, ‘‘-1 files’’ is displayed instead of
the number of files.

Examples—Displaying Information About Blocks, Files, and

Disk Space
In the following example, all the file systems listed are locally mounted except for
/usr/local, which is mounted remotely from the system mars, and does not use
local disk resources.

$ df
/ (/dev/dsk/c0t3d0s0 ): 30374 blocks 14002 files
/usr (/dev/dsk/c0t3d0s6 ): 40714 blocks 80522 files
/proc (/proc ): 0 blocks 429 files
/dev/fd (fd ): 0 blocks 0 files
/export/home (/dev/dsk/c0t3d0s7 ): 10712 blocks 10564 files
/export/root (/dev/dsk/c0t3d0s3 ): 69180 blocks 18812 files
/export/swap (/dev/dsk/c0t3d0s4 ): 61804 blocks 29563 files
/opt (/dev/dsk/c0t3d0s5 ): 15722 blocks 13147 files
/tmp (swap ): 57104 blocks 5653 files
/usr/local (mars:/usr/local ): 435040 blocks -1 files
$

382 System Administration Guide, Volume II ♦ October 1998

In the following example, the file system, total Kbytes, used Kbytes, available Kbytes,
percent of capacity used, and mount point are displayed.

$ df -k
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t3d0s0 30991 15812 12089 57% /
/dev/dsk/c0t3d0s6 185303 164946 1827 99% /usr
/proc 0 0 0 0% /proc
fd 0 0 0 0% /dev/fd
/dev/dsk/c0t3d0s7 19095 13739 3456 80% /export/home
/dev/dsk/c0t3d0s3 34599 9 31140 1% /export/root
/dev/dsk/c0t3d0s4 55511 24609 25352 50% /export/swap
/dev/dsk/c0t3d0s5 23063 15202 5561 74% /opt
swap 29564 976 28588 4% /tmp
mars:/usr/local 5353093 5135591 163972 97% /usr/local
$

The following example shows information about the same system as the previous
example, but only UFS file system information is displayed.

$ df -F ufs
/ (/dev/dsk/c0t3d0s0 ): 30358 blocks 14002 files
/usr (/dev/dsk/c0t3d0s6 ): 40714 blocks 80522 files
/export/home (/dev/dsk/c0t3d0s7 ): 10712 blocks 10564 files
/export/root (/dev/dsk/c0t3d0s3 ): 69180 blocks 18812 files
/export/swap (/dev/dsk/c0t3d0s4 ): 61804 blocks 29563 files
/opt (/dev/dsk/c0t3d0s5 ): 15722 blocks 13147 files
$

Note - Although /proc and /tmp are local file systems, they are not UFS file
systems (/proc is a PROCFS file system, and /tmp is a TMPFS file system).

The following example shows a list of all mounted file systems, device names, total
512-byte blocks used, and number of files. The second line of each two-line entry
displays the total number of blocks and files allocated for the file system.

$ df -t
/ (/dev/dsk/c0t3d0s0 ): 30358 blocks 14002 files
total: 61982 blocks 16128 files
/usr (/dev/dsk/c0t3d0s6 ): 40714 blocks 80522 files
total: 370606 blocks 94080 files
/proc (/proc ): 0 blocks 429 files
total: 0 blocks 492 files
/dev/fd (fd ): 0 blocks 0 files
total: 0 blocks 26 files
/export/home (/dev/dsk/c0t3d0s7 ): 10712 blocks 10564 files
total: 38190 blocks 10752 files
/export/root (/dev/dsk/c0t3d0s3 ): 69180 blocks 18812 files

(continued)

Managing Disk Use (Tasks) 383

 (Continuation)

total: 69198 blocks 18816 files

/export/swap (/dev/dsk/c0t3d0s4 ): 61804 blocks 29563 files
total: 111022 blocks 29568 files
/opt (/dev/dsk/c0t3d0s5 ): 15722 blocks 13147 files
total: 46126 blocks 13440 files
/tmp (swap ): 57144 blocks 5653 files
total: 59096 blocks 5768 files
/usr/local (mars:/usr/local ): 435008 blocks -1 files
total: 10706186 blocks -1 files
$

Checking the Size of Files

You can check the size of files and sort them by using the ls command. You can find
files that exceed a size limit by using the find command. For more information, see
ls(1) and find(1).

How to Display the Size of Files

1. Change the directory to where the files you want to check are located.

2. Display the size of the files.

$ ls [-l] [-s]

Displays a list of files and directories in long format, showing

−l
the sizes in bytes.

Displays a list of the files and directories, showing the sizes

−s
in blocks.

Examples—Displaying the Size of Files

The following example shows that lastlog, wtmp, and wtmpx are substantially
larger than the other files in the /var/adm directory.

384 System Administration Guide, Volume II ♦ October 1998

 venus% cd /var/adm
venus% ls -l
total 434
-r--r--r-- 1 root other 585872 Jan 28 14:53 lastlog
drwxrwxr-x 2 adm adm 512 Dec 1 16:35 log
-rw-r--r-- 1 root other 408 Jan 28 14:15 messages
-rw-r--r-- 1 root other 177 Jan 24 16:56 messages.0
-rw-r--r-- 1 root other 177 Jan 17 16:13 messages.1
-rw-r--r-- 1 root other 0 Jan 4 04:05 messages.2
-rw-r--r-- 1 root other 562 Jan 2 13:13 messages.3
drwxrwxr-x 2 adm adm 512 Dec 1 16:35 passwd
drwxrwxr-x 2 adm sys 512 Jan 28 11:38 sa
-rw-rw-rw- 1 bin bin 0 Nov 26 10:56 spellhist
-rw------- 1 root root 1319 Jan 28 14:58 sulog
-rw-r--r-- 1 root bin 288 Jan 28 14:53 utmp
-rw-r--r-- 1 root bin 2976 Jan 28 14:53 utmpx
-rw-rw-r-- 1 adm adm 12168 Jan 28 14:53 wtmp
-rw-rw-r-- 1 adm adm 125736 Jan 28 14:53 wtmpx

The following example shows that lpsched-2 uses two blocks.

% cd /var/lp/logs
% ls -s
total 2 0 lpsched 0 lpsched.1 2 lpsched.2%

How to Find Large Files

1. Change directory to the location where you want to search.

2. Display the size of files in blocks from largest to smallest.

$ ls -s | sort -nr | more

sort -nr Sorts the list of files by block size from smallest to
largest.

Example—Finding Large Files

In the following example, wtmpx and lastlog are the largest files in the /var/adm
directory.

Managing Disk Use (Tasks) 385

 $ cd /var/adm
$ ls -s | sort -nr | more
320 wtmpx
128 lastlog
74 pacct
56 messages
30 wtmp
6 utmpx
2 utmp
2 sulog
2 sa
2 passwd
2 log
0 spellhist
total 624

How to Find Files That Exceed a Given Size Limit

To locate and display the names of files that exceed a specified size, use the find
command.

$ find directory -size +nnn

directory Directory you want to search.

-size +nnn Is a number of 512-byte blocks. Files that exceed the size
indicated are listed.

Example—Finding Files That Exceed a Given Size Limit

The following example shows how to find files with more than 400 blocks in the
current working directory.

$ find . -size +400 -print

./Howto/[Link]
./Howto/[Link]
./Howto/[Link]
./Routine/[Link]
./Routine/[Link]
./Routine/[Link]
./.record
./Mail/pagination
./Config/[Link]
./Config/[Link]
./Config/[Link]
./Config/[Link]

(continued)

386 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

./[Link]

Checking the Size of Directories

You can display the size of directories by using the du command and its options.
Additionally, you can find the amount of disk space taken up by user accounts on
local UFS file systems by using the quot command. For more information about
these commands, see du(1M)and quot(1M).

How to Display the Size of Directories,

Subdirectories, and Files
Display the size of one or more directories, subdirectories, and files by using the du
command. Sizes are displayed in 512-byte blocks.

$ du [-as] [directory ...]

du Displays the size of each directory you specify, including

each subdirectory beneath it.

Displays the size of each file and subdirectory, and the

−a
total number of blocks contained in the specified directory.

Displays only the total number of blocks contained in the

−s
specified directory.

directory ... Specifies one or more directories you want to check.

Examples—Displaying the Size of Directories, Subdirectories,

and Files
The following example displays the sizes of two directories and all the subdirectories
they contain.

Managing Disk Use (Tasks) 387

 $ du /var/log /var/cron
4 /var/log
3250 /var/cron

The following example displays the sizes of two directories, all of the subdirectories
and files they contain, and the total number of blocks contained in each directory.

$ du -a /var/log /var/cron
0 /var/log/authlog
0 /var/log/syslog
2 /var/log/[Link]
4 /var/log
3248 /var/cron/log
3250 /var/cron

The following example displays the total sizes of two directories.

$ du -s /var/log /var/cron
4 /var/log
3250 /var/cron

How to Display the User Allocation of Local UFS

File System
1. Become superuser.

2. Display users, directories, or file systems, and the number of 1024-byte blocks
used.

# quot [-a] [filesystem]

Lists all users of each mounted UFS file system and the
−a
number of 1024-byte blocks used.

filesystem Is a UFS file system. Users and the number of blocks

used are displayed.

Note - The quot command works only on local UFS file systems.

388 System Administration Guide, Volume II ♦ October 1998

Example—Displaying the User Allocation of Local UFS File
Systems
In the following example, users of the root (/) file system are displayed, then users
of all mounted UFS file systems are displayed.

# quot /
/dev/rdsk/c0t0d0s0:
35400 bin
183 adm
49 lp
47 uucp
37 bob
28 sys
2 mary
# quot -a
/dev/rdsk/c0t0d0s0 (/):
35400 bin
183 adm
49 lp
47 uucp
37 bob
28 sys
2 mary
/dev/rdsk/c0t0d0s6 (/usr):
56567 bin
2000 lp
698 uucp
1 adm
/dev/rdsk/c0t0d0s7 (/export/home):
617 ken

Finding and Removing Old and Inactive

Files
Part of the job of cleaning up heavily loaded file systems involves locating and
removing files that have not been used recently. You can locate unused files using the
ls or find commands. For more information, see ls(1) and find(1).
Other ways to conserve disk space include emptying temporary directories such as
the ones located in /var/tmp or /var/spool, and deleting core and crash dump
files. For more information about these files, refer to Chapter 31.

Managing Disk Use (Tasks) 389

 How to List the Newest Files
List files, displaying the most recently created or changed files first, by using the
ls -t command.

$ ls -t [directory]

-t Sorts listings by latest time stamp first.

directory Directory you want to search.

Example—Listing the Newest Files

The following example shows how to use ls -t to locate the most recent files
within the /var/adm directory. sulog, messages, utmpx, wtmpx, utmp, and
lastlog were created or edited most recently. This is verified using output from
ls -l, which shows that these three files were created or edited in March, while the
other files in /var/spool were created or edited earlier.

$ ls -t /var/adm
sulog wtmpx wtmp messages.1 [Link] spellhist
messages utmp sa messages.2 log aculog
utmpx lastlog messages.0 messages.3 acct passwd
$ ls -l /var/adm
total 686
drwxr-xr-x 5 adm adm 512 Feb 13 16:20 acct
-rw------- 1 uucp bin 0 Feb 13 16:04 aculog
-r--r--r-- 1 root other 8456 Mar 27 10:34 lastlog
drwxr-xr-x 2 adm adm 512 Feb 13 16:36 log
-rw-r--r-- 1 root other 117376 Mar 27 13:11 messages
-rw-r--r-- 1 root other 4620 Jan 30 08:30 messages.0
-rw-r--r-- 1 root other 11176 Jan 23 04:30 messages.1
-rw-r--r-- 1 root other 60 Jan 13 09:45 messages.2
-rw-r--r-- 1 root other 0 Jan 31 04:05 messages.3
drwxr-xr-x 2 adm adm 512 Feb 13 16:03 passwd
drwxr-xr-x 2 adm sys 512 Mar 20 06:59 sa
-rw-rw-rw- 1 bin bin 0 Feb 13 16:04 spellhist
-rw------- 1 root root 1647 Mar 27 13:28 sulog
-rw-r--r-- 1 root bin 504 Mar 27 10:34 utmp
-rw-r--r-- 1 root bin 5208 Mar 27 10:34 utmpx
-rw-rw-rw- 1 root root 500 Jan 11 14:40 [Link]
-rw-rw-r-- 1 adm adm 14724 Mar 27 10:34 wtmp
-rw-rw-r-- 1 adm adm 151404 Mar 27 10:34 wtmpx

How to Find and Remove Old or Inactive Files

1. Become superuser.

390 System Administration Guide, Volume II ♦ October 1998

2. Find files that have not been accessed for a specified number of days and list
them in a file.

# find directory -type f [-atime + nnn][-mtime + nnn]-print > filename

directory Directory you want to check. Directories below this

also will be checked.

Finds files that have not been accessed within the

−atime +nnn
number of days you specify.

Finds files that have not been modified within the

−mtime +nnn
number of days you specify.

filename File containing the list of inactive files.

3. Remove the inactive files that you listed in the previous step.

# rm ‘cat filename‘

filename File created by this command which contains the list of

inactive files.

Example—Finding and Removing Old or Inactive Files

The following example locates regular files in /var/adm and its directories that have
not been accessed in the last 60 days and saves the list of inactive files in
/var/tmp/deadfiles. These files are then removed with the rm command.

# find /var/adm -type f -atime +60 -print > /var/tmp/deadfiles &

# more /var/tmp/deadfiles
/var/adm/log/[Link]
/var/adm/aculog
/var/adm/spellhist
/var/adm/wtmp
/var/adm/wtmpx
/var/adm/sa/sa13
/var/adm/sa/sa27
/var/adm/sa/sa11
/var/adm/sa/sa23
/var/adm/sulog
/var/adm/[Link]

(continued)

Managing Disk Use (Tasks) 391

 (Continuation)

/var/adm/messages.1
/var/adm/messages.2
/var/adm/messages.3
# rm ‘cat /var/tmp/deadfiles‘

How to Clear Out Temporary Directories

1. Become superuser.

2. Change to the /var/tmp directory.

# cd /var/tmp

Caution - Be sure you are in the right directory before completing the following
step. The next step deletes all files in the current directory.

3. Delete the files and subdirectories in the current directory.

# rm -r *

4. Change to other directories containing temporary or obsolete subdirectories

and files (for example, mail, lost+found, or quotas), and delete them by
repeating Step 3 above.

Example—Clearing Out Temporary Directories

The following example shows how to clear out the /var/tmp directory, and verifies
that all files and subdirectories were removed.

# cd /var/tmp
# ls
deadfiles wxconAAAa0003r:0.0 wxconAAAa000NA:0.0
test_dir wxconAAAa0003u:0.0 wxconAAAa000cc:0.0
wxconAAAa000zs:0.0

(continued)

392 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

# rm -r *
# ls
#

How to Find and Delete core Files

1. Become superuser.

2. Change the directory to where you want to start the search.

3. Find and remove any core files in this directory and its subdirectories.

# find . -name core -exec rm {} \;

Example—Finding and Deleting core Files

The following example shows how to find and remove core files from the user
account belonging to jones using the find command.

# cd /home/jones
# find . -name core -exec rm {} \;

How to Delete Crash Dump Files

Crash dump files can be very large, so if you have enabled your system to store
these files, do not retain them for longer than necessary.

1. Become superuser.

2. Change to the directory where crash dump files are stored.

# cd /var/crash/system

system System that created the crash dump files.

Managing Disk Use (Tasks) 393

 Caution - Be sure you are in the right directory before completing the following
step. The next step deletes all files in the current directory.

3. Remove the crash dump files.

# rm *

4. Verify the crash dump files are removed.

# ls

Example—Deleting Crash Dump Files

The following example shows how to remove crash dump files from the system
venus, and how to verify that the crash dump files were removed.

# cd /var/crash/venus
# rm *
# ls

394 System Administration Guide, Volume II ♦ October 1998

CHAPTER 20

Managing Quotas (Tasks)

This chapter describes how to set up and administer quotas for disk space and
inodes. This is a list of the step-by-step instructions in this chapter.
4 “How to Configure File Systems for Quotas” on page 399
4 “How to Set Up Quotas for a User” on page 400
4 “How to Set Up Quotas for Multiple Users” on page 401
4 “How to Check Quota Consistency” on page 402
4 “How to Turn Quotas On” on page 402
4 “How to Check for Exceeded Quotas” on page 404
4 “How to Check Quotas on a File System” on page 405
4 “How to Change the Soft Time Limit Default” on page 407
4 “How to Change Quotas for a User” on page 408
4 “How to Disable Quotas for a User” on page 409
4 “How to Turn Quotas Off” on page 410

Using Quotas
Using quotas enable system administrators to control the size of UFS file systems by
limiting the amount of disk space and the number of inodes (which roughly
corresponds to the number of files) that individual users can acquire. For this reason,
quotas are especially useful on the file systems where user home directories reside.
Once they are in place, quotas can be changed to adjust the amount of disk space or
number of inodes that users can consume. Additionally, quotas can be added or

395
 removed as system needs change. See “Changing and Removing Quotas” on page
406 for instructions on changing quotas or the amount of time that quotas can be
exceeded, disabling individual quotas, or removing quotas from file systems.
In addition, quota status can be monitored. Quota commands enable administrators
to display information about quotas on a file system, or search for users who have
exceeded their quotas. For procedures that describe how to use these commands, see
“Checking Quotas” on page 403.

Soft Limits vs. Hard Limits

You can set both soft and hard limits. The system will not allow a user to exceed his
or her hard limit. However, a system administrator may set a soft limit (sometimes
referred to as a quota) which can be temporarily exceeded by the user. The soft limit
must be less than the hard limit.
Once the user exceeds the soft limit a timer begins. While the timer is ticking, the
user is allowed to operate above the soft limit but cannot exceed the hard limit. Once
the user goes below the soft limit, the timer gets reset. However, if the user’s usage
remains above the soft limit when the timer expires, the soft limit is enforced as a
hard limit. By default, the soft limit timer is seven days.
The value of the timer is shown by the timeleft field in the repquota and quota
commands.
For example, let’s say a user has a soft limit of 10,000 blocks and a hard limit of
12,000 blocks. If the user’s block usage exceeds 10,000 blocks and the timer is also
exceeded (more than seven days), the user will not be able to allocate more disk
blocks on that file system until his or her usage drops below the soft limit.

Difference Between Disk Block and File Limits

There are two resources that a file system provides to the user: blocks (for data) and
inodes (for files). Each file consumes one inode. File data is stored in data blocks
(usually made of up 1 kilobyte blocks.)
Assuming there are no directories, it is possible for a user to exceed his or her inode
quota without using any blocks by creating all empty files. It is also possible for a
user to use only one inode yet exceed his or her block quota by simply creating one
file large enough to consume all the data blocks in the user’s quota.

396 System Administration Guide, Volume II ♦ October 1998

Setting Up Quotas
You can set up quotas to limit the amount of disk space and number of inodes
(roughly equivalent to the number of files) available to users. These quotas are
activated automatically each time a file system is mounted. This section describes
how to configure file systems for quotas, and how to set up and activate quotas.
Setting up quotas involves these general steps:
1. A series of commands prepares a file system to accept quotas, ensuring that
quotas will be enforced each time the system is rebooted and the file system is
mounted. Entries must be added to the /etc/vfstab file, and a quotas file
must be created in the top-level directory of the file system.
2. After a quota is created for one user, it can be copied as a prototype to set up
other user quotas.
3. Before quotas are actually turned on, another command checks for consistency by
comparing the proposed quotas with the current disk usage to make sure that
there are no conflicts.
4. Finally, a command turns the quotas on for one or more entire file systems.
These steps ensure that quotas are automatically activated on a file system each time
it is mounted. For specific information about these procedures, see “Setting Up
Quotas Task Map” on page 398.
Table 20–1 describes the commands you use to set up disk quotas.

TABLE 20–1 Commands for Setting Up Quotas

Command Enables You To ...

Set the hard and soft limits on the number of inodes and
edquota(1M) disk space for each user.

Examine each mounted UFS file system, comparing

quotacheck(1M) against information stored in the file system’s disk quota
file, and resolve inconsistencies.

Activate the quotas for the specified file systems.

quotaon(1M)

Display user’s quotas on mounted file systems to verify

quota(1M) that quotas have been correctly set up.

Managing Quotas (Tasks) 397

 Guidelines for Setting Up Quotas
Before you set up quotas, you need to determine how much space and how many
inodes to allocate to each user. If you want to be sure the total file system space is
never exceeded, you can divide the total size of the file system between the number
of users. For example, if three users share a 100-Mbyte slice and have equal disk
space needs, you could allocate 33 Mbytes to each. In environments where not all
users are likely to push their limits, you may want to set individual quotas so that
they add up to more than the total size of the file system. For example, if three users
share a 100-Mbyte slice, you could allocate 40 Mbytes to each.
When you have established a quota for one user by using the edquota command,
you can use this quota as a prototype to set the same quota for other users on the
same file system.
After you have configured UFS file systems for quotas and established quotas for
each user, run the quotacheck command to check consistency between current disk
usage and quota files before you actually turn quotas on. Also, if systems are
rebooted infrequently, it is a good idea to periodically run quotacheck.
The quotas you set up with edquota are not enforced until you turn them on by
using the quotaon command. If you have properly configured the quota files,
quotas will be turned on automatically each time a system is rebooted and the file
system is mounted.

Setting Up Quotas Task Map

TABLE 20–2 Setting Up Quotas Task Map

Task Description For Instructions, Go To

1. Configure a File System Edit /etc/vfstab so that quotas are

“How to Configure File
for Quotas activated each time the file system is
Systems for Quotas” on page
mounted, and create a quotas file.
399

2. Set Up Quotas for a User Use the edquota command to create disk
“How to Set Up Quotas for a
and inode quotas for a single user account.
User” on page 400

3. Set Up Quotas for Optional. Use edquota to apply prototype “How to Set Up Quotas for
Multiple Users quotas to other user accounts. Multiple Users” on page 401

398 System Administration Guide, Volume II ♦ October 1998

TABLE 20–2 Setting Up Quotas Task Map (continued)

Task Description For Instructions, Go To

4. Check for Consistency Use the quotacheck command to compare

“How to Check Quota
quotas to current disk usage for consistency
Consistency” on page 402
on one or more file systems.

5. Turn Quotas On Use the quotaon command to initate quotas

“How to Turn Quotas On” on
on one or more file systems.
page 402

How to Configure File Systems for Quotas

1. Become superuser.

2. Edit the /etc/vfstab file by using the editor of your choice. Add rq to the
mount options field for each UFS file system that will have quotas.

3. Exit the file, saving the changes.

4. Change directory to the top of the file system that will have quotas.

5. Create a file named quotas.

# touch quotas

6. Change permissions to read/write for root only.

# chmod 600 quotas

Examples—Configuring File Systems for Quotas

The following example from /etc/vfstab shows that the /export/home directory
from the system pluto is mounted as an NFS file system on the local system with
quotas enabled.

#device device mount FS fsck mount mount

#to mount to fsck point type pass at boot options
#

(continued)

Managing Quotas (Tasks) 399

 (Continuation)

pluto:/export/home - /export/home nfs - yes rq

The following example line from /etc/vfstab shows that the local (UFS)/work
directory is mounted with quotas enabled.

#device device mount FS fsck mount mount

#to mount to fsck point type pass at boot options
#

/dev/dsk/c0t4d0s0 /dev/rdsk/c0t4d0s0 /work ufs 3 yes rq

How to Set Up Quotas for a User

1. Become superuser.

2. Use the quota editor to create a temporary file containing one line of quota
information for each mounted UFS file system that has a quotas file in its
top-level directory.

# edquota username

username User for whom you want to set up quotas.

3. Change the number of 1-Kbyte disk blocks, both soft and hard, and the
number of inodes, both soft and hard, from 0 (the default) to the quotas you
specify for each file system.

4. Exit the editor, saving your changes.

5. Verify the user’s quota by using the quota command.

# quota -v username

400 System Administration Guide, Volume II ♦ October 1998

 Display’s user’s quota information on all mounted file
−v
systems where quotas exist.

username Specifies user name to view quota limits.

Examples—Setting Up Quotas for a User

The following example shows the contents of the temporary file opened by edquota
on a system where /files is the only mounted file system containing a quotas file
in its top-level directory.

fs /files blocks (soft = 0, hard = 0) inodes (soft = 0, hard = 0)

The following example shows the same line in the temporary file after quotas have
been set up.

fs /files blocks (soft = 50, hard = 60) inodes (soft = 90, hard = 100)

How to Set Up Quotas for Multiple Users

1. Become superuser.

2. Use the quota editor to apply the quotas you already established for a
prototype user to the additional users you specify.

# edquota -p prototype-user username ...

prototype-user User name of the account for which you have set
up quotas.

username ... Specifies one or more user names of additional

accounts.

Example—Setting Up Prototype Quotas for Multiple Users

The following example applies the quotas established for user bob to users mary
and john.

Managing Quotas (Tasks) 401

 # edquota -p bob mary john

How to Check Quota Consistency

Note - To ensure accurate disk data, the file systems being checked should be
quiescent when you run the quotacheck command manually. The quotacheck
command is run automatically when a system is rebooted.

1. Become superuser.

2. Run a consistency check on UFS file systems. See the quotacheck.

# quotacheck [ -v ] -a | filesystem

(Optional) Identifies the disk quotas for each user on a

−v
particular file system.

Checks all file systems with an rq entry in the /etc/

−a
vfstab file.

filesystem Specifies a file system to check.

Example—Checking Quota Consistency

The following example checks quotas for the /export/home file system on the
/dev/rdsk/c0t0d0s7 slice. The /export/home file system is the only file system
with an rq entry in the /etc/vfstab file.

# quotacheck -va
*** Checking quotas for /dev/rdsk/c0t0d0s7 (/export/home)

How to Turn Quotas On

1. Become superuser.

2. Turn file system quotas on by using the quotaon command.

# quotaon [-v] -a | filesystem ...]

402 System Administration Guide, Volume II ♦ October 1998

 (Optional) Verbose option.
−v

Turns quotas on for all file systems with an rq entry

−a
in the /etc/vfstab file.

filesystem ... Turns quotas on for one or more file systems that
you specify.

Example—Turning Quotas On
The following example turns quotas on for the file systems on the
/dev/dsk/c0t4d0s2 and /dev/dsk/c0t3d0s2 slices.

# quotaon -v /dev/dsk/c0t4d0s2 /dev/dsk/c0t3d0s2

/dev/dsk/c0t4d0s2: quotas turned on
/dev/dsk/c0t3d0s2: quotas turned on

Checking Quotas
After you have set up and turned on disk and inode quotas, you can check for users
who exceed their quotas. In addition, you can check quota information for entire file
systems.
Table 20–3 describes the commands you use to check quotas.

TABLE 20–3 Commands for Checking Quotas

Command Task

Display user quotas and current disk use, and

quota(1M) information about users who are exceeding their quotas.

Display quotas, files, and amount of space owned for

repquota(1M) specified file systems.

Managing Quotas (Tasks) 403

 How to Check for Exceeded Quotas
You can display the quotas and disk use for individual users on file systems on
which quotas have been activated by using the quota command.

1. Become superuser.

2. Display user quotas for mounted file systems where quotas are enabled.

# quota [-v] username

(Optional) Displays users’ quotas on all mounted file

−v
systems that have quotas.

username Is the login name or UID of a user’s account.

Example—Checking for Exceeded Quotas

The following example shows that the user account identified by UID 301 has a
quota of one Kbyte but has not used any disk space.

# quota -v 301
Disk quotas for bob (uid 301):
Filesystem usage quota limit timeleft files quota limit timeleft
/export/home 0 1 2 0 2 3

Filesystem Is the mount point for the file system

usage Is the current block usage

quota Is the soft block limit

limit Is the hard block limit

timeleft Is the amount of time (in days) left on the quota timer

files Is the current inode usage

quota Is the soft inode limit

404 System Administration Guide, Volume II ♦ October 1998

 limit Is the hard inode limit

timeleft Is the amount time (in days) left on the quota timer.

How to Check Quotas on a File System

Display the quotas and disk use for all users on one or more file systems by using
the repquota command.
1. Become superuser.

2. Display all quotas for one or all file systems, even if there is no usage.

# repquota [-v] -a | filesystem

(Optional) Reports on quotas for all users-even

−v
those who do not consume resources. (Verbose
mode).

Reports on all file systems.

−a

filesystem (Reports on the specified file system.

Example—Checking Quotas on a File System

The following example shows output from the repquota command on a system
that has quotas enabled on only one file system (/export/home).

# repquota -va
/dev/dsk/c0t3d0s7 (/export/home):
Block limits File limits
User used soft hard timeleft used soft hard timeleft
#301 -- 0 1 2.0 days 0 2 3
#341 -- 57 50 60 7.0 days 2 90 100

Managing Quotas (Tasks) 405

 Block Limits

used Is the current block usage

soft Is the soft block limit

hard Is the hard block limit

timeleft Is the amount of time (in days) left on the

quota timer

File Limits

used Is the current inode usage

soft Is the soft inode limit

hard Is the hard inode limit

timeleft Is the amount of time (in days) left on the

quota timer

Changing and Removing Quotas

You can change quotas to adjust the amount of disk space or number of inodes users
can consume. You can also remove quotas for individual users or from entire file
systems as needed.
Table 20–4 describes the commands you use to change or remove quotas.

406 System Administration Guide, Volume II ♦ October 1998

 TABLE 20–4 Commands for Changing and Removing Quotas

Command Task

Change the hard and soft limits on the number of inodes or

edquota(1M) disk space for each user. Also, change the soft quota time
limit for each file system with a quota.

Turn off quotas for specified file systems.

quotaoff(1M)

How to Change the Soft Time Limit Default

Users can exceed the soft time limits for their quotas for one week, by default. This
means that after a week of repeated violations of the soft time limits of either disk
space or inode quotas, the system prevents users from using any more inodes or disk
blocks.

You can change the length of time that users may exceed their disk space or inode
quotas by using the edquota command.

1. Become superuser.

2. Use the quota editor to create a temporary file containing soft time limits.

# edquota -t

3. Change the time limits from 0 (the default) to the time limits you specify by
numbers and the keywords month, week, day, hour, min, or sec.

4. Exit the editor, saving your changes.

Note - This procedure doesn’t affect current quota violators.

Examples—Changing the Soft Time Limit Default

The following example shows the contents of the temporary file opened by edquota
on a system where /export/home is the only mounted file system with quotas. The
0 (default) value means that the default time limit of one week is used.

fs /export/home blocks time limit = 0 (default), files time limit = 0 (default)

Managing Quotas (Tasks) 407

 The following example shows the same temporary file after the time limit for
exceeding the blocks quota has been changed to one week, and the time limit for
exceeding the number of files has been changed to ten days.

fs /export/home blocks time limit = 2 weeks, files time limit = 16 days

How to Change Quotas for a User

1. Become superuser.

2. Use the quota editor to open a temporary file containing one line for each
mounted file system that has a quotas file in its top-level directory.

# edquota username

username User name whose quota will be modified.

Caution - Although you can specify multiple users as arguments to the edquota
command, the information displayed does not show which user it belongs to, which
could create some confusion.

3. Enter the number of 1-Kbyte disk blocks, both soft and hard, and the number
of inodes, both soft and hard.

4. Exit the editor, saving your changes.

5. Verify that a user’s quota has been correctly changed by using the quota
command.

# quota -v username

Displays user quota information on all mounted file

−v
systems with quotas enabled.

username User name whose quota you want to check.

408 System Administration Guide, Volume II ♦ October 1998

 Examples—Changing Quotas for a User
The following example shows the contents of the temporary file opened by edquota
on a system where /files is the only mounted file system containing a quotas file
in its top-level directory.

fs /files blocks (soft = 0, hard = 0) inodes (soft = 0, hard = 0)

The following example shows the same temporary file after quotas have been
changed.

fs /files blocks (soft = 0, hard = 500) inodes (soft = 0, hard = 100)

The following example shows how to verify that the hard quotas for user smith
have been changed to 500 1-Kbyte blocks, and 100 inodes.

# quota -v smith
Disk quotas for smith (uid 12):
Filesystem usage quota limit timeleft files quota limit timeleft

/files 1 0 500 1 0 100

How to Disable Quotas for a User

1. Become superuser.

2. Use the quota editor to create a temporary file containing one line for each
mounted file system that has a quotas file in its top-level directory.

# edquota username

username User name whose quota will be disabled.

Caution - Although you can specify multiple users as arguments to the edquota
command, the information displayed does not show which user it belongs with,
which could create some confusion.

3. Change the number of 1-Kbyte disk blocks, both soft and hard, and the
number of inodes, both soft and hard, to 0 (zero).

Managing Quotas (Tasks) 409

 Note - Be sure you change the values to zero. Do not delete the line from the text
file.

4. Exit the editor, saving your changes.

5. Verify that you have disabled a user’s quota by using the quota command.

# quota -v username

Displays user quota information on all mounted file

−v
systems with quotas enabled.

username User name (UID) whose quota you want to check.

Examples—Disabling Quotas for a User

The following example shows the contents of the temporary file opened by edquota
on a system where /files is the only mounted file system containing a quotas file
in its top-level directory.

fs /files blocks (soft = 50, hard = 60) inodes (soft = 90, hard = 100)

The following example shows the same temporary file after quotas have been
disabled.

fs /files blocks (soft = 0, hard = 0) inodes (soft = 0, hard = 10)

How to Turn Quotas Off

1. Become superuser.

2. Turn file system quotas off.

# quotaoff [ -v ] -a | filesystem ...

410 System Administration Guide, Volume II ♦ October 1998

 (Optional) Verbose option.
−v

Turns quotas off for all file systems.

−a

filesystem1, 2, 3 ... Turns quotas off for one or more file systems you
specify.

Example—Turning Quotas Off

The following example turns the quotas off for the /export/home file system.

# quotaoff -v /export/home
/export/home: quotas turned off

Managing Quotas (Tasks) 411

412 System Administration Guide, Volume II ♦ October 1998
CHAPTER 21

Scheduling System Events (Tasks)

This chapter describes how to schedule routine or one-time system events by using
the crontab and at commands. It also explains how to control access to these
commands by using [Link], [Link], and [Link] files.
This is a list of the step-by-step instructions in this chapter.
4 “How to Create or Edit a crontab File” on page 417
4 “How to Display a crontab File” on page 419
4 “How to Remove a crontab File” on page 420
4 “How to Deny crontab Access” on page 422
4 “How to Limit crontab Access to Specified Users” on page 423
4 “How to Create an at Job” on page 426
4 “How to Display the at Queue” on page 427
4 “How to Display at Jobs” on page 427
4 “How to Remove at Jobs” on page 428
4 “How to Deny at Access” on page 429

Commands for Scheduling System

Events
You can schedule system events to execute repetitively, at regular intervals, by using
the crontab [Link] can schedule a single system event for execution at a
specified time by using the at command. Table 21–1 summarizes crontab and at,
as well as the files that enable you to control access to these commands.

413
 TABLE 21–1 Command Summary: Scheduling System Events

What It
Command Schedules Location of Files Files That Control Access

crontab Multiple system /var/spool/cron/ /etc/cron.d/

events at crontabs [Link] and /etc/
regular intervals cron.d/[Link]

at A single system /var/spool/cron/ /etc/cron.d/[Link]

event atjobs

Scheduling a Repetitive System Event

(cron)
The following sections describe how to create, edit, display, and remove crontab
files, as well as how to control access to them.

Inside a crontab File

The cron daemon schedules system events according to commands found within
each crontab file. A crontab file consists of commands, one per line, that will be
executed at regular intervals. The beginning of each line contains date and time
information that tells the cron daemon when to execute the command.
For example, a crontab file named root is supplied during SunOS software
installation. Its contents include these command lines:

10 3 * * 0,4 /etc/cron.d/logchecker
10 3 * * 0 /usr/lib/newsyslog
15 3 * * 0 /usr/lib/fs/nfs/nfsfind
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1

The first command line instructs the system to run logchecker at 3:10 on Sundays
and Thursdays nights. The second command line schedules the system to run
newsyslog at 3:10 every Sunday morning. The third command line orders the
system to execute nfsfind daily at 3:15 in the morning The fourth command line

414 System Administration Guide, Volume II ♦ October 1998

instructs the system to check for daylight savings time and makes corrections if
necessary. If there is no RTC time zone nor an /etc/rtc_config file, this entry
will do nothing.
For more information about the syntax of lines within a crontab file, see “Syntax of
crontab File Entries” on page 416.
The crontab files are stored in /var/spool/cron/crontabs. Several crontab
files besides root are provided during SunOS software installation (see Table 21–2).

TABLE 21–2 Default crontab Files

crontab File Function

adm Accounting

lp Printing

root General system functions and

file system cleanup

sys Performance collection

uucp General uucp cleanup

Other crontab files are named after the user accounts in which they are created,
such as bob, mary, smith, or jones.
Besides the default crontab file, users can create crontab files to schedule their
own system events. To access crontab files belonging to root or other users,
superuser privileges are required.
Procedures explaining how to create, edit, display, and remove crontab files are
described in “Commands for Scheduling System Events” on page 413.

How the cron Daemon Handles Scheduling

The cron daemon handles the automatic scheduling of crontab commands. Its
function is to check the /var/spool/cron/crontab directory for the presence of
crontab files, normally every 15 minutes. It checks for new crontab files or
changes to existing ones, reads the execution times listed within the files, and
submits the commands for execution at the proper times.
In much the same way, the cron daemon controls the scheduling of at files, which
are stored in the /var/spool/cron/atjobs directory.

Scheduling System Events (Tasks) 415

 Syntax of crontab File Entries
A crontab file consists of commands, one per line, that execute automatically at the
time specified by the first five fields at the beginning of each command line. These
first five fields, described in Table 21–3, are separated by spaces. They indicate when
the command will be executed.

TABLE 21–3 Values for crontab Time Fields

Time Field Values

Minute 0-59

Hour 0-23

Day of month 1-31

Month 1-12

Day of week 0-6 (0=Sunday)

Follow these guidelines to use special characters in crontab time fields:

4 Use a space to separate each field.
4 Use a comma to separate multiple values.
4 Use a hyphen to designate a range of values.
4 Use an asterisk as a wildcard to include all possible values.
4 Use a comment mark (#) at the beginning of a line to indicate a comment or a
blank line.
For example, the following sample crontab command entry displays a reminder in
the user’s console window at 4 p.m. on the first and fifteenth of every month.

0 16 1,15 * * echo Timesheets Due > /dev/console

Each command within a crontab file must consist of one line, even if it is very
long, because crontab does not recognize extra carriage returns. For more detailed
information about crontab entries and command options, refer to crontab(1).

416 System Administration Guide, Volume II ♦ October 1998

Creating and Editing crontab Files
The simplest way to create a crontab file is to use the crontab -e command to
invoke the text editor set up for your system environment, defined by the EDITOR
environment variable. If this variable has not been set, crontab uses the default
editor ed. Define your EDITOR environment to be an editor you are familiar with.
The following example shows how to check to see whether an editor has been
defined, and how to set up vi as the default.

$ which $EDITOR
$
$ EDITOR=vi
$ export EDITOR

When you create a crontab file, it is automatically placed in the

/var/spool/cron/crontabs directory and is given your user name. You can
create or edit a crontab file for another user, or root, if you have superuser
privileges.
Enter crontab command entries as described in “Syntax of crontab File Entries”
on page 416.

How to Create or Edit a crontab File

1. Be sure that you have access to the editor of your choice.

2. (Optional) To create or edit a crontab file belonging to root or another user,

become superuser.

3. Create a new crontab file, or edit an existing one.

$ crontab -e [username]

username Name of another user’s account, and requires root

privileges to create or edit.

Scheduling System Events (Tasks) 417

 Caution - If you accidentally enter the crontab command with no option, press the
interrupt character for your editor. This allows you to quit without saving changes.
Exiting the file and saving changes at this point would overwrite an existing
crontab file with an empty file.

4. Add command lines to the file, following the syntax described in “Syntax of
crontab File Entries” on page 416.

5. Exit the file, saving the changes.

The crontab file will be placed in /var/spool/cron/crontabs.

6. Verify the crontab file by using the crontab -l command.

# crontab -l [username]

Example—Creating or Editing a crontab File

The following example shows how to create a crontab file for another user.

# crontab -e jones

The following command entry added to a new crontab file will automatically
remove any log files from the user’s home directory at 1 every Sunday morning.
Because the command entry does not redirect output, redirect characters are added
to the command line after *.log to make sure that the command executes properly.

# This command helps clean up user accounts.

1 0 * * 0 rm /home/jones/*.log > /dev/null 2>&1

How to Verify a crontab File

To verify that a crontab file exists for a user, use the ls -l command in the
/var/spool/cron/crontabs directory. For example, the following display shows
that crontab files exist for users smith and jones.

418 System Administration Guide, Volume II ♦ October 1998

 $ ls -l /var/spool/cron/crontabs
-rw-r--r-- 1 root sys 190 Feb 26 16:23 adm
-rw------- 1 root staff 225 Mar 1 9:19 jones
-rw-r--r-- 1 root root 1063 Feb 26 16:23 lp
-rw-r--r-- 1 root sys 441 Feb 26 16:25 root
-rw------- 1 root staff 60 Mar 1 9:15 smith
-rw-r--r-- 1 root sys 308 Feb 26 16:23 sys

Verify the contents of user’s crontab file by using crontab -l as described in

“How to Display a crontab File” on page 419.

Displaying crontab Files

The crontab -l command displays the contents of your crontab file much the
way the cat command displays the contents of other types of files. You do not have
to change directories to /var/spool/cron/crontabs (where crontab files are
located) to use this command.
By default, the crontab -l command displays your own crontab file. To display
crontab files belonging to other users, you must be superuser.

How to Display a crontab File

1. (Optional) To display a crontab file belonging to root or another user, become
superuser.

2. Display the crontab file.

$ crontab -l [username]

username Name of another user’s account, and requires

superuser privileges to create or edit.

Caution - If you accidentally enter the crontab command with no option, press the
interrupt character for your editor. This allows you to quit without saving changes.
Exiting the file and saving changes at this point would overwrite an existing
crontab file with an empty file.

Scheduling System Events (Tasks) 419

 Example—Displaying a crontab File
The following example shows how to use crontab -l to display the contents of the
default user’s crontab file, the default root crontab file, and the crontab file
belonging to another user.

$ crontab -l
13 13 * * * chmod g+w /usr/documents/*.book > /dev/null 2>&1
$ su
Password:
# crontab -l
#ident "@(#)root 1.16 98/04/28 SMI" /* SVr4.0 [Link] */
#
# The root crontab should be used to perform accounting data collection.
#
# The rtc command is run to adjust the real time clock if and when
# daylight savings time changes.
#
10 3 * * 0,4 /etc/cron.d/logchecker
10 3 * * 0 /usr/lib/newsyslog
15 3 * * 0 /usr/lib/fs/nfs/nfsfind
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
# crontab -l jones
13 13 * * * cp /home/jones/work_files /usr/backup/. > /dev/null
2>&1

Removing crontab Files

By default, crontab file protections are set up so that you cannot inadvertently
delete a crontab file by using the rm command. Instead, use the crontab -r
command to remove crontab files.

By default, crontab -r removes your own crontab file. You must be superuser to
remove crontab files belonging to superuser or other users.

You do not have to change directories to /var/spool/cron/crontabs (where

crontab files are located) to use this command.

How to Remove a crontab File

1. (Optional) To remove a crontab file belonging to root or another user, become
superuser.

2. Remove the crontab file.

$ crontab -r [username]

420 System Administration Guide, Volume II ♦ October 1998

 username Name of another user’s account, and requires
superuser privilegs to create or edit.

Caution - If you accidentally enter the crontab command with no option, press the
interrupt character for your editor. This allows you to quit without saving changes.
Exiting the file and saving changes at this point would overwrite an existing
crontab file with an empty file.

3. Verify the crontab file is removed.

# ls /var/spool/cron/crontabs

Example—Removing a crontab File

The following example shows how user smith uses the crontab -r command to
remove his crontab file.

$ ls /var/spool/cron/crontabs
adm jones lp root smith sys uucp
$ crontab -r
$ ls /var/spool/cron/crontabs
adm jones lp root sys uucp

Controlling Access to crontab

You can control access to crontab by using two files in the /etc/cron.d directory:
[Link] and [Link]. These files permit only specified users to perform
crontab tasks such as creating, editing, displaying, or removing their own crontab
files.

The [Link] and [Link] files consist of a list of user names, one per line.
These access control files work together like this:

4 If [Link] exists, only the users listed in this file can create, edit, display, or
remove crontab files.

Scheduling System Events (Tasks) 421

 4 If [Link] doesn’t exist, all users may submit crontab files, except for users
listed in [Link].
4 If neither [Link] nor [Link] exists, superuser privileges are required
to run crontab.
Superuser privileges are required to edit or create [Link] and [Link].
During Solaris software installation, a default [Link] file is provided:

$ cat /etc/cron.d/[Link]
daemon
bin
smtp
nuucp
listen
nobody
noaccess

None of these user names can access crontab commands. You can edit this file to
add other user names who will be denied access to the crontab command.
No default [Link] file is supplied. This means that, after Solaris software
installation, all users (except the ones listed in the default [Link] file) can access
crontab. If you create a [Link] file, only these users can access crontab
commands.

How to Deny crontab Access

1. Become superuser.

2. Using the editor of your choice, edit the /etc/cron.d/[Link] file to add
user names, one per line, who will be prevented from using crontab
commands.

daemon
bin
smtp
nuucp
listen
nobody
noaccess
username1
username2
username3
.
.

(continued)

422 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

3. Exit the file, saving the changes.

4. Verify the /etc/cron.d/[Link] file.

# cat /etc/cron.d/[Link]

How to Limit crontab Access to Specified Users

1. Become superuser.

2. Use the editor of your choice to create a file named

/etc/cron.d/[Link].

3. Enter the user names, one per line, who will be allowed to use crontab
commands.

root
username1
username2
username3
.
.
.

Be sure to add root to this list. If you do not, superuser access to crontab
commands will be denied.

4. Exit the file, saving the changes.

Scheduling System Events (Tasks) 423

 Examples—Limiting crontab Access to Specified Users
The following example shows a [Link] file that prevents user names visitor,
jones, and temp from accessing crontab.

$ cat /etc/cron.d/[Link]
daemon
bin
smtp
nuucp
listen
nobody
noaccess
jones
temp
visitor

The following example shows a [Link] file. The users smith, jones, lp, and
root are the only ones who may access crontab.

$ cat /etc/cron.d/[Link]
root
jones
lp
smith

How to Verify Limited crontab Accesss

To verify whether or not a specific user can access crontab, use the crontab -l
command while logged into the user account.

$ crontab -l

If the user can access crontab, and already has created a crontab file, it will be
displayed. Otherwise, if the user can access crontab but no crontab file exists, a
message like the following will be displayed:

crontab: can’t open your crontab file

This user either is listed in [Link] (if it exists), or is not listed in [Link].
If the user cannot access crontab, the following message is displayed whether or
not a previous crontab file exists:

crontab: you are not authorized to use cron. Sorry.

This means either that the user is not listed in [Link] (if it exists), or the user
is listed in [Link].

424 System Administration Guide, Volume II ♦ October 1998

Scheduling a Single System Event (at)
The following sections describe how to use at(1) to schedule jobs (commands and
scripts) for execution at a later time, how to display and remove these jobs, and how
to control access to the at command.
By default, users can create, display, and remove their own at job files. To access at
files belonging to root or other users, you must have superuser privileges.
When you submit an at job, it is assigned a job identification number along with the
.a extension that becomes its file name.

at Command Description
Submitting an at job file includes:
1. Invoking the at utility, specifying a command execution time.
2. Entering a command or script to execute later.

Note - If output from this command or script is important, be sure to direct it to a

file for later examination.

For example, the following at job removes core files from the user account
belonging to Smith near midnight on the last day of January.

$ at 11:45pm June 11
at> rm /home/smith/*core*
at> Press Control-d
job 897543900.a at Wed Jun 10 [Link] 1998

at Command Security
You can set up a file to control access to the at command, permitting only specified
users to create, remove, or display queue information about their at jobs. The file
that controls access to at, /etc/cron.d/[Link], consists of a list of user names,
one per line. The users listed in this file cannot access at commands.
The [Link] file, created during SunOS software installation, contains the following
user names:

Scheduling System Events (Tasks) 425

 daemon
bin
smtp
nuucp
listen
nobody
noaccess

With superuser privileges, you can edit this file to add other user names whose at
access you want to restrict.

How to Create an at Job

1. Enter the at facility, specifying the time you want your job executed, and press
Return.

$ at [-m] time [date]

-m Sends you mail after the job is completed.

time Hour that you want to schedule the job. Add am or pm if

you do not specify the hours according to a 24-hour clock.
midnight, noon, and now are acceptable keywords.
Minutes are optional.

date First three or more letters of a month, a day of the week,

or the keywords today or tomorrow.

2. At the at prompt, enter the commands or scripts you want to execute, one per
line. You may enter more than one command by pressing Return at the end of
each line.

3. Exit the at utility and save the at job by pressing Control-d.

Your at job is assigned a queue number, which is also its file name. This number
is displayed when you exit the at utility.

Examples—Creating an at Job
The following example shows the at job that user jones created to remove her
backup files at 7:30 at night. She used the -m option so that she would receive a mail
message after her job completed.

426 System Administration Guide, Volume II ♦ October 1998

 $ at -m 1930
at> rm /home/jones/*.backup
at> Press Control-d
job 897355800.a at Mon Jun 8 [Link] 1998

She received a mail message which confirmed the execution of her at job.

Your ‘‘at’’ job ‘‘rm /home/jones/*.backup’’

completed.

The following example shows how Jones scheduled a large at job for 4:00 Saturday
morning. The output of which was directed to [Link].

$ at 4 am Saturday
at> sort -r /usr/dict/words > /export/home/jones/[Link]

How to Display the at Queue

To check your jobs that are waiting in the at queue, use the atq command. This
command displays status information about the at jobs that you created.

$ atq

How to Verify an at Job

To verify that you have created an at job, use the atq command. The atq command
confirms that at jobs belonging to jones have been submitted to the queue.

$ atq
Rank Execution Date Owner Job Queue Job Name
1st Jun 8, 1998 19:30 jones 897355800.a a stdin
2nd Jun 10, 1998 23:45 jones 897543900.a a stdin
3rd Jun 13, 1998 04:00 jones 897732000.a a stdin

How to Display at Jobs

To display information about the execution times of your at jobs, use the at -l
command.

$ at -l [job-id]

Scheduling System Events (Tasks) 427

 -l job-id Identification number of the job whose status you want to
examine.

Example—Displaying at Jobs
The following example shows output from the at -l command, used to get status
information on all jobs submitted by a user.

$ at -l
897543900.a Wed Jun 10 [Link] 1998
897355800.a Mon Jun 8 [Link] 1998
897732000.a Sat Jun 13 [Link] 1998

The following example shows output displayed when a single job is specified with
the at -l command.

$ at -l 897732000.a

How to Remove at Jobs

1. (Optional) To remove an at job belonging to root or another user, become
superuser.

2. Remove the at job from the queue before it is executed.

$ at -r [job-id]

-r job-id Identification number of the job you want to remove.

3. Verify the at job is removed by using the at -l (or the atq) command to
display the jobs remaining in the at queue. The job whose identification
number you specified should not appear.

$ at -l [job-id]

Example—Removing at Jobs
In the following example, a user wants to remove an at job that was scheduled to
execute at noon on March 1. First, the user displays the at queue to locate the job

428 System Administration Guide, Volume II ♦ October 1998

identification number. Next, the user removes this job from the at queue. Finally, the
user verifies that this job has been removed from the queue.

$ at -l
897543900.a Wed Jun 10 [Link] 1998
897355800.a Mon Jun 8 [Link] 1998
897732000.a Sat Jun 13 [Link] 1998
$ at -r 897732000.a
$ at -l 897732000.a
at: 858142000.a: No such file or directory

Controlling Access to at
Users listed in the [Link] file cannot use at to schedule jobs or to check the at
queue status.
The [Link] file is placed in the /etc/cron.d directory during Solaris software
installation. At that time, the same users are listed in both this file and the default
[Link] file.

daemon
bin
smtp
nuucp
listen
nobody
noaccess

Root permissions are required to edit this file.

How to Deny at Access

1. Become superuser.

2. Using the editor of your choice, open the /etc/cron.d/[Link] file.

3. Add the names of users, one per line, who will be prevented from using at
commands.

Scheduling System Events (Tasks) 429

 daemon
bin
smtp
nuucp
listen
nobody
noaccess
username1
username2
username3
.
.
.

4. Exit the file, saving your changes.

Example—Denying at Access
The following example shows an [Link] file that has been edited so that the users
Smith and Jones may not access at.

$ cat [Link]
daemon
bin
smtp
nuucp
listen
nobody
noaccess
jones
smith

How to Verify at Access Is Denied

To verify whether or not a user’s name was added correctly to
/etc/cron.d/[Link], use the at -l command while logged in as the user. If
the user cannot access at commands, the following message is displayed.

# su smith
Password:
$ at -l
at: you are not authorized to use at. Sorry.

430 System Administration Guide, Volume II ♦ October 1998

Likewise, if the user tries to submit an at job, the following message is displayed:
$ at 2:30pm
at: you are not authorized to use at. Sorry.

This confirms that the user is listed in the [Link] file.

Scheduling System Events (Tasks) 431

432 System Administration Guide, Volume II ♦ October 1998
CHAPTER 22

Managing System Accounting (Tasks)

This section contains some simple procedures for setting up and maintaining system
accounting.
This is a list of the step-by-step instructions in this chapter.
4 “How to Set Up System Accounting” on page 434
4 “How to Bill Users” on page 437
4 “How to Fix a wtmp File” on page 438
4 “How to Fix tacct Errors” on page 439
4 “How to Restart runacct” on page 440
4 “How to Set Up System Accounting” on page 434
4 “How to Permanently Disable System Accounting” on page 441

Setting Up System Accounting

You can set up system accounting to run while the system is in multiuser mode
(system state 2). Generally, this involves:
1. Creating /etc/rc0.d/K22acct and /etc/rc2.d/S22acct.
2. Modifying /var/spool/cron/crontabs/adm
and /var/spool/cron/crontabs/root.
Most of the accounting scripts are added to the /var/spool/cron/crontabs/adm
database file. Table 22–1 describes the default accounting scripts.

433
 TABLE 22–1 Default Accounting Scripts

Accounting Script ... Is Used To ... And Runs ...

Check the size of the /usr/adm/ Periodically

ckpacct(1M) pacct log file

Process connect, process, disk, and fee Daily

runacct(1M) accounting information

Generate fiscal reports and is run once On a fiscal basis

monacct(1M) per period

You can change these defaults. After these entries have been added to the database
and the accounting programs have been installed, accounting should run
automatically.

How to Set Up System Accounting

1. Become superuser.

2. If necessary, install the SUNWaccr and SUNWaccu packages on your system by

using the pkgadd or admintool command.

3. Install /etc/init.d/acct as the startup script for Run Level 2.

# ln /etc/init.d/acct /etc/rc2.d/S22acct

4. Install /etc/init.d/acct as the stop script for Run Level 0.

# ln /etc/init.d/acct /etc/rc0.d/K22acct

5. Modify the admcrontab file to start the ckpacct, runacct, and monacct
programs automatically.

# EDITOR=vi; export EDITOR

# crontab -e adm
0 * * * * /usr/lib/acct/ckpacct
30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log

(continued)

434 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

30 7 1 * * /usr/lib/acct/monacct

6. Modify the root crontab file to start the dodisk program automatically.

# crontab -e
30 22 * * 4 /usr/lib/acct/dodisk

7. Edit /etc/acct/holidays to include national and local holidays, by using

the editor of your choice.

8. Reboot the system, or type

# /etc/init.d/acct start

Examples—Setting Up Accounting
The following example shows how the crontab entries that run
/usr/lib/acct/ckpacct, /usr/lib/acct/runacct, and
/usr/lib/acct/monacct have been added to
/var/spool/cron/crontabs/adm.

#ident "@(#)adm 1.5 92/07/14 SMI" /* SVr4.0 1.2 */

#
# The adm crontab file should contain startup of performance
# collection if the profiling and performance feature has been
# installed.
0 * * * * /usr/lib/acct/ckpacct
30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
30 7 1 * * /usr/lib/acct/monacct

The following example shows how the crontab entry that runs
/usr/lib/acct/dodisk has been added to
/var/spool/cron/crontabs/root.

Managing System Accounting (Tasks) 435

 #ident "@(#)root 1.16 98/04/28 SMI" /* SVr4.0 [Link] */
#
# The root crontab should be used to perform accounting data collection.
#
# The rtc command is run to adjust the real time clock if and when
# daylight savings time changes.
#
10 3 * * 0,4 /etc/cron.d/logchecker
10 3 * * 0 /usr/lib/newsyslog
15 3 * * 0 /usr/lib/fs/nfs/nfsfind
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
30 22 * * 4 /usr/lib/acct/dodisk

The following example shows a sample /etc/acct/holidays file.

* @(#)holidays January 1, 1998

*
* Prime/Nonprime Table for UNIX Accounting System
*
* Curr Prime Non-Prime
* Year Start Start
*
1997 0800 1800
*
* only the first column (month/day) is significiant.
*
* month/day Company
* Holiday
*
1/1 New Years Day
1/20 Martin Luther King’s Day
2/17 President’s Day
5/26 Memorial Day
7/3 Day before Indep. Day
7/4 Indep. Day
9/1 Labor Day
11/27 Thanksgiving
11/28 Day after Thanksgiving
12/25 Christmas
12/26 Winter Break
12/29 Winter Break
12/30 Winter Break
12/31 Winter Break

436 System Administration Guide, Volume II ♦ October 1998

Billing Users
If you provide special user services on a request basis, such as restoring files or
remote printing, you may want to bill users by running a utility called
chargefee(1M). chargefee records charges in the file /var/adm/fee and each
time the runacct utility is executed, new entries are merged into the total
accounting records.

How to Bill Users

1. Become superuser.

2. Charge a user for special services.

# chargefee username amount

username User account you want to bill.

amount Number of units to bill the user.

Example—Billing Users
The following example charges the user print_customer 10 units.

# chargefee print_customer 10

Maintaining Accounting Information

This section describes how to maintain accounting information.

Managing System Accounting (Tasks) 437

 Fixing Corrupted Files and wtmp Errors
Unfortunately, the UNIX accounting system is not foolproof. Occasionally, a file will
become corrupted or lost. Some of the files can simply be ignored or restored from
backup. However, certain files must be fixed to maintain the integrity of the
accounting system.

The wtmp(4) files seem to cause the most problems in the day-to-day operation of
the accounting system. When the date is changed and the system is in multiuser
mode, a set of date change records is written into /var/adm/wtmp. The
wtmpfix(1M)wtmpfix utility is designed to adjust the time stamps in the wtmp
records when a date change is encountered. However, some combinations of date
changes and reboots will slip through wtmpfix and cause acctcon to fail. For
instructions on correcting wtmp problems, see “How to Fix a wtmp File” on page 438.

How to Fix a wtmp File

1. Become superuser.

2. Change to the /var/adm/acct/nite directory.

3. Convert the binary file [Link] into the ASCII file xwtmp.

# fwtmp [Link] xwtmp

MMDD Pair of two-digit numbers representing the month and

day.

4. Edit xwtmp. Delete the corrupted files, or delete all records from the beginning
up to the date change.

5. Convert the ASCII file xwtmp to a binary file, overwriting the corrupted file.

# fwtmp -ic xwtmp [Link]

Fixing tacct Errors

The integrity of /var/adm/acct/sum/tacct is important if you are charging users
for system resources. Occasionally, mysterious tacct records appear with negative
numbers, duplicate user IDs, or a user ID of 65535. First, check
/var/adm/acct/sum/tacctprev, using prtacct to print it. If the contents look
all right, patch the latest /var/adm/acct/sum/[Link] file, then recreate

438 System Administration Guide, Volume II ♦ October 1998

the /var/adm/acct/sum/tacct file. The following steps outline a simple patch
procedure.

How to Fix tacct Errors

1. Become superuser.

2. Change to the /var/adm/acct/sum directory.

3. Convert the contents of [Link] from binary to ASCII format.

# acctmerg -v [Link] xtacct

MMDD Month and day specified by two-digit numbers.

4. Edit the xtacct file, removing bad records and writing duplicate records to
another file.

5. Convert the xtacct file from ASCII format to binary.

# acctmerg -i xtacct [Link]

MMDD Month and day specified by two-digit numbers.

6. Merge the files [Link] and [Link] into the file tacct.

# acctmerg tacctprv [Link] tacct

Restarting runacct
The runacct program can fail for a variety of reasons, the most common being a
system crash, /var running out of space, or a corrupted wtmp file. If the
activeMMDD file exists, check it first for error messages. If the active and lock
files exist, check fd2log for any mysterious messages.

Called without arguments, runacct assumes that this is the first invocation of the
day. The argument MMDD is necessary if runacct is being restarted and specifies
the month and day for which runacct will rerun the accounting. The entry point

Managing System Accounting (Tasks) 439

 for processing is based on the contents of statefile. To override statefile,
include the desired state on the command line.

Caution - When running the runacct program manually, be sure to run it as user
adm.

How to Restart runacct

1. Remove the lastdate file and any lock* files, if any.

$ cd /var/adm/acct/nite
$ rm lastdate lock*

2. Restart the runacct program.

$ runacct MMDD [state] 2> /var/adm/acct/nite/fd2log &

MMDD Month and day specified by two-digit numbers.

state Specifies a state, or starting point, where runacct

processing should begin.

Stopping and Disabling System

Accounting
You can temporarily stop system accounting or disable it permanently.

How to Temporarily Stop System Accounting

1. Become superuser.

440 System Administration Guide, Volume II ♦ October 1998

2. Modify the adm crontab file to stop the ckpacct, runacct, and monacct
programs from running by commenting out the appropriate lines.

# EDITOR=vi; export EDITOR

# crontab -e adm
#0 * * * * /usr/lib/acct/ckpacct
#30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
#30 7 1 * * /usr/lib/acct/monacct

3. Modify the crontab file for user root in order to stop the dodisk program
from running by commenting out the appropriate line.

# crontab -e
#30 22 * * 4 /usr/lib/acct/dodisk

4. Stop accounting.

# /etc/init.d/acct stop

To re-enable system accounting, remove the newly added comment symbols from the
crontab files and restart accounting.

# /etc/init.d/acct start

How to Permanently Disable System Accounting

1. Become superuser.

2. Modify the adm crontab file and delete the entries for the ckpacct, runacct,
and monacct programs.

Managing System Accounting (Tasks) 441

 # EDITOR=vi; export EDITOR
# crontab -e adm

3. Modify the root crontab file and delete the entries for the dodisk program.

# crontab -e

4. Remove the startup script for Run Level 2.

# unlink /etc/rc2.d/S22acct

5. Remove the stop script for Run Level 0.

# unlink /etc/rc0.d/K22acct

6. Stop accounting.

# /etc/init.d/acct stop

442 System Administration Guide, Volume II ♦ October 1998

CHAPTER 23

System Accounting (Reference)

This is a list of reference information in this chapter.

4 “Daily Accounting” on page 443
4 “Connect Accounting ” on page 443
4 “Process Accounting ” on page 444
4 “Disk Accounting ” on page 444
4 “Calculating User Fees” on page 445
4 “How Daily Accounting Works” on page 445
4 “Daily Accounting Reports ” on page 447
4 “The runacct Program” on page 456
4 “Accounting Reports” on page 447
4 “Accounting Files” on page 458

Daily Accounting
Daily accounting can help you track four types of accounting: connect accounting,
process accounting, disk accounting, and fee calculations.

Connect Accounting
Connect accounting enables you to determine the following:
4 The length of time a user was logged in

443
 4 How the tty lines are being used
4 The number of reboots on your system
4 The frequency with which the accounting software was turned off and on
To provide this information, the system stores records of time adjustments, boot
times, times the accounting software was turned off and on, changes in run levels,
the creation of user processes (login processes and init processes), and the deaths
of processes. These records (produced from the output of system programs such as
date, init, login, ttymon, and acctwtmp) are stored in the /var/adm/wtmp file.
Entries in the wtmp file may contain the following information: a user’s login name,
a device name, a process ID, the type of entry, and a time stamp denoting when the
entry was made.

Process Accounting
Process accounting enables you to keep track of the following data about each
process run on your system:
4 User and group IDs of those using the process
4 Beginning and elapsed times of the process
4 CPU time for the process (user time and system time)
4 Amount of memory used
4 Commands run
4 The tty controlling the process
Every time a process dies, the exit program collects this data and writes it to
/var/adm/pacct.

Disk Accounting
Disk accounting enables you to gather and format the following data about the files
each user has on disks:
4 Name and ID of the user
4 Number of blocks used by the user’s files
This data is collected by the shell script /usr/lib/acct/dodisk at intervals
determined by the entry you add to the /var/spool/cron/crontabs/root file.
In turn, dodisk invokes the commands acctdusg and diskusg, which gather disk
usage by login.
See “How to Set Up System Accounting” on page 434 for more information about
setting up dodisk.

444 System Administration Guide, Volume II ♦ October 1998

The acctdusg(1M) command gathers all the disk accounting information. Each
time it is invoked, this command can process a maximum of 3000 users.

Caution - Information gathered by running dodisk(1M) is stored in the

/var/adm/acct/nite/disktacct file. This information is overwritten the next
time dodisk is run. Therefore, avoid running dodisk twice in the same day.

The diskusg command may overcharge for files that are written in random access
fashion, which may create holes in the files. This is because diskusg does not read
the indirect blocks of a file when determining its size. Rather, diskusg determines
the size of a file by looking at the di_size value of the inode.

Calculating User Fees

The chargefee utility stores charges for special services provided to a user, such as
file restoration, in the file /var/adm/fee. Each entry in the file consists of a user’s
login name, user ID, and the fee. This file is checked by the runacct program every
day and new entries are merged into the total accounting records. For instructions on
running chargefee to bill users, see “How to Bill Users” on page 437.

How Daily Accounting Works

Here is a step-by-step summary of how daily accounting works:
1. When the system is switched into multiuser mode, the
/usr/lib/acct/startup program is executed. The startup program executes
several other programs that invoke accounting.
2. The acctwtmp program adds a “boot” record to /var/adm/wtmp. In this record,
the system name is shown as the login name in the wtmp record. Table 23–1
summarizes how the raw accounting data is gathered and where it is stored.

TABLE 23–1 Raw Accounting Data

File in /var/adm Information Written By Format

wtmp Connect sessions login, init utmp.h

Changes date

Reboots acctwtmp

System Accounting (Reference) 445

 TABLE 23–1 Raw Accounting Data (continued)

File in /var/adm Information Written By Format

Shutdowns shutacct shell

pacctn Processes Kernel (when the acct.h

process ends)

turnacct switch
(creates a new file
when the old one
reaches 500 blocks)

fee Special charges chargefee acct.h

acct/nite/ Disk space used dodisk tacct.h

disktacct

3. The turnacct program, invoked with the −on option, begins process accounting.
Specifically, turnacct executes the accton program with the /var/adm/pacct
argument.
4. The remove shell script “cleans up” the saved pacct and wtmp files left in the
sum directory by runacct.
5. The login and init programs record connect sessions by writing records into
/var/adm/wtmp. Any date changes (using date with an argument) are also
written to /var/adm/wtmp. Reboots and shutdowns using acctwtmp are also
recorded in /var/adm/wtmp.
6. When a process ends, the kernel writes one record per process, using acct.h
format, in the /var/adm/pacct file.
Every hour, cron executes the ckpacct program to check the size of
/var/adm/pacct. If the file grows past 500 blocks (default), the turnacct
switch is executed. (The program moves the pacct file and creates a new one.)
The advantage of having several smaller pacct files becomes apparent when
trying to restart runacct if a failure occurs when processing these records.
7. runacct is executed by cron each night. runacct processes the accounting
files: /var/adm/pacctn, /var/adm/wtmp, /var/adm/fee, and
/var/adm/acct/nite/disktacct, to produce command summaries and usage
summaries by login.
8. The /usr/lib/acct/prdaily program is executed on a daily basis by
runacct to write the daily accounting information collected by runacct (in
ASCII format) in /var/adm/acct/sum/[Link].

446 System Administration Guide, Volume II ♦ October 1998

9. The monacct program should be executed on a monthly basis (or at intervals
determined by you, such as the end of every fiscal period). The monacct
program creates a report based on data stored in the sum directory that has been
updated daily by runacct. After creating the report, monacct “cleans up” the
sum directory to prepare the directory’s files for the new runacct data.

What Happens if the System Shuts Down

If the system is shut down using shutdown, the shutacct program is executed
automatically. The shutacct program writes a reason record into /var/adm/wtmp
and turns off process accounting.

Accounting Reports
This section describes the various reports generated by the accounting software.

Daily Accounting Reports

The runacct(1M) shell script generates four basic reports upon each invocation.
These reports cover the areas of connect accounting, usage by login on a daily basis,
command usage reported by daily and monthly totals, and a report of the last time
users were logged in. Table 23–2 describes the four basic reports generated.

TABLE 23–2 Daily Accounting Reports

Report Type Description

Daily Report Shows line utilization by tty number.

Daily Usage Report Indicates usage of system resources by users (listed in order
of UID).

Daily Command Summary Indicates usage of system resources by commands, listed in

descending order of use of memory (in other words, the
command that used the most memory is listed first). This
same information is reported for the month with the monthly
total command summary.

Last Login Shows the last time each user logged in (arranged in
chronological order).

System Accounting (Reference) 447

 Daily Report
This report gives information about each terminal line used. A sample daily report
appears below.

Jun 11 [Link] 1998 DAILY REPORT FOR mercury Page 1

from Wed Jun 10 [Link] 1998

to Thu Jun 11 [Link] 1998
1 system boot
1 run-level 3
1 acctg on
1 runacct
1 acctcon

TOTAL DURATION IS 1384 MINUTES

LINE MINUTES PERCENT # SESS # ON # OFF
/dev/pts/5 0 0 0 0 0
/dev/pts/6 0 0 0 0 1
/dev/pts/7 0 0 0 0 0
console 1337 97 1 1 1
pts/3 0 0 0 0 1
pts/4 0 0 0 0 1
pts/5 3 0 2 2 3
pts/6 232 17 5 5 5
pts/7 54 4 1 1 2
pts/8 0 0 0 0 1
pts/9 0 0 0 0 1
TOTALS 1625 -- 9 9 16

The from and to lines specify the time period reflected in the report—the period
from the time the last accounting report was generated until the time the current
accounting report was generated. It is followed by a log of system reboots,
shutdowns, power failure recoveries, and any other record dumped into
/var/adm/wtmp by the acctwtmp program. For more information, see acct(1M).

The second part of the report is a breakdown of line utilization. The TOTAL
DURATION tells how long the system was in multiuser state (accessible through the
terminal lines). The columns are described in Table 23–3.

TABLE 23–3 Daily Report Data

Column Description

LINE The terminal line or access port.

MINUTES The total number of minutes that the line was in use during the
accounting period.

448 System Administration Guide, Volume II ♦ October 1998

 TABLE 23–3 Daily Report Data (continued)

Column Description

PERCENT The total number of MINUTES the line was in use, divided into the
TOTAL DURATION.

# SESS The number of times this port was accessed for a login session.

# ON Identical to SESS. (This column does not have much meaning

anymore. Previously, it listed the number of times that a port was
used to log in a user.)

# OFF This column reflects the number of times a user logs out and any
interrupts that occur on that line. Generally, interrupts occur on a
port when ttymon is first invoked after the system is brought to
multiuser state. If the # OFF exceeds the # ON by a large factor, the
multiplexer, modem, or cable is probably going bad, or there is a bad
connection somewhere. The most common cause of this is an
unconnected cable dangling from the multiplexer.

During real time, you should monitor /var/adm/wtmp because it is the file from
which the connect accounting is geared. If the wtmp file grows rapidly, execute
acctcon -l file < /var/adm/wtmp to see which tty line is the noisiest. If
interruption is occurring frequently, general system performance will be affected.
Additionally, wtmp may become corrupted. To correct this, see “How to Fix a wtmp
File” on page 438.

Daily Usage Report

The daily usage report gives a breakdown of system resource utilization by user. A
sample of this type of report appears below.

Jun 11 [Link] 1998 DAILY USAGE REPORT FOR mercury Page 1

LOGIN CPU (MINS) KCORE-MINS CONNECT (MINS) DISK # OF # OF # DISK FEE

UID NAME PRIME NPRIME PRIME NPRIME PRIME NPRIME BLOCKS PROCS SESS SAMPLES
0 TOTAL 1 1 2017 717 785 840 660361 1067 9 7 20
0 root 1 1 1833 499 550 840 400443 408 2 1 0
1 daemon 0 0 0 0 0 0 400 0 0 1 0
2 bin 0 0 0 0 0 0 253942 0 0 1 0
3 sys 0 0 0 0 0 0 2 0 0 1 0
4 adm 0 0 46 83 0 0 104 280 0 1 0
5 uucp 0 0 74 133 0 0 1672 316 0 1 0
71 lp 0 0 0 2 0 0 3798 1 0 1 0
8198 ksm 0 0 8 0 0 0 0 6 1 0 0

(continued)

System Accounting (Reference) 449

 (Continuation)

52171 pjm 0 0 56 0 234 0 0 56 6 0 20

The data provided in the daily usage report is described in Table 23–4.

TABLE 23–4 Daily Usage Report Data

Column Description

UID User identification number.

LOGIN NAME Login name of the user. Identifies a user who has multiple login
names.

CPU-MINS Amount of time, in minutes, that the user’s process used the
central processing unit. Divided into PRIME and NPRIME
(non-prime) utilization. The accounting system’s version of this
data is located in the /etc/acct/holidays file.

KCORE-MINS A cumulative measure of the amount of memory in kbyte

segments per minute that a process uses while running. Divided
into PRIME and NPRIME utilization.

CONNECT-MINS Amount of time a user was logged into the system, or “real time.”
Divided into PRIME and NPRIME use. If these numbers are high
while the # OF PROCS is low, you can conclude that the user logs
in first thing in the morning and hardly touches the terminal the
rest of the day.

DISK BLOCKS Output from the acctdusg program, which runs and merges
disk accounting programs and total accounting record
(daytacct). (For accounting purposes, a block is 512 bytes.)

# OF PROCS Number of processes invoked by the user. If large numbers appear,

a user may have a shell procedure that has run out of control.

# OF SESS Number of times a user logged on to the system.

# DISK SAMPLES Number of times disk accounting was run to obtain the average
number of DISK BLOCKS.

FEE Often unused field that represents the total accumulation of units
charged against the user by chargefee.

450 System Administration Guide, Volume II ♦ October 1998

 Daily Command Summary
The daily command summary report shows the system resource use by command.
With this report, you can identify the most heavily used commands and, based on
how those commands use system resources, gain insight on how best to tune the
system. The format of the daily and monthly reports are virtually the same; however,
the daily summary reports only on the current accounting period while the monthly
summary reports on the start of the fiscal period to the current date. In other words,
the monthly report reflects the data accumulated since the last invocation of
monacct.
These reports are sorted by TOTAL KCOREMIN, which is an arbitrary gauge but often
a good one for calculating drain on a system.
A sample daily command summary appears below.

Jun 11 [Link] 1998 DAILY COMMAND SUMMARY Page 1

TOTAL COMMAND SUMMARY

COMMAND NUMBER TOTAL TOTAL TOTAL MEAN MEAN HOG CHARS BLOCKS
NAME CMDS KCOREMIN CPU-MIN REAL-MIN SIZE-K CPU-MIN FACTOR TRNSFD READ

TOTALS 1067 2730.99 2.01 1649.38 1361.41 0.00 0.00 6253571 2305

sendmail 28 1085.87 0.05 0.24 23865.20 0.00 0.19 101544 39

admintoo 3 397.68 0.12 1132.96 3443.12 0.04 0.00 680220 83
sh 166 204.78 0.31 161.13 651.80 0.00 0.00 598158 20
nroff 12 167.17 0.14 0.24 1205.55 0.01 0.59 709048 22
find 10 151.27 0.27 2.72 563.40 0.03 0.10 877971 1580
acctdusg 3 87.40 0.13 2.74 698.29 0.04 0.05 883845 203
lp 10 74.29 0.05 0.22 1397.38 0.01 0.24 136460 57
expr 20 67.48 0.02 0.06 3213.24 0.00 0.34 6380 1
[Link] 3 65.83 0.01 0.04 11285.60 0.00 0.15 24709 15
cmdtool 1 37.65 0.02 20.13 2091.56 0.02 0.00 151296 1
uudemon. 105 37.38 0.09 0.32 435.46 0.00 0.27 62130 17
csh 6 35.17 0.05 57.28 756.30 0.01 0.00 209560 13
col 12 31.12 0.06 0.26 523.00 0.00 0.23 309932 0
ntpdate 22 27.55 0.05 11.18 599.00 0.00 0.00 22419 0
uuxqt 44 18.66 0.04 0.06 417.79 0.00 0.74 32604 3
man 12 15.11 0.03 7.05 503.67 0.00 0.00 85266 47
.
.
.

The data provided, by column, in the daily command summary is described in Table
23–5.

System Accounting (Reference) 451

 TABLE 23–5 Daily Command Summary

Column Description

COMMAND NAME Name of the command. Unfortunately, all shell procedures

are lumped together under the name sh because only object
modules are reported by the process accounting system. It’s a
good idea to monitor the frequency of programs called
[Link] or core or any other unexpected name. acctcom can
be used to determine who executed an oddly named
command and if superuser privileges were used.

NUMBER CMNDS Total number of invocations of this particular command

during prime time.

TOTAL KCOREMIN Total cumulative measurement of the Kbyte segments of

memory used by a process per minute of run time.

TOTAL CPU-MIN: Total processing time this program has accumulated during
prime time.

TOTAL REAL-MIN Total real-time (wall-clock) minutes this program has

accumulated.

MEAN SIZE-K Mean of the TOTAL KCOREMIN over the number of

invocations reflected by NUMBER CMDS.

MEAN CPU-MIN Mean derived between the NUMBER CMDS and TOTAL
CPU-MIN.

HOG FACTOR Total CPU time divided by elapsed time. Shows the ratio of
system availability to system use, providing a relative
measure of total available CPU time consumed by the
process during its execution.

CHARS TRNSFD Total count of the number of characters pushed around by the
read and write system calls. May be negative due to overflow.

BLOCKS READ Total count of the physical block reads and writes that a
process performed.

Monthly Command Summary

The monthly command summary is similar to the daily command summary. The
only difference is that the monthly command summary shows totals accumulated
since the last invocation of monacct. A sample report appears below.

452 System Administration Guide, Volume II ♦ October 1998

Jun 9 [Link] 1998 MONTHLY TOTAL COMMAND SUMMARY Page 1

TOTAL COMMAND SUMMARY

COMMAND NUMBER TOTAL TOTAL TOTAL MEAN MEAN HOG CHARS BLOCKS
NAME CMDS KCOREMIN CPU-MIN REAL-MIN SIZE-K CPU-MIN FACTOR TRNSFD READ

TOTALS 771 483.70 0.94 8984.09 515.12 0.00 0.00 2248299 179

sh 105 155.41 0.23 429.58 667.94 0.00 0.00 491870 1

uudemon. 85 29.39 0.07 0.29 434.28 0.00 0.23 49630 14
acctcms 5 27.21 0.04 0.04 752.41 0.01 0.90 218880 1
ntpdate 17 21.30 0.04 14.10 605.73 0.00 0.00 18192 0
dtpad 1 19.69 0.01 10.87 2072.70 0.01 0.00 46992 8
sendmail 17 16.75 0.02 0.02 859.04 0.00 0.91 1965 0
acctprc 1 14.92 0.03 0.03 552.69 0.03 0.95 115584 0
uuxqt 34 14.78 0.03 0.04 426.29 0.00 0.92 25194 0
uusched 34 10.96 0.03 0.03 363.25 0.00 0.91 25194 0
sed 40 10.15 0.03 0.09 315.50 0.00 0.36 64162 2
man 5 10.08 0.02 57.58 555.05 0.00 0.00 25773 2
getent 1 7.68 0.01 0.02 921.60 0.01 0.40 20136 0
[Link] 5 7.65 0.01 4331.67 611.73 0.00 0.00 87440 0
cp 37 7.28 0.03 0.05 280.08 0.00 0.50 1739 36
date 27 7.24 0.02 0.03 329.12 0.00 0.65 23443 1
ls 15 7.05 0.01 0.02 503.33 0.00 0.79 14123 0
awk 19 6.94 0.02 0.06 372.04 0.00 0.32 666 0
rm 29 6.83 0.02 0.04 301.32 0.00 0.60 2348 17

See “Daily Command Summary ” on page 451 for a description of the data.

Last Login Report

This report gives the date when a particular login was last used. You can use this
information to find unused logins and login directories that may be archived and
deleted. A sample report appears below.

Jun 9 [Link] 1998 LAST LOGIN Page 1

.
.
.
00-00-00 arimmer 00-00-00 lister 97-02-27 pjm
00-00-00 reception 00-00-00 smithey 97-02-27 ksm
00-00-00 release 00-00-00 smsc 97-02-27 root
00-00-00 resch 00-00-00 datab

Looking at the pacct File With acctcom

At any time, you can examine the contents of the /var/adm/pacctn files, or any
file with records in the acct.h format, by using the acctcom program. If you don’t
specify any files and don’t provide any standard input when you run this command,
acctcom reads the pacct file. Each record read by acctcom represents information

System Accounting (Reference) 453

 about a dead process (active processes may be examined by running the ps
command). The default output of acctcom provides the following information:
4 Command name (pound (#) sign if it was executed with superuser privileges)
4 User
4 tty name (listed as ? if unknown)
4 Starting time
4 Ending time
4 Real time (in seconds)
4 CPU time (in seconds)
4 Mean size (in Kbytes)
The following information can be obtained by using options to acctcom:
4 State of the fork/exec flag (1 for fork without exec)
4 System exit status
4 Hog factor
4 Total kcore minutes
4 CPU factor
4 Characters transferred
4 Blocks read
Table 23–6 describes the acctcom options.

TABLE 23–6 acctcom Options

Option Description

Show some average statistics about the processes selected. (The

−a
statistics are printed after the output is recorded.)

Read the files backward, showing latest commands first. (This has no
−b
effect if reading standard input.)

Print the fork/exec flag and system exit status columns. (The
−f
output is an octal number.)

Instead of mean memory size, show the hog factor, which is the
−h
fraction of total available CPU time consumed by the process during
its execution. Hog factor = total_CPU_time/elapsed_time.

Print columns containing the I/O counts in the output.

−i

454 System Administration Guide, Volume II ♦ October 1998

TABLE 23–6 acctcom Options (continued)

Option Description

Show total kcore minutes instead of memory size.

−k

Show mean core size (this is the default).

−m

Don’t print output records, just print average statistics.

−q

Show CPU factor: user_time/(system_time + user_time).

−r

Show separate system and user CPU times.

−t

Exclude column headings from the output.

−v

Show only processes with total CPU time (system plus user)
−C sec
exceeding sec seconds.

Show processes existing at or before time, given in the format

−e time
hr[:min[:sec]].

Show processes starting at or before time, given in the format

−E time
hr[:min[:sec]]. Using the same time for both −S and −E, show
processes that existed at the time.

Show only processes belonging to group.

−g group

Show only processes that exceed factor, where factor is the “hog
−H factor
factor” (see the −h option).

Show only processes transferring more characters than the cutoff

−I chars
number specified by chars.

Show only processes belonging to the terminal /dev/line.

−l line

Show only commands matching pattern (a regular expression except

−n pattern
that “+” means one or more occurrences).

Instead of printing the records, copy them in acct.h format to ofile.

−o ofile

Show only processes with CPU system time exceeding sec seconds.
−O sec

System Accounting (Reference) 455

 TABLE 23–6 acctcom Options (continued)

Option Description

Show processes existing at or after time, given in the format

−s time
hr[:min[:sec]].

Show processes starting at or after time, given in the format

−S time
hr[:min[:sec]].

Show only processes belonging to user.

−u user

The runacct Program

The main daily accounting shell script, runacct, is normally invoked by cron
outside of prime time hours. The runacct shell script processes connect, fee, disk,
and process accounting files. It also prepares daily and cumulative summary files for
use by prdaily and monacct for billing purposes.

The runacct shell script takes care not to damage files if errors occur. A series of
protection mechanisms are used that attempt to recognize an error, provide
intelligent diagnostics, and complete processing in such a way that runacct can be
restarted with minimal intervention. It records its progress by writing descriptive
messages into the file active. (Files used by runacct are assumed to be in the
/var/adm/acct/nite directory, unless otherwise noted.) All diagnostic output
during the execution of runacct is written into fd2log.

When runacct is invoked, it creates the files lock and lock1. These files are used
to prevent simultaneous execution of runacct. The runacct program prints an
error message if these files exist when it is invoked. The lastdate file contains the
month and day runacct was last invoked, and is used to prevent more than one
execution per day. If runacct detects an error, a message is written to the console,
mail is sent to root and adm, locks may be removed, diagnostic files are saved, and
execution is ended. For instructions on how to start runacct again, see “How to
Restart runacct” on page 440.

To allow runacct to be restartable, processing is broken down into separate

re-entrant states. The file statefile is used to keep track of the last state
completed. When each state is completed, statefile is updated to reflect the next
state. After processing for the state is complete, statefile is read and the next
state is processed. When runacct reaches the CLEANUP state, it removes the locks
and ends. States are executed as shown in Table 23–7.

456 System Administration Guide, Volume II ♦ October 1998

TABLE 23–7 runacct States

State Description

SETUP The command turnacct switch is executed to create a new pacct

file. The process accounting files in /var/adm/pacctn (except for
the pacct file) are moved to /var/adm/[Link]. The /
var/adm/wtmp file is moved to /var/adm/acct/nite/
[Link] (with the current time record added on the end) and a
new /var/adm/wtmp is created. closewtmp and utmp2wtmp add
records to [Link] and the new wtmp to account for users
currently logged in.

WTMPFIX The wtmpfix program checks the [Link] file in the nite
directory for accuracy. Because some date changes will cause
acctcon to fail, wtmpfix attempts to adjust the time stamps in the
wtmp file if a record of a date change appears. It also deletes any
corrupted entries from the wtmp file. The fixed version of
[Link] is written to tmpwtmp.

CONNECT The acctcon program is used to record connect accounting records

in the file [Link]. These records are in tacct.h format. In
addition, acctcon creates the lineuse and reboots files. The
reboots file records all the boot records found in the wtmp file.

PROCESS The acctprc program is used to convert the process accounting

files, /var/adm/[Link], into total accounting records in
[Link]. The Spacct and ptacct files are correlated by
number so that if runacct fails, the Spacct files will not be
processed.

MERGE The MERGE program merges the process accounting records with the
connect accounting records to form daytacct.

FEES The MERGE program merges ASCII tacct records from the fee file
into daytacct.

DISK If the dodisk procedure has been run, producing the disktacct
file, the DISK program merges the file into daytacct and moves
disktacct to /tmp/[Link].

MERGETACCT The MERGETACCT merges daytacct with sum/tacct, the

cumulative total accounting file. Each day, daytacct is saved in
sum/[Link], so that sum/tacct can be recreated if it is
corrupted or lost.

System Accounting (Reference) 457

 TABLE 23–7 runacct States (continued)

State Description

CMS The acctcms program is run several times. acctcms is first run to
generate the command summary using the Spacctn files and write
it to sum/daycms. The acctcms program is then run to merge
sum/daycms with the cumulative command summary file sum/cms.
Finally, acctcms is run to produce the ASCII command summary
files, nite/daycms and nite/cms, from the sum/daycms and
sum/cms files, respectively. The lastlogin program is used to
create the /var/adm/acct/sum/loginlog log file, the report of
when each user last logged in. (If runacct is run after midnight, the
dates showing the time last logged in by some users will be incorrect
by one day.)

USEREXIT Any installation-dependent (local) accounting program can be

included at this point. runacct expects it to be called /usr/lib/
acct/[Link].

CLEANUP Cleans up temporary files, runs prdaily and saves its output in
sum/[Link], removes the locks, then exits.

Caution - When restarting runacct in the CLEANUP state, remove the last ptacct
file because it will not be complete.

Accounting Files
The /var/adm directory structure contains the active data collection files and is
owned by the adm login (currently user ID of 4).

TABLE 23–8 Files in /var/adm Directory

File Description

dtmp Output from the acctdusg program

fee Output from the chargefee program, ASCII tacct records

pacct Active process accounting file

458 System Administration Guide, Volume II ♦ October 1998

TABLE 23–8 Files in /var/adm Directory (continued)

File Description

pacctn Process accounting files switched using turnacct

[Link] Process accounting files for MMDD during execution of runacct

The /var/adm/acct directory contains the nite, sum, and fiscal directories,
which contain the actual data collection files. For example, the nite directory
contains files that are reused daily by the runacct procedure. A brief summary of
the files in the /var/adm/acct/nite directory follows.

TABLE 23–9 Files in the /var/adm/acct/nite Directory

File Description

active Used by runacct to record progress and print warning and error
messages

activeMMDD Same as active after runacct detects an error

cms ASCII total command summary used by prdaily

[Link] Connect accounting records in tacct.h format

ctmp Output of acctcon1 program, connect session records in ctmp.h

format (acctcon1 and acctcon2 are provided for compatibility
purposes)

daycms ASCII daily command summary used by prdaily

daytacct Total accounting records for one day in tacct.h format

disktacct Disk accounting records in tacct.h format, created by the dodisk

procedure

fd2log Diagnostic output during execution of runacct

lastdate Last day runacct executed (in date +%m%d format)

lock Used to control serial use of runacct

lineuse tty line usage report used by prdaily

System Accounting (Reference) 459

 TABLE 23–9 Files in the /var/adm/acct/nite Directory (continued)

File Description

log Diagnostic output from acctcon

[Link] Same as log after runacct detects an error

owtmp Previous day’s wtmp file

reboots Beginning and ending dates from wtmp and a listing of reboots

statefile Used to record current state during execution of runacct

tmpwtmp wtmp file corrected by wtmpfix

wtmperror Place for wtmpfix error messages

[Link] Same as wtmperror after runacct detects an error

[Link] runacct’s copy of the wtmp file

The sum directory contains the cumulative summary files updated by runacct and
used by monacct. A brief summary of the files in the /var/adm/acct/sum
directory is in Table 23–10.

TABLE 23–10 Files in the /var/adm/acct/sum Directory

File Description

cms Total command summary file for current fiscal period in internal
summary format

cmsprev Command summary file without latest update

daycms Command summary file for the day’s usage in internal summary
format

loginlog Record of last date each user logged on; created by lastlogin and
used in the prdaily program

[Link] Saved output of prdaily program

tacct Cumulative total accounting file for current fiscal period

460 System Administration Guide, Volume II ♦ October 1998

TABLE 23–10 Files in the /var/adm/acct/sum Directory (continued)

File Description

tacctprev Same as tacct without latest update

[Link] Total accounting file for MMDD

The fiscal directory contains periodic summary files created by monacct. A brief
description of the files in the /var/adm/acct/fiscal directory is in Table 23–11.

TABLE 23–11 Files in the /var/adm/acct/fiscal Directory

File Description

cmsn Total command summary file for fiscal period n in internal summary
format

fiscrptn Report similar to rprtn for fiscal period n

tacctn Total accounting file for fiscal period n

Files Produced by runacct

The most useful files produced by runacct (found in /var/adm/acct) are shown
in Table 23–12.

System Accounting (Reference) 461

 TABLE 23–12 Files Produced by runacct

File Description

nite/lineuse runacct calls acctcon to gather data on terminal line usage

from /var/adm/acct/nite/tmpwtmp and writes the data to /
var/adm/acct/nite/lineuse. prdaily uses this data to
report line usage. This report is especially useful for detecting bad
lines. If the ratio between the number of logouts to logins is
greater than about three to one, there is a good possibility that the
line is failing.

nite/daytacct This file is the total accounting file for the day in tacct.h format.

sum/tacct This file is the accumulation of each day’s nite/daytacct and

can be used for billing purposes. It is restarted each month or
fiscal period by the monacct procedure.

sum/daycms runacct calls acctcms to process the data about the commands
used during the day. This information is stored in /var/adm/
acct/sum/daycms. It contains the daily command summary. The
ASCII version of this file is /var/adm/acct/nite/daycms.

sum/cms This file is the accumulation of each day’s command summaries.

It is restarted by the execution of monacct. The ASCII version is
nite/cms.

sum/loginlog runacct calls lastlogin to update the last date logged in for
the logins in /var/adm/acct/sum/loginlog. lastlogin also
removes from this file logins that are no longer valid.

sum/[Link] Each execution of runacct saves a copy of the daily report that
was printed by prdaily.

462 System Administration Guide, Volume II ♦ October 1998

PART VI Managing System Performance

This part provides instructions for managing system performance. This part contains
these chapters.

Provides overview information about performance

Chapter 24
topics.

Provides step-by-step instructions for using process

Chapter 25
commands to enhance system performance.

Provides step-by-step instructions for using vmstat,

Chapter 26
sar, and disk utilization commands to monitor
performance.

Provides step-by-step instructions for monitoring

Chapter 27
network performance.

Provides step-by-step instructions for tuning selected

Chapter 28
kernel parameters.

Provides overview information about the SunOS 5.7

Chapter 29
scheduler.
CHAPTER 24

System Performance (Overview)

Getting good performance from a computer or network is an important part of

system administration. This chapter is an overview of some of the factors that
contribute to maintaining and managing the performance of the computer systems in
your care.
This is a list of the overview information in this chapter.
4 “Where to Find System Performance Tasks” on page 467
4 “System Performance and System Resources” on page 467
4 “Processes and System Performance” on page 468
4 “Disk I/O and System Performance” on page 473
4 “Memory and System Performance” on page 475
4 “Kernel Parameters and System Performance” on page 476
4 “About Monitoring Performance” on page 477

What’s New in Managing System

Performance?
This section describes new Solaris 7 features in the area of managing system
performance.

465
 The pgrep and pkill Commands
The pgrep and pkill commands replace the combination of the ps, grep, egrep,
awk, and kill commands that were used to manage processes in previous Solaris
releases.
The pgrep command looks at the active processes on the system and displays the
process IDs of the processes whose attributes match the specified criteria on the
command line.
The pkill command works the same way as the pgrep command except that each
matching process ID is signaled by kill(2) instead of having the process ID
displayed.
Highlights of the command usage are:
4 Processes can be matched by their real or effective user IDs, group IDs, or their
parent process ID or process group ID, etc.
4 Each process ID is displayed as a decimal value and is separated from the next
process ID by a new line. You can override the new line display between each
process by specifying your own deliminator with the −d option.
4 Multiple options can be specified on one command line by separating each one
with a comma.
4 Defunct processes are never matched by either the pgrep or pkill commands.
4 The current pgrep or pkill process will never consider itself a potential match.
4 You can use pkill -signal to specify a signal value, such as HUP (1) or KILL
(9), as either the symbolic or numeric value. If you specify a signal value, it must
be the first option on the command line. The SIGTERM signal is sent by default.

Examples—Using the pgrep and pkill Commands

The following example illustrates how to use the pgrep command to exactly match
the user kryten as the owner of the specified process dtmail, and then terminate
the process with the pkill command.

$ pgrep -u kryten -x dtmail

14206
$ pkill -u kryten -x dtmail
$

Using the −u option prevents you from accidently terminating a process called
dtmail owned by another user, if you executed the pkill command as superuser.
This example terminates the most recently created shelltool process owned by the
user pmorph:

466 System Administration Guide, Volume II ♦ October 1998

 % pkill -u pmorph -n shelltool

This example uses the pwdx command, one of the proc(1) tools, as input to the
pgrep command to display the current working directory of the user rimmer’s Korn
shells:

$ pgrep -u rimmer -x ksh | xargs /usr/proc/bin/pwdx

4748: /home/rimmer
11395: /home/rimmer/src/command
6010: /datab/files/file1

See pgrep(1) for more information.

Where to Find System Performance

Tasks
Use these references to find step-by-step instructions for monitoring system
performance.
4 Chapter 25
4 Chapter 26
4 Chapter 27
4 Chapter 28

System Performance and System

Resources
The performance of a computer system depends upon how the system uses and
allocates its resources. It is important to monitor your system’s performance on a
regularly so that you know how it behaves under normal conditions. You should
have a good idea of what to expect, and be able to recognize a problem when it
occurs.
System resources that affect performance include:
4 Central processing unit (CPU) – The CPU processes instructions, fetching
instructions from memory and executing them.

System Performance (Overview) 467

 4 Input/output (I/O) devices – I/O devices transfer information into and out of the
computer. Such a device could be a terminal and keyboard, a disk drive, or a
printer.
4 Memory – Physical (or main) memory is the amount of memory (RAM) on the
system.
Chapter 26 describes the tools that display statistics about the activity and the
performance of the computer system.

Other Sources of Information

Performance is a broad subject that can’t be adequately covered in these chapters.
There are several books available that cover various aspects of improving
performance and tuning your system or network. Three useful books are:
4 Sun Performance and Tuning: SPARC and Solaris, by Adrian Cockcroft, SunSoft
Press/PRT Prentice Hall, ISBN 0-13-149642-3
4 System Performance Tuning, by Mike Loukides, O’Reilly & Associates, Inc.
4 Managing NFS and NIS, by Hal Stern, O’Reilly & Associates, Inc.

Processes and System Performance

Terms related to processes are described in Table 24–1.

TABLE 24–1 Process Terminology

Term Description

Process An instance of program in execution.

Lightweight process Is a virtual CPU or execution resource. LWPs are scheduled by

(LWP) the kernel to use available CPU resources based on their
scheduling class and priority. LWPs include a kernel thread,
which contains information that has to be in memory all the
time and an LWP, which contains information that is swappable.

Application thread A series of instructions with a separate stack that can execute
independently in a user’s address space. They can be
multiplexed on top of LWPs.

468 System Administration Guide, Volume II ♦ October 1998

A process can consist of multiple LWPs and multiple application threads. The kernel
schedules a kernel-thread structure, which is the scheduling entity in the SunOS 5.7
environment. Various process structures are described in Table 24–2.

TABLE 24–2 Process Structures

Structure Description

proc Contains information that pertains to the whole process and has
to be in main memory all the time.

kthread Contains information that pertains to one LWP and has to be in

main memory all the time.

user Contains the per process information that is swappable.

klwp Contains the per LWP process information that is swappable.

Figure 24–1 illustrates the relationship of these structures.

Main Memory
(non-swappable )

process kernel thread

(proc structure) ( kthread structure)

per process per LWP

user LWP
(user structure) (klwp structure)

swappable
Figure 24–1 Process Structures
Most process resources are accessible to all the threads in the process. Almost all
process virtual memory is shared. A change in shared data by one thread is available
to the other threads in the process.

System Performance (Overview) 469

 Commands for Managing Processes
Table 24–3 describes commands for managing processes.

TABLE 24–3 Commands for Managing Processes

Use This Command ... To ...

ps Check the status of active processes on a system, as

well as display detailed information about the
processes

dispadmin List default scheduling policies

priocntl Assign processes to a priority class and manage

process priorities

nice Change the priority of a timesharing process

Another feature enables the control of process groups over processor sets. Using
processor sets means process groups can bind to a group of processors rather than to
just a single processor. The /usr/sbin/psrset command gives a system
administrator control over the creation and management of processor sets. See
psrset(1M) for more information.
See Chapter 25 for more information about commands for managing processes.

The /proc File System and Commands

In addition, process tools are available in the /usr/proc/bin directory that display
highly detailed information about the processes listed in the /proc directory, also
known as the process file system (PROCFS). Images of active processes are stored
here by their process ID number.
The process tools are similar to some options of the ps command, except that the
output provided by the tools is more detailed. In general, the process tools:
4 Display more details about processes, such as fstat and fcntl information,
working directories, and trees of parent and child processes
4 Provide control over processes, allowing users to stop or resume them
The new /usr/proc/bin utilities are summarized in Table 24–4.

470 System Administration Guide, Volume II ♦ October 1998

TABLE 24–4 Process Tools

Tools That Control Processes What the Tools Do

/usr/proc/bin/pstop pid Stops the process

/usr/proc/bin/prun pid Restarts the process

/usr/proc/bin/ptime pid Times the process using microstate

accounting

/usr/proc/bin/pwait [-v] pid Waits for specified processes to terminate

Tools That Display Process Details What the Tools Display

/usr/proc/bin/pcred pid Credentials

/usr/proc/bin/pfiles pid fstat and fcntl information for open files

/usr/proc/bin/pflags pid /proc tracing flags, pending and held

signals, and other status information for
each lwp

/usr/proc/bin/pldd pid Dynamic libraries linked into each process

/usr/proc/bin/pmap pid Address space map

/usr/proc/bin/psig pid Signal actions

/usr/proc/bin/pstack pid Hex+symbolic stack trace for each lwp

/usr/proc/bin/ptree pid Process trees containing specified pids

/usr/proc/bin/pwdx pid Current working directory

In these commands, pid is a process identification number. You can obtain this
number by using the ps -ef command.

Chapter 25 describes how to use the process tool commands to perform selected
system administration tasks, such as displaying details about processes, and starting

System Performance (Overview) 471

 and stopping them. A more detailed description of the process tools can be found in
proc(1).
If a process becomes trapped in an endless loop, or if it takes too long to execute,
you may want to stop (kill) the process. See Chapter 25 for more information about
stopping processes using the pkill command.
The previous flat /proc file system has been restructured into a directory hierarchy
that contains additional sub-directories for state information and control functions.
It also provides a watchpoint facility that is used to remap read/write permissions
on the individual pages of a process’s address space. This facility has no restrictions
and is MT-safe.
The new /proc file structure provides complete binary compatibility with the old
/proc interface except that the new watchpoint facility cannot be used with the old
interface.
Debugging tools have been modified to use /proc’s new watchpoint facility, which
means the entire watchpoint process is faster.
The following restrictions have been removed when setting watchpoints using the
dbx debugging tool:
4 Setting watchpoints on local variables on the stack due to SPARC register windows
4 Setting watchpoints on multi-threaded processes
See proc(4), core(4), and adb(1) for more information.

Process Scheduling Classes and Priority Levels

A process is allocated CPU time according to its scheduling class and its priority
level. By default, the Solaris operating environment has four process scheduling
classes: real-time, system, timesharing and interactive.
4 Real-time processes have the highest priority. This class includes processes that
must respond to external events as they happen. For example, a process that
collects data from a sensing device may need to process the data and respond
immediately. In most cases, a real-time process requires a dedicated system. No
other processes can be serviced while a real-time process has control of the CPU.
By default, the range of priorities is 100-159.
4 System processes have the middle priorities. This class is made up of those
processes that are automatically run by the kernel, such as the swapper and the
paging daemon. By default, the range of priorities is 60-99.
4 Timesharing processes have the lowest priority. This class includes the standard
UNIX processes. Normally, all user processes are timesharing processes. They are
subject to a scheduling policy that attempts to distribute processing time fairly,
giving interactive applications quick response time and maintaining good
throughput for computations. By default, the range of priorities is 0-59.

472 System Administration Guide, Volume II ♦ October 1998

4 Interactive processes were introduced in the SunOS 5.4 environment. The priorities
range from 0-59. All processes started under OpenWindows are placed in the
interactive class and those processes with keyboard focus get higher priorities.
The scheduling priority determines the order in which processes will be run.
Real-time processes have fixed priorities. If a real-time process is ready to run, no
system process or timesharing process can run.
System processes have fixed priorities that are established by the kernel when they
are started. The processes in the system class are controlled by the kernel, and cannot
be changed.
Timesharing and interactive processes are controlled by the scheduler, which
dynamically assigns their priorities. You can manipulate the priorities of the
processes within this class.

Disk I/O and System Performance

The disk is used to store data and instructions used by your computer system. You
can examine how efficiently the system is accessing data on the disk by looking at
the disk access activity and terminal activity. See Chapter 26 for a discussion of the
iostat and sar commands, which report statistics on disk activity. Managing and
allocating disk space and dividing your disk into slices are discussed in “Disk
Management (Overview)” in System Administration Guide, Volume I.
If the CPU spends much of its time waiting for I/O completions, there is a problem
with disk slowdown. Some ways to prevent disk slowdowns are:
4 Keep disk space with 10% free so file systems are not full. If a disk becomes full,
back up and restore the file systems to prevent disk fragmentation. Consider
purchasing products that resolve disk fragmentation.
4 Organize the file system to minimize disk activity. If you have two disks,
distributeTMthe file system for a more balanced load. Using Sun’s Solstice
DiskSuite product provides more efficient disk usage.
4 Add more memory. Additional memory reduces swapping and paging traffic, and
allows an expanded buffer pool (reducing the number of user-level reads and
writes that need to go out to disk).
4 Add a disk and balance the most active file systems across the disks.

UFS Direct Input/Output (I/O)

Direct I/O is intended to boost bulk I/O operations. Bulk I/O operations use large
buffer sizes to transfer large files (files larger than physical memory).

System Performance (Overview) 473

 An example of a bulk I/O operation is downloading satellite data, which writes
large amounts of data to a file. Direct I/O data is read or written into memory
without using the overhead of the operating system’s page caching mechanism.
There is a potential penalty on direct I/O startup. If a file requested for I/O is
already mapped by another application, the pages will have to be flushed out of
memory before the direct I/O operation can begin.
See directio(3C) for more information.
Direct I/O can also be enabled on a file system by using the forcedirectio option
to the mount command. Enabling direct I/O is a performance benefit only when a
file system is transferring large amounts of sequential data.
When a file system is mounted with this option, data is transferred directly between
a user’s address space and the disk. When forced direct I/O is not enabled for a file
system, data transferred between a user’s address space and the disk is first buffered
in the kernel address space.
The default behavior is no forced direct I/O on a UFS file system. See
mount_ufs(1M) for more information.

How to Enable Forced Direct I/O on a UFS File

System
1. Become superuser.

2. Mount a file system with the forcedirectio mount option.

# mount -F ufs -o forcedirectio /dev/dsk/c0t3d0s7 /datab

3. Verify the mounted file system has forced direct I/O enabled.

# mount
.
.
.
/export/home on /dev/dsk/c0t3d0s7 forcedirectio/setuid/read/write/
largefiles on Tue Jun 16 [Link] 1998

474 System Administration Guide, Volume II ♦ October 1998

Memory and System Performance
Performance suffers when the programs running on the system require more
physical memory than is available. When this happens, the operating system begins
paging and swapping, which is costly in both disk and CPU overhead.
Paging involves moving pages that have not been recently referenced to a free list of
available memory pages. Most of the kernel resides in main memory and is not
pageable.
Swapping occurs if the page daemon cannot keep up with the demand for memory.
The swapper will attempt to swap out sleeping or stopped lightweight processes
(LWPs). If there are no sleeping or stopped LWPs, the swapper will swap out a
runnable process. The swapper will swap LWPs back in based on their priority. It
will attempt to swap in processes that are runnable.

Swap Space
Swap areas are really file systems used for swapping. Swap areas should be sized
based on the requirements of your applications. Check with your vendor to identify
application requirements.
Table 24–5 describes the formula used to size default swap areas by the Solaris
installation program. These default swap sizes are a good place to start if you are not
sure how to size your swap areas.

TABLE 24–5 Default Swap Sizes

If Your Physical Memory Size Is ... Your Default Swap Size Is ...

16-64 Mbytes 32 Mbytes

64-128 Mbytes 64 Mbytes

128-512 Mbytes 128 Mbytes

greater than 512 Mbytes 256 Mbytes

See “Configuring Additional Swap Space (Tasks)” in System Administration Guide,

Volume I for information about managing swap space.

System Performance (Overview) 475

 Buffer Resources
The buffer cache for read and write system calls uses a range of virtual addresses
in the kernel address space. A page of data is mapped into the kernel address space
and the amount of data requested by the process is then physically copied to the
process’ address space. The page is then unmapped in the kernel. The physical page
will remain in memory until the page is freed up by the page daemon.
This means a few I/O-intensive processes can monopolize or force other processes
out of main memory. To prevent monopolization of main memory, balance the
running of I/O-intensive processes serially in a script or with the at(1) command.
Programmers can use mmap(2) and madvise(3) to ensure that their programs free
memory when they are not using it.

Kernel Parameters and System

Performance
Many basic parameters (or tables) within the kernel are calculated from the value of
the maxusers parameter. Tables are allocated space dynamically. However, you can
set maximums for these tables to ensure that applications won’t take up large
amounts of memory.
By default, maxusers is approximately set to the number of Mbytes of physical
memory on the system. However, the system will never set maxusers higher than
1024. The maximum value of maxusers is 2048, which can be set by modifying the
/etc/system file.
See Chapter 28 and system(3S) for details on kernel parameters.
In addition to maxusers, a number of kernel parameters are allocated dynamically
based on the amount of physical memory on the system, as shown in Table 24–6
below.

TABLE 24–6 Kernel Parameters

Kernel Parameter Description

ufs_ninode The maximum size of the inode table

ncsize The size of the directory name lookup cache

max_nprocs The maximum size of the process

476 System Administration Guide, Volume II ♦ October 1998

TABLE 24–6 Kernel Parameters (continued)

Kernel Parameter Description

ndquot The number of disk quota structures

maxuprc The maximum number of user processes per user-ID

Table 24–7 lists the default settings for kernel parameters affected by the value
assigned to maxusers.

TABLE 24–7 Default Settings for Kernel Parameters

Kernel Table Variable Default Setting

Inode ufs_ninode max_nprocs + 16 + maxusers + 64

Name cache ncsize max_nprocs + 16 + maxusers + 64

Process max_nprocs 10 + 16 * maxusers

Quota table ndquot (maxusers * NMOUNT) / 4 + max_nprocs

User process maxuprc max_nprocs – 5

See Chapter 28 for a description of the kernel parameters and how to change the
default values.

About Monitoring Performance

While your computer is running, counters in the operating system are incremented
to keep track of various system activities. System activities that are tracked are:
4 Central processing unit (CPU) utilization
4 Buffer usage
4 Disk and tape input/output (I/O) activity
4 Terminal device activity

System Performance (Overview) 477

 4 System call activity
4 Context switching
4 File access
4 Queue activity
4 Kernel tables
4 Interprocess communication
4 Paging
4 Free memory and swap space
4 Kernel Memory Allocation (KMA)

Monitoring Tools
The Solaris 7 system software provides several tools to help you keep track of how
your system is performing. These include:

TABLE 24–8 Performance Monitoring Tools

For More Information,

The ... Enable(s) You To ... See ...

sar and sadc utilities Collect and report on system

Chapter 26
activity data

ps command Display information about active

Chapter 25
processes

Performance meter Display graphical representation of

Chapter 26
the status of systems on the
network

vmstat and iostat Summarize system activity data,

Chapter 26
commands such as virtual memory statistics,
disk usage, and CPU activity

swap command Display information about available

swap space on your system “Configuring Additional
Swap Space (Tasks)” in
System Administration
Guide, Volume I

478 System Administration Guide, Volume II ♦ October 1998

TABLE 24–8 Performance Monitoring Tools (continued)

For More Information,

The ... Enable(s) You To ... See ...

netstat and nfsstat Display information about network

Chapter 27
commands performance

Solstice System Monitor Collect system activity data on Solstice SyMON 1.5
(SyMON) UltraTM EnterpriseTM 3000, 4000, User’s Guide
5000, and 6000 systems

System Performance (Overview) 479

480 System Administration Guide, Volume II ♦ October 1998
CHAPTER 25

Managing Processes (Tasks)

This chapter describes the procedures for managing system processes. This is a list of
the step-by-step instructions in this chapter.
4 “How to List Processes” on page 483
4 “How to Display Information About Processes” on page 485
4 “How to Control Processes” on page 487
4 “How to Kill a Process” on page 489
4 “How to Display Basic Information About Process Classes” on page 490
4 “How to Display the Global Priority of a Process” on page 491
4 “How to Designate a Process Priority” on page 491
4 “How to Change Scheduling Parameters of a Timeshare Process” on page 492
4 “How to Change the Class of a Process” on page 493
4 “How to Change the Priority of a Process” on page 495

Displaying Information About Processes

This section describes commands used to manage process information.

The ps Command

481
 The ps command enables you to check the status of active processes on a system, as
well as display technical information about the processes. This data is useful for such
administrative tasks as determining how to set process priorities.
Depending on which options you use, ps reports the following information:
4 Current status of the process
4 Process ID
4 Parent process ID
4 User ID
4 Scheduling class
4 Priority
4 Address of the process
4 Memory used
4 CPU time used
Table 25–1 describes some of the fields reported by the ps command. The fields
displayed depend on which option you choose. See ps(1) for a description of all
available options.

TABLE 25–1 Summary of Fields in ps Reports

Field Description

UID The effective user ID of the process’s owner.

PID The process ID.

PPID The parent process’s ID.

C The processor utilization for scheduling. This field is not

displayed when the −c option is used.

CLS The scheduling class to which the process belongs: real-time,

system, or timesharing. This field is included only with the −c
option.

PRI The kernel thread’s scheduling priority. Higher numbers mean

higher priority.

NI The process’s nice number, which contributes to its scheduling

priority. Making a process “nicer” means lowering its priority.

ADDR The address of the proc structure.

482 System Administration Guide, Volume II ♦ October 1998

TABLE 25–1 Summary of Fields in ps Reports (continued)

Field Description

SZ The virtual address size of the process.

WCHAN The address of an event or lock for which the process is sleeping.

STIME The starting time of the process (in hours, minutes, and
seconds).

TTY The terminal from which the process (or its parent) was started.
A question mark indicates there is no controlling terminal.

TIME The total amount of CPU time used by the process since it
began.

CMD The command that generated the process.

How to List Processes

To list all the processes being executed on a system, use the ps command.

$ ps [-ef]

ps Displays only the processes associated with your login

session.

Displays full information about all the processes being

−ef
executed on the system.

Example—Listing Processes
The following example shows output from the ps command when no options are
used.

$ ps
PID TTY TIME COMD
1664 pts/4 0:06 csh
2081 pts/4 0:00 ps

The following example shows output from ps −ef. This shows that the first process
executed when the system boots is sched (the swapper) followed by the init
process, pageout, and so on.

Managing Processes (Tasks) 483

 $ ps -ef
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 May 05 ? 0:04 sched
root 1 0 0 May 05 ? 10:48 /etc/init -
root 2 0 0 May 05 ? 0:00 pageout
root 3 0 0 May 05 ? 43:21 fsflush
root 238 1 0 May 05 ? 0:00 /usr/lib/saf/sac -t 300
root 115 1 0 May 05 ? 0:10 /usr/sbin/rpcbind
root 158 1 0 May 05 ? 0:00 /usr/lib/autofs/autom...
root 134 1 0 May 05 ? 0:12 /usr/sbin/inetd -s
root 107 1 0 May 05 ? 11:49 /usr/sbin/[Link] -q
root 117 1 5 May 05 ? 899:32 /usr/sbin/keyserv
root 125 1 0 May 05 ? 0:00 /usr/sbin/kerbd
root 123 1 0 May 05 ? 4:17 /usr/sbin/nis_cachemgr
root 137 1 0 May 05 ? 0:00 /usr/lib/nfs/statd
root 139 1 0 May 05 ? 0:02 /usr/lib/nfs/lockd
root 159 1 50 May 05 ? 8243:36 /usr/sbin/automount
root 162 1 0 May 05 ? 0:07 /usr/sbin/syslogd
root 181 1 0 May 05 ? 0:03 /usr/sbin/nscd...
root 169 1 0 May 05 ? 5:09 /usr/sbin/cron
root 191 1 0 May 05 ? 0:00 /usr/lib/lpsched
root 210 1 0 May 05 ? 0:01 /usr/sbin/vold
root 200 1 0 May 05 ? 0:08 /usr/lib/sendmail -bd -q1h
root 4942 1 0 May 17 console 0:00 /usr/lib/saf/ttymon...
root 208 1 0 May 05 ? 0:00 /usr/lib/utmpd
root 241 238 0 May 05 ? 0:00 /usr/lib/saf/ttymon
root 5748 134 0 [Link] ? 0:01 [Link]
root 5750 5748 0 [Link] pts/0 0:00 -sh
root 5770 5750 2 [Link] pts/0 0:00 ps -ef

Displaying Information About Processes

(/proc Tools)
You can display detailed, technical information about active processes by using some
of the process tool commands contained in /usr/proc/bin. Table 25–2 lists these
process tools. Refer to proc(1) for more information.

TABLE 25–2 /usr/proc/bin Process Tools That Display Information

Process Tool What It Displays

pcred Credentials

pfiles fstat and fcntl information for open files in a

process

484 System Administration Guide, Volume II ♦ October 1998

TABLE 25–2 /usr/proc/bin Process Tools That Display Information (continued)

Process Tool What It Displays

pflags /proc tracing flags, pending and held signals, and

other status information

pldd Dynamic libraries linked into a process

pmap Address space map

psig Signal actions

pstack Hex+symbolic stack trace

ptime Process time using microstate accounting

ptree Process trees that contain the process

pwait Status information after a process terminates

pwdx Current working directory for a process

Note - To avoid typing long command names, add the process tool directory to your
PATH variable. This enables you to run process tools by entering only the last part of
each file name (for example, pwdx instead of /usr/proc/bin/pwdx).

How to Display Information About Processes

1. (Optional) Use output from the ps command to obtain the identification
number of the process you want to display more information about.

# ps -e | grep process

process Name of the process you want to display more

information about.

The process identification number is in the first column of the output.

2. Use the appropriate /usr/bin/proc command to display the information you

need.

Managing Processes (Tasks) 485

 # /usr/proc/bin/pcommand pid

pcommand Process tool command you want to run. Table 25–2 lists these
commands.

pid Identification number of a process.

Examples—Displaying Information About Processes

The following example shows how to use process tool commands to display more
information about an lpsched process. First the /usr/proc/bin path is defined
to avoid typing long process tool commands. Next, the identification number for
lpsched is obtained. Finally, output from three process tool commands is shown.
1
# PATH=$PATH:/usr/proc/bin
# export PATH
2
# ps -e | grep lpsched
191 ? 0:00 /usr/lib/lpsched
3
# pwdx 191

191: /
4
# ptree 191

183 /usr/lib/lpsched
5
# pfiles 191
210: /usr/lib/lpsched
Current rlimit: 1024 file descriptors
0: S_IFIFO mode:0000 dev:165,0 ino:83 uid:0 gid:0 size:0
O_RDWR
1: S_IFIFO mode:0000 dev:165,0 ino:83 uid:0 gid:0 size:0
O_RDWR
3: S_IFCHR mode:0666 dev:32,24 ino:34307 uid:0 gid:3 rdev:21,0
O_WRONLY FD_CLOEXEC
4: S_IFDOOR mode:0444 dev:171,0 ino:4124226512 uid:0 gid:0
size:0
O_RDONLY|O_LARGEFILE FD_CLOEXEC door to nscd[200]
5: S_IFREG mode:0664 dev:32,24 ino:311 uid:71 gid:8 size:0
O_WRONLY

The following example shows output from the pwait command, which waits until a
process terminates, then displays information about what happened. The following

1. Adds the /usr/proc/bin directory to the PATH variable.

2. Obtains the process identification number for lpsched.
3. Displays the current working directory for lpsched.
4. Displays the process tree containing lpsched.
5. Displays fstat and fcntl information.

486 System Administration Guide, Volume II ♦ October 1998

example shows output from the pwait command after a Command Tool window
was exited.

$ ps -e | grep cmdtool
273 console 0:01 cmdtool
277 console 0:01 cmdtool
281 console 0:01 cmdtool
$ pwait -v 281
281: terminated, wait status 0x0000

Controlling Processes (/proc Tools)

You can control some aspects of processes by using some of the process tools
contained in /usr/proc/bin. Table 25–3 lists these process tools. Refer to proc(1)
for detailed information about process tools.

TABLE 25–3 /usr/proc/bin Process Tools That Provide Control

Process Tool What it Does

pstop Stops a process

prun Restarts a process

Note - To avoid typing long command names, add the process tool directory to your
PATH variable. This allows you to run process tools by entering only the last part of
each file name (for example, prun instead of /usr/proc/bin/prun).

How to Control Processes

1. (Optional) Use output from the ps command to obtain the identification
number of the process you want to display more information about.

# ps -e | grep process

Managing Processes (Tasks) 487

 process Name of the process you want to display more information
about.

The process identification number is in the first column of the output.

2. Use the appropriate /usr/proc/bin command to control the process.

# /usr/proc/bin/pcommand PID

pcommand Process tool command you want to run. Table 25–3 lists
these commands.

PID Identification number of a process.

3. Verify the process status using the ps command.

# ps | grep PID

Example—Controlling Processes
The following example shows how to use process tools to stop and restart Print Tool.
6
# PATH=$PATH:/usr/proc/bin
# export PATH
7
# ps -e | grep print*
264 console 0:03 printtool
8
# pstop 264
9
# prun 264
# ps | grep 264
264 console 0:03 printtool
#

6. Adds the /usr/proc/bin directory to the PATH variable.

7. Obtains the process identification number for Print Tool.
8. Stops the Print Tool process.
9. Restarts the Print Tool process.

488 System Administration Guide, Volume II ♦ October 1998

Killing a Process (pkill)
Sometimes it is necessary to stop (kill) a process. The process may be in an endless
loop, or you may have started a large job that you want to stop before it is
completed. You can kill any process that you own, and superuser can kill any
processes in the system except for those with process IDs 0, 1, 2, 3, and 4.
Refer to pkill(1) for more detailed information.

How to Kill a Process

1. (Optional) To kill a process belonging to another user, become superuser.

2. (Optional) Use output from the pgrep command to obtain the identification
number of the process you want to display more information about.

$ pgrep process

process Name of the process you want to display more information

about.

The process identification number is in the first column of the output.

3. Use the pkill command to stop the process.

$ pkill [-9] PID ...

-9 Ensures that the process terminates promptly.

PID . . . ID of the process or processes to stop.

4. Use the pgrep command to verify that the process has been stopped.

$ pgrep PID ...

Managing Processes (Tasks) 489

 Managing Process Class Information
The listing below shows which classes are configured on your system, and the user
priority range for the timesharing class. The possible classes are:
4 System (SYS)
4 Interactive (IA)
4 Real-time (RT)
4 Timesharing (TS)

4 The user-supplied priority ranges from -20 to +20.

4 The priority of a process is inherited from the parent process. This is referred to
as the user-mode priority.
4 The system looks up the user-mode priority in the timesharing dispatch
parameter table and adds in any nice or priocntl (user-supplied) priority
and ensures a 0-59 range to create a global priority.

Changing the Scheduling Priority of Processes

With priocntl
The scheduling priority of a process is the priority it is assigned by the process
scheduler, according to scheduling policies. The dispadmin command lists the
default scheduling policies. See “Scheduler Configuration” on page 554for
information on the dispadmin command.
The priocntl(1) command can be used to assign processes to a priority class and
to manage process priorities. See the section called “How to Designate a Process
Priority” on page 491 for instructions on using the priocntl command to manage
processes.

How to Display Basic Information About Process

Classes
You can display process class and scheduling parameters with the priocntl -l
command.

$ priocntl -l

Example—Getting Basic Information About Process Classes

The following example shows output from the priocntl -l command.

490 System Administration Guide, Volume II ♦ October 1998

 $ priocntl -l
CONFIGURED CLASSES
==================

SYS (System Class)

TS (Time Sharing)
Configured TS User Priority Range: -20 through 20

How to Display the Global Priority of a Process

You can display the global priority of a process by using the ps command.

$ ps -ecl

The global priority is listed under the PRI column.

Example—Displaying the Global Priority of a Process

The following example shows output from ps -ecl. Data in the PRI column show
that pageout has the highest priority, while sh has the lowest.

$ ps -ecl
F S UID PID PPID CLS PRI ADDR SZ WCHAN TTY TIME COMD
19 T 0 0 0 SYS 96 f00d05a8 0 ? 0:03 sched
8 S 0 1 0 TS 50 ff0f4678 185 ff0f4848 ? 36:51 init
19 S 0 2 0 SYS 98 ff0f4018 0 f00c645c ? 0:01 pageout
19 S 0 3 0 SYS 60 ff0f5998 0 f00d0c68 ? 241:01 fsflush
8 S 0 269 1 TS 58 ff0f5338 303 ff49837e ? 0:07 sac
8 S 0 204 1 TS 43 ff2f6008 50 ff2f606e console 0:02 sh

How to Designate a Process Priority

1. Become superuser.

2. Start a process with a designated priority.

# priocntl -e -c class -m userlimit -p pri command_name

Managing Processes (Tasks) 491

 -e Executes the command.

-c class Specifies the class within which to run the process. The
default classes are TS (timesharing) or RT (real-time).

-m userlimit Specifies the maximum amount you can raise or lower your
priority, when using the -p option.

-p pri command_name Lets you specify the relative priority in the RT class, for a
real-time thread. For a timesharing process, the -p option lets
you specify the user-supplied priority which ranges from -20
to +20.

3. Verify the process status by using the ps -ecl command.

# ps -ecl | grep command_name

Example—Designating a Priority
The following example starts the find command with the highest possible
user-supplied priority.

# priocntl -e -c TS -m 20 -p 20 find . -name core -print

# ps -ecl | grep find

How to Change Scheduling Parameters of a

Timeshare Process
1. Become superuser.

2. Change the scheduling parameter of a running timeshare process.

# priocntl -s -m userlimit [-p userpriority] -i idtype idlist

492 System Administration Guide, Volume II ♦ October 1998

 -s Lets you set the upper limit on the user priority range and
change the current priority.

-m userlimit Specifies the maximum amount you can raise or lower your
priority, when using the -p option.

-p userpriority Allows you to designate a priority.

-i idtype idlist Uses a combination of idtype and idlist to identify the process.
The idtype specifies the type of ID, such as PID or UID.

3. Verify the process status by using the ps -ecl command.

# ps -ecl | grep idlist

Example—Changing Scheduling Parameters of a Timeshare

Process
The following example executes a command with a 500-millisecond time slice, a
priority of 20 in the RT class, and a global priority of 120.

# priocntl -e -c RT -t 500 -p 20 myprog

# ps -ecl | grep myprog

How to Change the Class of a Process

1. (Optional) Become superuser.

Note - You must be superuser or working in a real-time shell to change processes

from, or to, real-time processes.

2. Change the class of a process.

# priocntl -s -c class -i idtype idlist

Managing Processes (Tasks) 493

 -s Lets you set the upper limit on the user priority range and
change the current priority.

-c class Specifies the class, TS or RT, to which you are changing the
process.

-i idtype idlist Uses a combination of idtype and idlist to identify the process.
The idtype specifies the type of ID, such as PID or UID.

3. Verify the process status by using the ps -ecl command.

# ps -ecl | grep idlist

Example—Changing the Class of a Process

The following example changes all the processes belonging to user 15249 to
real-time processes.

# priocntl -s -c RT -i uid 15249

# ps -ecl | grep 15249

Note - If, as superuser, you change a user process to the real-time class, the user
cannot subsequently change the real-time scheduling parameters (using
priocntl -s).

Changing the Priority of a Timesharing Process

With nice
The nice(1) command is only supported for backward compatibility to previous
Solaris releases. The priocntl command provides more flexibility in managing
processes.
The priority of a process is determined by the policies of its scheduling class, and by
its nice number. Each timesharing process has a global priority which is calculated by
adding the user-supplied priority, which can be influenced by the nice or
priocntl commands, and the system-calculated priority.

494 System Administration Guide, Volume II ♦ October 1998

The execution priority number of a process is assigned by the operating system, and
is determined by several factors, including its schedule class, how much CPU time it
has used, and (in the case of a timesharing process) its nice number.

Each timesharing process starts with a default nice number, which it inherits from
its parent process. The nice number is shown in the NI column of the ps report.

A user can lower the priority of a process by increasing its user-supplied priority.
But only the superuser can lower a nice number to increase the priority of a
process. This is to prevent users from increasing the priorities of their own processes,
thereby monopolizing a greater share of the CPU.

Nice numbers range between 0 and +40, with 0 representing the highest priority. The
default value is 20. Two versions of the command are available, the standard version,
/usr/bin/nice, and a version that is part of the C shell.

How to Change the Priority of a Process

You can raise or lower the priority of a command or a process by changing the nice
number. To lower the priority of a process:

/usr/bin/nice command_name Increase the nice number by four units (the

default)

/usr/bin/nice +4 command_name Increase the nice number by four units

/usr/bin/nice -10 command_name Increase the nice number by ten units

The first and second commands increase the nice number by four units (the
default); and the third command increases the nice by ten units, lowering the
priority of the process.

The following commands raise the priority of the command by lowering the nice
number.

To raise the priority of a process:

/usr/bin/nice -10 command_name Raises the priority of the command by

lowering the nice number

/usr/bin/nice - -10 command_name Raises the priority of the command by

lowering the nice number. The first minus
sign is the option sign, and the second
minus sign indicates a negative number.

The above commands raise the priority of the command, command_name, by lowering
the nice number. Note that in the second case, the two minus signs are required.

Managing Processes (Tasks) 495

 Process Troubleshooting
Here are some tips on obvious problems you may find:
4 Look for several identical jobs owned by the same user. This may come as a result
of running a script that starts a lot of background jobs without waiting for any of
the jobs to finish.
4 Look for a process that has accumulated a large amount of CPU time. You’ll see
this by looking at the TIME field. Possibly, the process is in an endless loop.
4 Look for a process running with a priority that is too high. Type ps -c to see the
CLS field, which displays the scheduler class of each process. A process executing
as a real-time (RT) process can monopolize the CPU. Or look for a timeshare (TS)
process with a high nice value. A user with superuser privileges may have
bumped up the priorities of this process. The system administrator can lower the
priority by using the nice command.
4 Look for a runaway process—one that progressively uses more and more CPU
time. You can see it happening by looking at the time when the process started
(STIME) and by watching the cumulation of CPU time (TIME) for awhile.

496 System Administration Guide, Volume II ♦ October 1998

CHAPTER 26

Monitoring Performance (Tasks)

This chapter describes procedures for monitoring system performance by using the
vmstat, iostat, df, and sar commands. This is a list of the step-by-step
instructions in this chapter.
4 “How to Display Virtual Memory Statistics (vmstat)” on page 498
4 “How to Display System Event Information” on page 500
4 “How to Display Swapping Statistics” on page 501
4 “How to Display Cache Flushing Statistics ” on page 502
4 “How to Display Interrupts Per Device” on page 502
4 “How to Display Disk Utilization Information” on page 503
4 “How to Display Extended Disk Statistics” on page 504
4 “How to Display File System Information” on page 506
4 “How to Check File Access (sar)” on page 507
4 “How to Check Buffer Activity (sar)” on page 508
4 “How to Check System Call Statistics (sar)” on page 510
4 “How to Check Disk Activity (sar)” on page 511
4 “How to Check Page-Out and Memory (sar)” on page 513
4 “How to Check Kernel Memory Allocation (sar)” on page 515
4 “How to Check Interprocess Communication (sar)” on page 517
4 “How to Check Page-In Activity (sar)” on page 518
4 “How to Check Queue Activity (sar)” on page 520
4 “How to Check Unused Memory (sar)” on page 521
4 “How to Check CPU Utilization (sar)” on page 522
4 “How to Check System Table Status (sar)” on page 523

497
 4 “How to Check Swap Activity (sar)” on page 525
4 “How to Check Terminal Activity (sar)” on page 526
4 “How to Check Overall System Performance (sar)” on page 528
4 “How to Set Up Automatic Data Collection ” on page 531

Displaying Virtual Memory Statistics

(vmstat)
You can use the vmstat command to report virtual memory statistics and such
information about system events as CPU load, paging, number of context switches,
device interrupts, and system calls. The vmstat command can also display statistics
on swapping, cache flushing, and interrupts.
Refer to vmstat(1M) for a more detailed description of this command.

How to Display Virtual Memory Statistics

(vmstat)
Collect virtual memory statistics using the vmstat command with a time interval.

$ vmstat n

n Interval in seconds between reports.

Table 26–1 describes the fields in the vmstat output.

TABLE 26–1 Output From the vmstat Command

Category Field Name Description

procs Reports the following states:

r The number of kernel threads in the dispatch queue

b Blocked kernel threads waiting for resources

w Swapped out LWPs waiting for processing resources

to finish

498 System Administration Guide, Volume II ♦ October 1998

TABLE 26–1 Output From the vmstat Command (continued)

Category Field Name Description

memory Reports on usage of real and virtual memory:

swap Available swap space

free Size of the free list

page Reports on page faults and paging activity, in units

per second:

re Pages reclaimed

mf Minor and major faults

pi Kbytes paged in

po Kbytes paged out

fr Kbytes freed

de Anticipated memory needed by recently swapped-in

processes

sr Pages scanned by page daemon (not currently in use).

If sr does not equal zero, the page daemon has been
running.

disk Reports the number of disk operations per second,

showing data on up to four disks

faults Reports the trap/interrupt rates (per second):

in Interrupts per second

sy System calls per second

cs CPU context switch rate

cpu Reports on the use of CPU time:

us User time

Monitoring Performance (Tasks) 499

 TABLE 26–1 Output From the vmstat Command (continued)

Category Field Name Description

sy System time

id Idle time

Example—Displaying Virtual Memory Statistics

The following example shows the vmstat display of statistics gathered at
five-second intervals.

$ vmstat 5
procs memory page disk faults cpu
r b w swap free re mf pi po fr de sr f0 s3 -- -- in sy cs us sy id
0 0 8 28312 668 0 9 2 0 1 0 0 0 1 0 0 10 61 82 1 2 97
0 0 3 31940 248 0 10 20 0 26 0 27 0 4 0 0 53 189 191 6 6 88
0 0 3 32080 288 3 19 49 6 26 0 15 0 9 0 0 75 415 277 6 15 79
0 0 3 32080 256 0 26 20 6 21 0 12 1 6 0 0 163 110 138 1 3 96
0 1 3 32060 256 3 45 52 28 61 0 27 5 12 0 0 195 191 223 7 11 82
0 0 3 32056 260 0 1 0 0 0 0 0 0 0 0 0 4 52 84 0 1 99

How to Display System Event Information

Run vmstat -s to show the total of various system events that have taken place
since the system was last booted.

$ vmstat -s
0 swap ins
0 swap outs
0 pages swapped in
0 pages swapped out
2560974 total address trans. faults taken
495226 page ins
52459 page outs
1088645 pages paged in
420615 pages paged out
34409 total reclaims
34104 reclaims from free list
0 micro (hat) faults
2560974 minor (as) faults
493981 major faults
450203 copy-on-write faults
609679 zero fill page faults

(continued)

500 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

2669301 pages examined by the clock daemon

195 revolutions of the clock hand
1234901 pages freed by the clock daemon
14228 forks
3979 vforks
16151 execs
212282273 cpu context switches
248366049 device interrupts
5891779 traps
529830492 system calls
4028123 total name lookups (cache hits 95%)
1969 toolong
7272260 user cpu
3047366 system cpu
171183965 idle cpu
348263 wait cpu

How to Display Swapping Statistics

Run vmstat -S to show swapping statistics.

$ vmstat -S
procs memory page disk faults cpu
r b w swap free si so pi po fr de sr f0 s3 -- -- in sy cs us sy id
0 0 0 5604 1860 0 0 2 0 2 0 1 0 0 0 0 36 291 116 4 2 94

The additional fields are described in Table 26–2.

TABLE 26–2 Output From the vmstat -S Command

Field Name Description

si Average number of LWPs swapped in per second

so Number of whole processes swapped out

Note - The vmstat command truncates the output of both of these fields. Use the
sar command to display a more accurate accounting of swap statistics.

Monitoring Performance (Tasks) 501

 How to Display Cache Flushing Statistics
Run vmstat -c to show cache flushing statistics for a virtual cache.

$ vmstat -c
usr ctx rgn seg pag par
0 60714 5 134584 4486560 4718054

It shows the total number of cache flushes since the last boot. The cache types are
described in Table 26–3.

TABLE 26–3 Output From the vmstat -c Command

Cache Name Cache Type

usr User

ctx Context

rgn Region

seg Segment

pag Page

par Partial-page

How to Display Interrupts Per Device

Run vmstat -i to show interrupts per device.

$ vmstat -i

Example—Displaying Interrupts Per Device

The following example shows output from the vmstat -i command.

$ vmstat -i
interrupt total rate
--------------------------------
clock 181871074 100
zsc0 2 0

(continued)

502 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

zsc1 6523622 3
cgsixc0 63951 0
lec0 6433537 3
fdc0 13309 0
--------------------------------
Total 194905495 107

Displaying Disk Utilization Information

Use the iostat command to report statistics about disk input and output, and
produces measures of throughput, utilization, queue lengths, transaction rates, and
service time. For a detailed description of this command, refer to iostat(1M).

How to Display Disk Utilization Information

You can display disk activity information by using the iostat command with a
time interval.

$ iostat 5
tty fd0 sd3 nfs1 nfs31 cpu
tin tout kps tps serv kps tps serv kps tps serv kps tps serv us sy wt id
0 1 0 0 410 3 0 29 0 0 9 3 0 47 4 2 0 94

The first line of output shows the statistics since the last boot. Each subsequent line
shows the interval statistics. The default is to show statistics for the terminal (tty),
disks (fd and sd), and CPU (cpu).
Table 26–4 describes the fields in the iostat command output.

TABLE 26–4 Output From the iostat n Command

For Each ... Field Name Description

Terminal

tin Number of characters in the terminal input queue

tout Number of characters in the terminal output queue

Monitoring Performance (Tasks) 503

 TABLE 26–4 Output From the iostat n Command (continued)

For Each ... Field Name Description

Disk

bps Blocks per second

tps Transactions per second

serv Average service time, in milliseconds

CPU

us In user mode

sy In system mode

wt Waiting for I/O

id Idle

Example—Displaying Disk Utilization Information

The following example shows disk statistics gathered every five seconds.

$ iostat 5
tty fd0 sd3 nfs1 nfs31 cpu
tin tout kps tps serv kps tps serv kps tps serv kps tps serv us sy wt id
0 1 0 0 410 3 0 29 0 0 9 3 0 47 4 2 0 94
0 47 0 0 0 0 0 0 0 0 0 0 0 0 1 2 0 97
0 16 0 0 0 0 0 0 0 0 0 0 0 0 3 3 0 93
0 16 0 0 0 0 0 0 0 0 0 0 0 0 4 4 0 92
0 16 0 0 0 1 0 7 0 0 0 50 2 94 50 5 0 45
0 16 0 0 0 3 1 14 0 0 0 0 0 0 2 3 1 94
0 16 0 0 0 24 4 58 0 0 0 0 0 0 0 2 0 97
0 16 0 0 0 0 0 0 0 0 0 0 0 0 4 3 0 93
0 16 0 0 0 0 0 0 0 0 0 0 0 0 3 3 0 94
0 16 0 0 0 3 1 25 0 0 0 0 0 0 3 3 0 93
0 16 0 0 0 0 0 0 0 0 0 1 0 27 8 4 0 88

How to Display Extended Disk Statistics

Run iostat -xtc to get extended disk statistics.

504 System Administration Guide, Volume II ♦ October 1998

$ iostat -xtc
extended device statistics tty cpu
device r/s w/s kr/s kw/s wait actv svc_t %w %b tin tout us sy wt id
fd0 0.0 0.0 0.0 0.0 0.0 0.0 410.2 0 0 0 1 4 2 0 94
sd3 0.2 0.1 1.1 1.4 0.0 0.0 29.0 0 0
nfs1 0.0 0.0 0.0 0.0 0.0 0.0 8.6 0 0
nfs31 0.1 0.0 2.1 0.4 0.0 0.0 47.0 0 0
nfs32 0.0 0.0 0.2 0.0 0.0 0.0 29.7 0 0
nfs202 0.0 0.0 0.0 0.0 0.0 0.0 963.2 0 0
nfs216 0.2 0.0 5.3 0.0 0.0 0.0 50.9 0 1
nfs220 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0 0

This command displays a line of output for each disk. The output fields are
described in Table 26–5.

TABLE 26–5 Output From the iostat -xtc Command

Field Name Description

r/s Reads per second

w/s Writes per second

Kr/s Kbytes read per second

Kw/s Kbytes written per second

wait Average number of transactions waiting for service (queue

length)

actv Average number of transactions actively being serviced

svc_t Average service time, in milliseconds

%w Percentage of time the queue is not empty

%b Percentage of time the disk is busy

Monitoring Performance (Tasks) 505

 Displaying Disk Usage Statistics
Use the df command to show the amount of free disk space on each mounted disk.
The usable disk space reported by df reflects only 90% of full capacity, as the
reporting statistics leave a 10% head room above the total available space. This head
room normally stays empty for better performance.
The percentage of disk space actually reported by df is used space divided by usable
space.
If the file system is above 90% capacity, transfer files to a disk that is not as full by
using cp, or to a tape by using tar or cpio; or remove the files.
For a detailed description of this command, refer to the df(1M) man page.

How to Display File System Information

Use the df -k command to display file system information in Kbytes.

$ df -k
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t3d0s0 192807 40231 133296 24% /

Table 26–6 describes the df -k command output.

TABLE 26–6 Output From the df -k Command

Field Name Description

kbytes Total size of usable space in the file system

used Amount of space used

avail Amount of space available for use

capacity Amount of space used, as a percent of the total capacity

mounted on Mount point

506 System Administration Guide, Volume II ♦ October 1998

Example—Displaying File System Information
The following example shows output of the df -k command.

$ df -k
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t3d0s0 192807 40239 133288 24% /
/dev/dsk/c0t3d0s6 769758 472613 243262 67% /usr
/proc 0 0 0 0% /proc
fd 0 0 0 0% /dev/fd
/dev/dsk/c0t3d0s7 217191 19341 176131 10% /export/home
/dev/dsk/c0t3d0s5 192807 7785 165742 5% /opt
swap 161256 288 160968 1% /tmp

Monitoring System Activities (sar)

Use the sar command to:
4 Organize and view data about system activity
4 Access system activity data on a special request basis
4 Generate automatic reports to measure and monitor system performance, and
special request reports to pinpoint specific performance problems. “Collecting
System Activity Data Automatically (sar)” on page 528 describes these tools.
For a detailed description of this command, refer to sar(1).

How to Check File Access (sar)

Display file access operation statistics with the sar -a command.

$ sar -a
SunOS venus 5.7 Generic sun4m 06/17/98

[Link] iget/s namei/s dirbk/s

[Link] 0 1 0
[Link] 0 1 0
[Link] 0 1 0
[Link] 0 1 0
[Link] 0 1 0
[Link] 0 1 0
[Link] 0 1 0
[Link] 0 1 0
[Link] 0 1 0
[Link] 0 0 0
[Link] 0 1 0

(continued)

Monitoring Performance (Tasks) 507

 (Continuation)

[Link] 0 3 0
[Link] 0 3 0
[Link] 0 3 1
[Link] 0 11 7

Average 0 1 0

The operating system routines reported are described in Table 26–7.

TABLE 26–7 Output from the sar -a Command

Field Name Description

iget/s The number of requests made for inodes that were not in the
directory name lookup cache (dnlc).

namei/s This is the number of file system path searches per second. If
namei does not find a directory name in the dnlc, it calls iget
to get the inode for either a file or directory. Hence, most igets
are the result of dnlc misses.

dirbk/s This is the number of directory block reads issued per second.

The larger the values reported, the more time the kernel is spending to access user
files. The amount of time reflects how heavily programs and applications are using
the file systems. The -a option is helpful for viewing how disk-dependent an
application is.

How to Check Buffer Activity (sar)

Display buffer activity statistics with the sar -b command.
The buffer is used to cache metadata, which includes inodes, cylinder group blocks,
and indirect blocks.

$ sar -b
[Link] bread/s lread/s %rcache bwrit/s lwrit/s %wcache pread/s pwrit/s
[Link] 0 0 100 0 0 57 0 0

The buffer activities displayed by the -b option are described in Table 26–8. The most
important entries are the cache hit ratios %rcache and %wcache, which measure the

508 System Administration Guide, Volume II ♦ October 1998

 effectiveness of system buffering. If %rcache falls below 90, or if %wcache falls
below 65, it may be possible to improve performance by increasing the buffer space.

TABLE 26–8 Output from the sar -b Command

Field Name Description

bread/s Average number of reads per second submitted to the buffer

cache from the disk

lread/s Average number of logical reads per second from the buffer
cache

%rcache Fraction of logical reads found in the buffer cache (100% minus
the ratio of bread/s to lread/s)

bwrit/s Average number of physical blocks (512 blocks) written from

the buffer cache to disk, per second

lwrite/s Average number of logical writes to the buffer cache, per second

%wcache Fraction of logical writes found in the buffer cache(100% minus

the ratio of bwrit/s to lwrit/s)

pread/s Average number of physical reads, per second, using character

device interfaces

pwrit/s Average number of physical write requests, per second, using

character device interfaces

Example—Checking Buffer Activity

The following example of sar -b output shows that the %rcache and %wcache
buffers are not causing any slowdowns, because all the data is within acceptable
limits.

$ sar -b
SunOS venus 5.7 Generic sun4m 06/17/98

[Link] bread/s lread/s %rcache bwrit/s lwrit/s %wcache pread/s pwrit/s

[Link] 0 0 100 0 0 56 0 0
[Link] 0 0 100 0 0 55 0 0
[Link] 0 0 99 0 0 58 0 0
[Link] 0 0 100 0 0 55 0 0
[Link] 0 0 100 0 0 55 0 0

(continued)

Monitoring Performance (Tasks) 509

 (Continuation)

[Link] 0 0 100 0 0 55 0 0
[Link] 0 0 100 0 0 55 0 0
[Link] 0 0 100 0 0 56 0 0
[Link] 0 0 100 0 0 56 0 0
[Link] 0 0 100 0 0 56 0 0
[Link] 0 0 100 0 0 57 0 0
[Link] 0 1 98 0 1 59 0 0
[Link] 0 1 99 0 1 59 0 0
[Link] 0 0 96 0 0 57 0 0
[Link] 0 1 99 0 1 60 0 0

Average 0 0 99 0 0 57 0 0

How to Check System Call Statistics (sar)

Display system call statistics by using the sar -c command.

$ sar -c
[Link] scall/s sread/s swrit/s fork/s exec/s rchar/s wchar/s
[Link] 2071 231 230 0.01 0.00 923483 923298

Table 26–9 describes the following system call categories reported by the -c option.
Typically, reads and writes account for about half of the total system calls,
although the percentage varies greatly with the activities that are being performed by
the system.

TABLE 26–9 Output from the sar -c Command

Field Name Description

scall/s All types of system calls per second (generally about 30 per
second on a busy four- to six-user system)

sread/s read system calls per second

swrit/s write system calls per second

fork/s fork system calls per second (about 0.5 per second on a four- to
six-user system); this number will increase if shell scripts are
running

510 System Administration Guide, Volume II ♦ October 1998

TABLE 26–9 Output from the sar -c Command (continued)

Field Name Description

exec/d exec system calls per second; if exec/s divided by fork/s is

greater than three, look for inefficient PATH variables

rchar/s Characters (bytes) transferred by read system calls per second

wchar/s Characters (bytes) transferred by write system calls per second

Example—Checking System Call Statistics

The following example shows output from the sar -c command.

$ sar -c
SunOS venus 5.7 Generic sun4m 06/17/98

[Link] scall/s sread/s swrit/s fork/s exec/s rchar/s wchar/s

[Link] 2071 231 230 0.01 0.00 923483 923298
[Link] 2071 231 230 0.01 0.00 923789 923603
[Link] 2070 231 229 0.02 0.02 922355 922140
[Link] 2073 231 230 0.01 0.00 924497 924312
[Link] 2071 231 230 0.01 0.00 923577 923392
[Link] 2071 231 230 0.01 0.00 923740 923554
[Link] 2071 231 230 0.01 0.00 923545 923360
[Link] 2074 231 230 0.01 0.00 924737 924552
[Link] 2071 231 229 0.01 0.01 923096 922884
[Link] 2071 231 230 0.00 0.00 923610 923438
[Link] 2071 231 229 0.01 0.01 923343 923163
[Link] 571 70 58 0.03 0.03 226013 218929
[Link] 197 38 16 0.02 0.03 11321 3021
[Link] 207 41 14 0.08 0.07 28534 5795
[Link] 782 183 30 0.49 0.49 148126 14726

Average 1861 212 204 0.03 0.03 9691 3994

How to Check Disk Activity (sar)

Display disk activity statistics with the sar -d command.

$ sar -d
[Link] device %busy avque r+w/s blks/s avwait avserv

[Link] fd0 0 0.0 0 0 0.0 0.0

Monitoring Performance (Tasks) 511

 Table 26–10 describes the disk devices activities reported by the -d option. Note that
queue lengths and wait times are measured when there is something in the queue. If
%busy is small, large queues and service times probably represent the periodic efforts
by the system to ensure that altered blocks are written to the disk in a timely fashion.

TABLE 26–10 Output from the sar -d Command

Field Name Description

device Name of the disk device being monitored

%busy Percentage of time the device spent servicing a transfer request

avque The sum of the average wait time plus the average service time

r+w/s Number of read and write transfers to the device per second

blks/s Number of 512-byte blocks transferred to the device per second

avwait Average time, in milliseconds, that transfer requests wait idly in

the queue (measured only when the queue is occupied)

avserv Average time, in milliseconds, for a transfer request to be

completed by the device (for disks, this includes seek, rotational
latency, and data transfer times)

Examples—Checking Disk Activity

These two examples illustrate the sar -d output. The first example is from a
computer with a non-SCSI (Small Computer System Interface, pronounced “scuzzy”)
integral disk; that is, a disk that does not use a SCSI interface. This example illustrates
data being transferred from a hard disk (hdsk-0) to the floppy disk (fdsk-0).

$ sar -d
SunOS venus 5.7 Generic sun4m 06/17/98

[Link] device %busy avque r+w/s blks/s avwait avserv

[Link] fd0 0 0.0 0 0 0.0 0.0

nfs1 0 0.0 0 0 0.0 0.0
nfs31 0 0.0 0 0 1.4 5.5
nfs32 0 0.0 0 0 0.0 0.0
nfs179 0 0.0 0 0 0.0 0.0

(continued)

512 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

nfs202 0 0.0 0 0 0.0 0.0

sd3 0 0.0 0 2 0.0 53.9
sd3,a 0 0.0 0 1 0.0 59.6
sd3,b 0 0.0 0 0 0.0 14.2
sd3,c 0 0.0 0 0 0.0 0.0
sd3,d 0 0.0 0 0 0.0 0.0
sd3,e 0 0.0 0 0 0.0 0.0
sd3,f 0 0.0 0 0 0.0 0.0
sd3,g 0 0.0 0 0 0.0 77.6
sd3,h 0 0.0 0 0 0.0 0.0

The following example is from a computer with SCSI integral disks; that is, disks
that use a SCSI interface. The example illustrates data being transferred from one
SCSI hard disk (sd00-0) to another SCSI integral disk (sd00-1).

$ sar -d
SunOS venus 5.7 Generic sun4m 06/17/98
[Link] device %busy avque r+w/s blks/s avwait avserv
[Link] sd00-0 2 1.0 1 3 0.0 17.9
sd00-1 6 1.1 3 5 2.0 23.9
[Link] sd00-0 2 1.0 1 2 0.0 19.6
sd00-1 6 1.1 3 5 0.2 24.3
[Link] sd00-0 3 1.0 1 3 0.3 18.3
sd00-1 7 1.1 3 5 1.3 25.4
[Link] sd00-0 3 1.0 1 3 0.0 17.2
sd00-1 5 1.0 2 5 0.0 21.6
Average sd00-0 2 1.0 1 3 0.1 18.2
sd00-1 6 1.0 3 5 0.9 23.0

How to Check Page-Out and Memory (sar)

Use the sar -g option reports page-out and memory freeing activities (in averages).

$ sar -g
[Link] pgout/s ppgout/s pgfree/s pgscan/s %ufs_ipf
[Link] 0.00 0.00 0.00 0.00 0.00

The output displayed by sar -g is a good indicator of whether more memory may
be needed. Use the ps -elf command to show the number of cycles used by the
page daemon. A high number of cycles, combined with high values for pgfree/s
and pgscan/s indicates a memory shortage.

sar -g also shows whether inodes are being recycled too quickly, causing a loss of
reusable pages.

Monitoring Performance (Tasks) 513

 Output from the -g option is described in Table 26–11.

TABLE 26–11 Output From the sar -g Command

Field Name Description

pgout/s The number of page-out requests per second.

ppgout/s The actual number of pages that are paged-out, per second. (A
single page-out request may involve paging-out multiple pages.)

pgfree/s The number of pages, per second, that are placed on the free list.

pgscan/s The number of pages, per second, scanned by the page daemon.
If this value is high, the page daemon is spending a lot of time
checking for free memory. This implies that more memory may
be needed.

%ufs_ipf The percentage of ufs inodes taken off the free list by iget
that had reusable pages associated with them. These pages are
flushed and cannot be reclaimed by processes. Thus, this is the
percentage of igets with page flushes. A high value indicates
that the free list of inodes is page-bound and the number of
ufs inodes may need to be increased.

Example—Checking Page-Out and Memory

The following example shows output from the sar -g command.

$ sar -g
SunOS venus 5.7 Generic sun4m 06/17/98

[Link] pgout/s ppgout/s pgfree/s pgscan/s %ufs_ipf

[Link] 0.00 0.00 0.00 0.00 0.00
[Link] 0.00 0.00 0.00 0.00 0.00
[Link] 0.00 0.00 0.00 0.00 0.00
[Link] 0.00 0.00 0.00 0.00 0.00
[Link] 0.00 0.00 0.00 0.00 0.00
[Link] 0.00 0.00 0.00 0.00 0.00
[Link] 0.00 0.00 0.00 0.00 0.00
[Link] 0.00 0.00 0.00 0.00 0.00
[Link] 0.00 0.00 0.00 0.00 0.00
[Link] 0.00 0.00 0.00 0.00 0.00
[Link] 0.00 0.00 0.00 0.00 0.00
[Link] 0.02 0.07 0.23 6.01 0.00
[Link] 0.06 0.58 1.57 5.83 0.00

(continued)

514 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

[Link] 0.58 2.49 5.72 13.69 0.00

[Link] 0.49 4.66 14.11 31.06 0.00

Average 0.04 0.25 0.70 1.83 0.00

How to Check Kernel Memory Allocation (sar)

Use the sar -k command to report on the following activities of the Kernel
Memory Allocator (KMA).
The KMA allows a kernel subsystem to allocate and free memory as needed. Rather
than statically allocating the maximum amount of memory it is expected to require
under peak load, the KMA divides requests for memory into three categories: small
(less than 256 bytes), large (512 to 4 Kbytes), and oversized (greater than 4 Kbytes). It
keeps two pools of memory to satisfy small and large requests. The oversized
requests are satisfied by allocating memory from the system page allocator.
If you are investigating a system that is being used to write drivers or STREAMS
that use KMA resources, then sar -k will likely prove useful. Otherwise, you will
probably not need the information it provides. Any driver or module that uses KMA
resources, but does not specifically return the resources before it exits, can create a
memory leak. A memory leak causes the amount of memory allocated by KMA to
increase over time. Thus, if the alloc fields of sar -k increase steadily over time,
there may be a memory leak. Another indication of a memory leak is failed requests.
If this occurs, a memory leak has probably caused KMA to be unable to reserve and
allocate memory.
If it appears that a memory leak has occurred, you should check any drivers or
STREAMS that may have requested memory from KMA and not returned it.

$ sar -k
[Link] sml_mem alloc fail lg_mem alloc fail ovsz_alloc fail
[Link] 1949696 1444668 0 5578752 4254136 0 2826240 0

Output from the −k option is described in Table 26–12.

Monitoring Performance (Tasks) 515

 TABLE 26–12 Output From the sar -k Command

Field Name Description

sml_mem The amount of memory, in bytes, that the KMA has available in
the small memory request pool (a small request is less than 256
bytes)

alloc The amount of memory, in bytes, that the KMA has allocated
from its small memory request pool to small memory requests

fail The number of requests for small amounts of memory that failed

lg_mem The amount of memory, in bytes, that the KMA has available in
the large memory request pool (a large request is from 512 bytes
to 4 Kbytes)

alloc The amount of memory, in bytes, that the KMA has allocated
from its large memory request pool to large memory requests

fail The number of failed requests for large amounts of memory

ovsz_alloc The amount of memory allocated for oversized requests (those

greater than 4 Kbytes); these requests are satisfied by the page
allocator—thus, there is no pool

fail The number of failed requests for oversized amounts of memory

Example—Checking Kernel Memory Allocation (sar)

The following is an example of sar -k output.

$ sar -k
SunOS venus 5.7 Generic sun4m 06/17/98

[Link] sml_mem alloc fail lg_mem alloc fail ovsz_alloc fail

[Link] 1949696 1444668 0 5578752 4254136 0 2826240 0
[Link] 1949696 1444800 0 5578752 4254136 0 2826240 0
[Link] 1949696 1445144 0 5578752 4258872 0 2826240 0
[Link] 1949696 1446208 0 5578752 4259784 0 2826240 0
[Link] 1949696 1445528 0 5578752 4256160 0 2826240 0
[Link] 1949696 1445488 0 5578752 4259784 0 2826240 0
[Link] 1949696 1445460 0 5578752 4259784 0 2826240 0
[Link] 1949696 1446308 0 5578752 4258872 0 2826240 0
[Link] 1949696 1440708 0 5578752 4250976 0 2826240 0
[Link] 1949696 1440664 0 5578752 4250976 0 2826240 0

(continued)

516 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

[Link] 1949696 1445280 0 5578752 4259784 0 2826240 0

[Link] 1929216 1369988 0 5324800 4122928 0 2826240 0
[Link] 1929216 1380628 0 5320704 4065992 0 2826240 0
[Link] 1916928 1442364 0 5345280 4142184 0 2826240 0
[Link] 1916928 1415932 0 5373952 4100360 0 2826240 0

Average 1942596 1433278 0 5515401 4216982 0 2826240 0

How to Check Interprocess Communication (sar)

Use the sar -m command to report interprocess communication activities.

$ sar -m
[Link] msg/s sema/s
[Link] 0.00 0.00

These figures will usually be zero (0.00), unless you are running applications that use
messages or semaphores.
The output from the −m option is described in Table 26–13.

TABLE 26–13 Output From the sar -m Command

Field Name Description

msg/s The number of message operations (sends and receives) per

second.

sema/s The number of semaphore operations per second.

Example—Checking Interprocess Communication

The following example shows output from the sar -m command.

Monitoring Performance (Tasks) 517

 $ sar -m
SunOS venus 5.7 Generic sun4m 06/17/98

[Link] msg/s sema/s

[Link] 0.00 0.00
[Link] 0.00 0.00
[Link] 0.00 0.00
[Link] 0.00 0.00
[Link] 0.00 0.00
[Link] 0.00 0.00
[Link] 0.00 0.00
[Link] 0.00 0.00
[Link] 0.00 0.00
[Link] 0.00 0.00
[Link] 0.00 0.00
[Link] 0.00 0.00
[Link] 0.00 0.00
[Link] 0.00 0.00
[Link] 0.00 0.00

Average 0.00 0.00

How to Check Page-In Activity (sar)

Use the sar -p command to report page-in activity which includes protection and
translation faults.

$ sar -p
[Link] atch/s pgin/s ppgin/s pflt/s vflt/s slock/s
[Link] 0.00 0.04 0.05 0.38 0.67 0.00

The reported statistics from the −p option are described in Table 26–14.

TABLE 26–14 Output from the sar -p Command

Field Name Description

atch/s The number of page faults, per second, that are satisfied by
reclaiming a page currently in memory (attaches per second).
Instances of this include reclaiming an invalid page from the
free list and sharing a page of text currently being used by
another process (for example, two or more processes accessing
the same program text).

pgin/s The number of times, per second, that file systems receive
page-in requests.

518 System Administration Guide, Volume II ♦ October 1998

TABLE 26–14 Output from the sar -p Command (continued)

Field Name Description

ppgin/s The number of pages paged in, per second. A single page-in
request, such as a soft-lock request (see slock/s), or a large
block size, may involve paging-in multiple pages.

pflt/s The number of page faults from protection errors. Instances of

protection faults are illegal access to a page and
“copy-on-writes.” Generally, this number consists primarily of
“copy-on-writes.”

vflt/s The number of address translation page faults, per second.

These are known as validity faults, and occur when a valid
process table entry does not exist for a given virtual address.

slock/s The number of faults, per second, caused by software lock

requests requiring physical I/O. An example of the occurrence
of a soft-lock request is the transfer of data from a disk to
memory. The system locks the page that is to receive the data,
so that it cannot be claimed and used by another process.

Example—Checking Page-In Activity

The following example shows output from sar -p.

$ sar -p
SunOS venus 5.7 Generic sun4m 06/17/98

[Link] atch/s pgin/s ppgin/s pflt/s vflt/s slock/s

[Link] 0.00 0.04 0.05 0.38 0.67 0.00
[Link] 0.00 0.00 0.00 0.37 0.61 0.00
[Link] 0.00 0.05 0.07 0.99 1.70 0.00
[Link] 0.00 0.00 0.00 0.38 0.63 0.00
[Link] 0.00 0.00 0.00 0.36 0.60 0.00
[Link] 0.00 0.00 0.00 0.39 0.66 0.00
[Link] 0.00 0.00 0.00 0.38 0.63 0.00
[Link] 0.00 0.00 0.00 0.38 0.63 0.00
[Link] 0.00 0.00 0.00 0.76 1.35 0.00
[Link] 0.00 0.00 0.00 0.24 0.40 0.00
[Link] 0.00 0.00 0.00 0.48 0.77 0.00
[Link] 0.02 3.06 6.10 1.58 8.12 0.00
[Link] 0.19 0.65 0.98 1.36 5.26 0.00
[Link] 0.09 1.28 3.36 3.12 9.47 0.00
[Link] 0.60 6.52 13.52 17.00 46.08 0.00

(continued)

Monitoring Performance (Tasks) 519

 (Continuation)

Average 0.03 0.38 0.79 1.14 2.90 0.00

How to Check Queue Activity (sar)

Use the sar -q command to report the average queue length while the queue is
occupied, and the percentage of time that the queue is occupied.

$ sar -q
[Link] runq-sz %runocc swpq-sz %swpocc
[Link] 1.0 34

Note - The number of LWPs swapped out may greater than zero even if the system
has an abundance of free memory. This happens when a sleeping LWP is swapped
out and has not been awakened (for example, a process or LWP sleeping, waiting for
the keyboard or mouse input).

Output from the −q option is described in Table 26–15.

TABLE 26–15 Output From the sar -q Command

Field Name Description

runq-sz The number of kernel threads in memory waiting for a CPU to

run. Typically, this value should be less than 2. Consistently
higher values mean that the system may be CPU-bound.

%runocc The percentage of time the dispatch queues are occupied.

swpq-sz The average number of swapped out LWPs.

%swpocc The percentage of time LWPs are swapped out.

Example—Checking Queue Activity

The following example shows output from the sar -q command. If %runocc is
high (greater than 90 percent) and runq-sz is greater than 2, the CPU is heavily

520 System Administration Guide, Volume II ♦ October 1998

loaded and response is degraded. In this case, additional CPU capacity may be
required to obtain acceptable system response.

$ sar -q
SunOS venus 5.7 Generic sun4m 06/17/98

[Link] runq-sz %runocc swpq-sz %swpocc

[Link] 1.0 34
[Link] 1.0 34
[Link] 1.0 34
[Link] 1.0 35
[Link] 1.0 35
[Link] 1.0 35
[Link] 1.0 34
[Link] 1.0 35
[Link] 1.0 36
[Link] 1.0 32
[Link] 1.0 36
[Link] 1.1 9
[Link] 1.3 3
[Link] 1.5 4
[Link] 1.4 11
[Link] 1.2 4

Average 1.0 30

How to Check Unused Memory (sar)

Use the sar -r command to report the number of memory pages and swap-file
disk blocks that are currently unused.

$ sar -r
[Link] freemem freeswap
[Link] 4184 320108

Output from the −r option is described in Table 26–16.

TABLE 26–16 Output From the sar -r Command

Field Name Description

freemem The average number of memory pages available to user

processes over the intervals sampled by the command. Page
size is machine-dependent.

freeswap The number of 512-byte disk blocks available for page swapping.

Monitoring Performance (Tasks) 521

 TABLE 26–16 Output From the sar -r Command (continued)

Example—Checking Unused Memory

The following example shows output from the sar -r command.

$ sar -r
SunOS venus 5.7 Generic sun4m 06/17/98

[Link] freemem freeswap

[Link] 4184 320108
[Link] 4181 320120
[Link] 4048 320077
[Link] 3918 320144
[Link] 3917 320131
[Link] 3902 320103
[Link] 3898 320113
[Link] 3897 320124
[Link] 3891 319641
[Link] 3894 320036
[Link] 3898 320214
[Link] 3463 334610
[Link] 436 332371
[Link] 337 329243
[Link] 1610 326295
[Link] 533 326078

Average 3559 321601

How to Check CPU Utilization (sar)

Display CPU utilization with the sar -u command.

$ sar -u
[Link] %usr %sys %wio %idle
[Link] 67 33 0 0

(The sar command without any options is equivalent to sar -u.) At any given
moment, the processor is either busy or idle. When busy, the processor is in either
user or system mode. When idle, the processor is either waiting for I/O completion
or “sitting still” with no work to do.
Output from the −u option is described in Table 26–17.

522 System Administration Guide, Volume II ♦ October 1998

TABLE 26–17 Output From the sar -u Command

Field Name Description

%sys Lists the percentage of time that the processor is in system mode

%user Lists the percentage of time that the processor is in user mode

%wio Lists the percentage of time the processor is idle and waiting for
I/O completion

%idle Lists the percentage of time the processor is idle and is not
waiting for I/O

A high %wio generally means a disk slowdown has occurred.

Example—Checking CPU Utilization

The following example shows output from the sar -u command.

$ sar -u
SunOS venus 5.7 Generic sun4m 06/17/98

[Link] %usr %sys %wio %idle

[Link] 67 33 0 0
[Link] 67 33 0 0
[Link] 67 33 0 0
[Link] 67 33 0 0
[Link] 67 33 0 0
[Link] 67 33 0 0
[Link] 67 33 0 0
[Link] 67 33 0 0
[Link] 67 33 0 0
[Link] 67 33 0 0
[Link] 67 33 0 0
[Link] 19 9 3 69
[Link] 5 2 1 92
[Link] 10 3 0 87
[Link] 23 9 2 66
[Link] 6 3 0 90

Average 59 28 0 13

How to Check System Table Status (sar)

Use the sar -v command to report the status of the process table, inode table, file
table, and shared memory record table.

Monitoring Performance (Tasks) 523

 $ sar -v
[Link] proc-sz ov inod-sz ov file-sz ov lock-sz
[Link] 69/874 0 2698/4032 0 519/519 0 0/0

Output from the −v option is described in Table 26–18.

TABLE 26–18 Output From the sar -v Command

Field Name Description

proc-sz The number of process entries (proc structs) currently being

used, or allocated in the kernel.

inod-sz The total number of inodes in memory verses the maximum

number of inodes allocated in the kernel. This is not a strict
high water mark; it can overflow.

file-sz The size of the open system file table. The sz is given as 0,
since space is allocated dynamically for the file table.

ov The number of shared memory record table entries currently

being used or allocated in the kernel. The sz is given as 0
because space is allocated dynamically for the shared memory
record table.

lock-sz The number of shared memory record table entries currently

being used or allocated in the kernel. The sz is given as 0
because space is allocated dynamically for the shared memory
record table.

Example—Checking System Table Status

The following example shows output from the sar -v command. This example
shows that all tables are large enough to have no overflows. These tables are all
dynamically allocated based on the amount of physical memory.

$ sar -v
SunOS venus 5.7 Generic sun4m 06/17/98

[Link] proc-sz ov inod-sz ov file-sz ov lock-sz

[Link] 69/874 0 2698/4032 0 519/519 0 0/0
[Link] 69/874 0 2698/4032 0 519/519 0 0/0
[Link] 69/874 0 2700/4032 0 519/519 0 0/0
[Link] 69/874 0 2700/4032 0 519/519 0 0/0

(continued)

524 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

[Link] 68/874 0 2700/4032 0 518/518 0 0/0

[Link] 69/874 0 2700/4032 0 519/519 0 0/0
[Link] 69/874 0 2700/4032 0 519/519 0 0/0
[Link] 69/874 0 2700/4032 0 519/519 0 0/0
[Link] 66/874 0 2700/4032 0 516/516 0 0/0
[Link] 66/874 0 2700/4032 0 516/516 0 0/0
[Link] 69/874 0 2700/4032 0 519/519 0 0/0
[Link] 64/874 0 2700/4032 0 515/515 0 0/0
[Link] 66/874 0 2700/4032 0 526/526 0 0/0
[Link] 72/874 0 2704/4032 0 538/538 0 0/0
[Link] 65/874 0 2705/4032 0 526/526 0 0/0
[Link] 65/874 0 2706/4032 0 524/524 0 0/0

How to Check Swap Activity (sar)

Use the sar -w command to report swapping and switching activity.

$ sar -w
[Link] swpin/s bswin/s swpot/s bswot/s pswch/s
[Link] 0.00 0.0 0.00 0.0 479

Target values and observations are described in Table 26–19.

TABLE 26–19 Output From the sar -w Command

Field Name Description

swpin/s The number of LWP transfers into memory per second.

bswin/s The average number of processes swapped out of memory per

second. If the number is greater than 1, you may need to
increase memory.

swpot/s The average number of processes swapped out of memory per

second. If the number is greater than 1, you may need to
increase memory.

bswot/s The number of blocks transferred for swap-outs per second.

pswch/s The number of kernel thread switches per second.

Monitoring Performance (Tasks) 525

 Note - All process swap-ins include process initialization.

Example—Checking Swap Activity

The following example shows output from the sar -w command.

$ sar -w
SunOS venus 5.7 Generic sun4m 06/17/98

[Link] swpin/s bswin/s swpot/s bswot/s pswch/s

[Link] 0.00 0.0 0.00 0.0 479
[Link] 0.00 0.0 0.00 0.0 479
[Link] 0.00 0.0 0.00 0.0 478
[Link] 0.00 0.0 0.00 0.0 479
[Link] 0.00 0.0 0.00 0.0 479
[Link] 0.00 0.0 0.00 0.0 479
[Link] 0.00 0.0 0.00 0.0 479
[Link] 0.00 0.0 0.00 0.0 479
[Link] 0.00 0.0 0.00 0.0 479
[Link] 0.00 0.0 0.00 0.0 479
[Link] 0.00 0.0 0.00 0.0 479
[Link] 0.00 0.0 0.00 0.0 153
[Link] 0.00 0.0 0.00 0.0 68
[Link] 0.00 0.0 0.00 0.0 70
[Link] 0.00 0.0 0.00 0.0 147
[Link] 0.00 0.0 0.00 0.0 112

Average 0.00 0.0 0.00 0.0 421

How to Check Terminal Activity (sar)

Use the sar -y command to monitor terminal device activities.

$ sar -y
[Link] rawch/s canch/s outch/s rcvin/s xmtin/s mdmin/s
[Link] 0 0 0 0 0 0

If you have a lot of terminal I/O, you can use this report to determine if there are
any bad lines. The activities recorded are defined in Table 26–20.

526 System Administration Guide, Volume II ♦ October 1998

TABLE 26–20 Output From the sar -y Command

Field Name Description

rawch/s Input characters (raw queue), per second

canch/s Input characters processed by canon (canonical queue) per

second

outch/s Output characters (output queue) per second

rcvin/s Receiver hardware interrupts per second

xmtin/s Transmitter hardware interrupts per second

mdmin/s Modem interrupts per second

The number of modem interrupts per second (mdmin/s) should be close to zero, and
the receive and transmit interrupts per second (xmtin/s and rcvin/s) should be
less than or equal to the number of incoming or outgoing characters, respectively. If
this is not the case, check for bad lines.

Example—Checking Terminal Activity

The following example shows output from the sar -y command.

$ sar -y
SunOS venus 5.7 Generic sun4m 06/17/98

[Link] rawch/s canch/s outch/s rcvin/s xmtin/s mdmin/s

[Link] 0 0 0 0 0 0
[Link] 0 0 0 0 0 0
[Link] 0 0 0 0 0 0
[Link] 0 0 0 0 0 0
[Link] 0 0 0 0 0 0
[Link] 0 0 0 0 0 0
[Link] 0 0 0 0 0 0
[Link] 0 0 0 0 0 0
[Link] 0 0 0 0 0 0
[Link] 0 0 0 0 0 0
[Link] 0 0 0 0 0 0
[Link] 0 0 6 0 0 0
[Link] 0 0 15 0 0 0
[Link] 0 0 5 0 0 0
[Link] 0 0 10 0 0 0
[Link] 0 0 21 0 0 0

(continued)

Monitoring Performance (Tasks) 527

 (Continuation)

Average 0 0 2 0 0 0

How to Check Overall System Performance (sar)

Use the sar -A command to display a view of overall system performance.
This provides a more global perspective. If data from more than one time segment is
shown, the report includes averages.

Collecting System Activity Data Automatically

(sar)
Three commands are involved in automatic system activity data collection: sadc,
sa1, and sa2.
The sadc data collection utility periodically collects data on system activity and
saves it in a file in binary format—one file for each 24-hour period. You can set up
sadc to run periodically (usually once each hour), and whenever the system boots to
multiuser mode. The data files are placed in the directory /usr/adm/sa. Each file is
named sadd, where dd is the current date. The format of the command is as follows:

/usr/lib/sa/sadc [t n] [ofile]

The command samples n times with an interval of t seconds (t should be greater

than 5 seconds) between samples. It then writes, in binary format, to the file ofile, or
to standard output. If t and n are omitted, a special file is written once.

Running sadc When Booting

The sadc command should be run at system boot time in order to record the
statistics from when the counters are reset to zero. To make sure that sadc is run at
boot time, the /etc/init.d/perf file must contain a command line that writes a
record to the daily data file.
The command entry has the following format:

528 System Administration Guide, Volume II ♦ October 1998

 su sys -c "/usr/lib/sa/sadc /usr/adm/sa/sa‘date +5d‘"

Running sadc Periodically With sa1

To generate periodic records, you need to run sadc regularly. The simplest way to
do this is by putting a line into the /var/spool/cron/sys file, which calls the
shell script, sa1. This script invokes sadc and writes to the daily data files,
/var/adm/sa/sadd. It has the following format:

/usr/lib/sa/sa1 [t n]

The arguments t and n cause records to be written n times at an interval of t seconds.

If these arguments are omitted, the records are written only one time.

Producing Reports With sa2

Another shell script, sa2, produces reports rather than binary data files. The sa2
command invokes the sar command and writes the ASCII output to a report file.

Collecting System Activity Data (sar)

The sar command can be used either to gather system activity data itself or to
report what has been collected in the daily activity files created by sadc.
The sar command has the following formats:

sar [-aAbcdgkmpqruvwy] [-o file] t [n]

sar [-aAbcdgkmpqruvwy] [-s time] [-e time] [-i sec] [-f file]

The sar command below samples cumulative activity counters in the operating
system every t seconds, n times. (t should be 5 seconds or greater; otherwise, the
command itself may affect the sample.) You must specify a time interval between
which to take the samples; otherwise, the command operates according to the second
format. The default value of n is 1. The following example takes two samples
separated by 10 seconds. If the -o option is specified, samples are saved in file in
binary format.

$ sar -u 10 2

Other important information about the sar command:

Monitoring Performance (Tasks) 529

 4 With no sampling interval or number of samples specified, sar extracts data from
a previously recorded file, either the one specified by the -f option or, by default,
the standard daily activity file, /var/adm/sa/sadd, for the most recent day.
4 The -s and -e options define the starting and ending times for the report. Starting
and ending times are of the form hh[:mm[:ss]] (where h, m, and s represent hours,
minutes, and seconds).
4 The -i option specifies, in seconds, the intervals between record selection. If the
-i option is not included, all intervals found in the daily activity file are reported.
Table 26–21 lists the sar options and their actions.

TABLE 26–21 Options for sar Command

Option Actions

-a Checks file access operations

-b Checks buffer activity

-c Checks system calls

-d Checks activity for each block device

-g Checks page-out and memory freeing

-k Checks kernel memory allocation

-m Checks interprocess communication

-p Checks swap and dispatch activity

-q Checks queue activity

-r Checks unused memory

-u Checks CPU utilization

-nv Checks system table status

-w Checks swapping and switching volume

-y Checks terminal activity

-A Reports overall system performance (same as entering all options)

530 System Administration Guide, Volume II ♦ October 1998

TABLE 26–21 Options for sar Command (continued)

If no option is used, it is equivalent to calling the command with the -u option.

How to Set Up Automatic Data Collection

1. Become superuser.

2. Using the editor of your choice, open the /etc/init.d/perf file, which
contains the sadc start-up instructions. Verify that the following lines are
uncommented:

MATCH=‘who -r|grep -c ‘‘[234][ ]*0[ ]*[S1]’’‘ if [ ${MATCH} -eq 1 ]

then su sys -c ‘‘/usr/lib/sa/sadc /var/adm/sa/sa‘date +%d‘’’ fi

This version of the sadc command writes a special record that marks the time
when the counters are reset to zero (boot time). The sadc output is put into the
file sadd (where dd is the current date), which acts as the daily system activity
record.

3. Using the editor of your choice, open the /var/spool/cron/crontabs/sys

file (the system crontab file). Uncomment the following lines:

# 0 * * * 0-6 /usr/lib/sa/sa1
# 20,40 8-17 * * 1-5 /usr/lib/sa/sa1

The first entry writes a record to /var/adm/sa/sadd on the hour, every hour,
seven days a week.
The second entry writes a record to /var/adm/sa/sadd twice each hour during
peak working hours: at 20 minutes and 40 minutes past the hour, from 8 a.m. to 5
p.m., Monday through Friday.
Thus, these two crontab entries cause a record to be written to
/var/adm/sa/sadd every 20 minutes from 8 a.m. to 5 p.m., Monday through
Friday, and every hour on the hour otherwise. You can change these defaults to
meet your needs.

Monitoring Performance (Tasks) 531

532 System Administration Guide, Volume II ♦ October 1998
CHAPTER 27

Monitoring Network Performance

(Tasks)

This chapter describes the how to monitor network performance. This is a list of the
step-by-step instructions in this chapter.
4 “How to Check the Response of Hosts on the Network” on page 534
4 “How to Send Packets to Hosts on the Network” on page 535
4 “How to Capture Packets From the Network” on page 536
4 “How to Check the Network Status” on page 536
4 “How to Display NFS Server and Client Statistics” on page 539

Monitoring Network Performance

Table 27–1 describes the commands available for monitoring network performance.

TABLE 27–1 Network Monitoring Commands

Command Use This Command To ...

ping Look at the response of hosts on the network.

spray Test the reliability of your packet sizes. It can tell you whether
packets are being delayed or dropped.

snoop Capture packets from the network and trace the calls from each
client to each server.

533
 TABLE 27–1 Network Monitoring Commands (continued)

Command Use This Command To ...

netstat Display network status, including state of the interfaces used for
TCP/IP traffic, the IP routing table, and the per-protocol
statistics for UDP, TCP, ICMP, and IGMP.

nfsstat Display a summary of server and client statistics that can be

used to identify NFS problems.

How to Check the Response of Hosts on the

Network
Check the response of hosts on the network with the ping command.

$ ping hostname

If you suspect a physical problem, you can use ping to find the response time of
several hosts on the network. If the response from one host is not what you would
expect, you can investigate that host. Physical problems could be caused by:

4 Loose cables or connectors

4 Improper grounding
4 Missing termination
4 Signal reflection
For more information about this command, see ping(1M).

Examples—Checking the Response of Hosts on the Network

The simplest version of ping sends a single packet to a host on the network. If it
receives the correct response, it prints the message host is alive.

$ ping elvis
elvis is alive

With the -s option, ping sends one datagram per second to a host. It then prints
each response and the time it took for the round trip. For example:

534 System Administration Guide, Volume II ♦ October 1998

 $ ping -s pluto
64 bytes from pluto ([Link]): icmp_seq=0. time=10. ms
64 bytes from pluto ([Link]): icmp_seq=5. time=0. ms
64 bytes from pluto ([Link]): icmp_seq=6. time=0. ms
^C
----pluto PING Statistics----
8 packets transmitted, 8 packets received, 0% packet loss

round-trip (ms) min/avg/max = 0/2/10

How to Send Packets to Hosts on the Network

Test the reliability of your packet sizes with the spray command.

$ spray [ -c count -d interval -l packet_size] hostname

-c count Number of packets to send.

-d interval Number of microseconds to pause between sending packets. If

you don’t use a delay, you may run out of buffers.

-l packet_size Is the packet size.

hostname Is the system to send packets.

For more information about this command, see spray(1M).

Example—Sending Packets to Hosts on the Network

The following example sends 100 packets to a host (-c 100) with each packet
having a size of 2048 bytes (-l 2048). The packets are sent with a delay time of 20
microseconds between each burst (-d 20).

$ spray -c 100 -d 20 -l 2048 pluto

sending 100 packets of length 2048 to pluto ...
no packets dropped by pluto
279 packets/sec, 573043 bytes/sec

Monitoring Network Performance (Tasks) 535

 How to Capture Packets From the Network
To capture packets from the network and trace the calls from each client to each
server, use snoop. This command provides accurate time stamps that allow some
network performance problems to be isolated quickly. For more information, see
snoop(1M).

# snoop

Dropped packets could be caused by insufficient buffer space, or an overloaded CPU.

How to Check the Network Status

Display network status information, such as statistics about the state of network
interfaces, routing tables, and various protocols, with the netstat command.

$ netstat [-i] [-r] [-s]

Displays the state of the TCP/IP interfaces.

−i

Displays the IP routing table.

−r

Displays statistics for the UDP, TCP, ICMP, and IGMP protocols.
−s

For more information, see netstat(1M).

Examples—Checking the Network Status

The following example shows output from the netstat -i command, which
displays the state of the interfaces used for TCP/IP traffic.

$ netstat -i
Name Mtu Net/Dest Address Ipkts Ierrs Opkts Oerrs Collis Queue
lo0 8232 software localhost 1280 0 1280 0 0 0
le0 1500 loopback venus 1628480 0 347070 16 39354 0

This display shows how many packets a machine has transmitted and received on
each interface. A machine with active network traffic should show both Ipkts and
Opkts continually increasing.

Calculate the network collisions rate by dividing the number of collision counts
(Collis) by the number of out packets (Opkts). In the above example, the collision

536 System Administration Guide, Volume II ♦ October 1998

rate is 3.5 percent. A network-wide collision rate greater than 5 to 10 percent can
indicate a problem.

Calculate the input packet error rate by dividing the number of input errors by the
total number of input packets (Ierrs/Ipkts). The output packet error rate is the
number of output errors divided by the total number of output packets
(Oerrs/Opkts). If the input error rate is high (over 0.25 percent), the host may be
dropping packets.

The following example shows output from the netstat -s command, which
displays the per-protocol statistics for the UDP, TCP, ICMP, and IGMP protocols.

UDP
udpInDatagrams =196543 udpInErrors = 0
udpOutDatagrams =187820

TCP
tcpRtoAlgorithm = 4 tcpRtoMin = 200
tcpRtoMax = 60000 tcpMaxConn = -1
tcpActiveOpens = 26952 tcpPassiveOpens = 420
tcpAttemptFails = 1133 tcpEstabResets = 9
tcpCurrEstab = 31 tcpOutSegs =3957636
tcpOutDataSegs =2731494 tcpOutDataBytes =1865269594
tcpRetransSegs = 36186 tcpRetransBytes =3762520
tcpOutAck =1225849 tcpOutAckDelayed =165044
tcpOutUrg = 7 tcpOutWinUpdate = 315
tcpOutWinProbe = 0 tcpOutControl = 56588
tcpOutRsts = 803 tcpOutFastRetrans = 741
tcpInSegs =4587678
tcpInAckSegs =2087448 tcpInAckBytes =1865292802
tcpInDupAck =109461 tcpInAckUnsent = 0
tcpInInorderSegs =3877639 tcpInInorderBytes =-598404107
tcpInUnorderSegs = 14756 tcpInUnorderBytes =17985602
tcpInDupSegs = 34 tcpInDupBytes = 32759
tcpInPartDupSegs = 212 tcpInPartDupBytes =134800
tcpInPastWinSegs = 0 tcpInPastWinBytes = 0
tcpInWinProbe = 456 tcpInWinUpdate = 0
tcpInClosed = 99 tcpRttNoUpdate = 6862
tcpRttUpdate =435097 tcpTimRetrans = 15065
tcpTimRetransDrop = 67 tcpTimKeepalive = 763
tcpTimKeepaliveProbe= 1 tcpTimKeepaliveDrop = 0

IP
ipForwarding = 2 ipDefaultTTL = 255
ipInReceives =11757234 ipInHdrErrors = 0
ipInAddrErrors = 0 ipInCksumErrs = 0
ipForwDatagrams = 0 ipForwProhibits = 0
ipInUnknownProtos = 0 ipInDiscards = 0
ipInDelivers =4784901 ipOutRequests =4195180
ipOutDiscards = 0 ipOutNoRoutes = 0
ipReasmTimeout = 60 ipReasmReqds = 8723
ipReasmOKs = 7565 ipReasmFails = 1158
ipReasmDuplicates = 7 ipReasmPartDups = 0
ipFragOKs = 19938 ipFragFails = 0
ipFragCreates =116953 ipRoutingDiscards = 0

(continued)

Monitoring Network Performance (Tasks) 537

 (Continuation)

tcpInErrs = 0 udpNoPorts =6426577

udpInCksumErrs = 0 udpInOverflows = 473
rawipInOverflows = 0

ICMP
icmpInMsgs =490338 icmpInErrors = 0
icmpInCksumErrs = 0 icmpInUnknowns = 0
icmpInDestUnreachs = 618 icmpInTimeExcds = 314
icmpInParmProbs = 0 icmpInSrcQuenchs = 0
icmpInRedirects = 313 icmpInBadRedirects = 5
icmpInEchos = 477 icmpInEchoReps = 20
icmpInTimestamps = 0 icmpInTimestampReps = 0
icmpInAddrMasks = 0 icmpInAddrMaskReps = 0
icmpInFragNeeded = 0 icmpOutMsgs = 827
icmpOutDrops = 103 icmpOutErrors = 0
icmpOutDestUnreachs = 94 icmpOutTimeExcds = 256
icmpOutParmProbs = 0 icmpOutSrcQuenchs = 0
icmpOutRedirects = 0 icmpOutEchos = 0
icmpOutEchoReps = 477 icmpOutTimestamps = 0
icmpOutTimestampReps= 0 icmpOutAddrMasks = 0
icmpOutAddrMaskReps = 0 icmpOutFragNeeded = 0
icmpInOverflows = 0
IGMP:
0 messages received
0 messages received with too few bytes
0 messages received with bad checksum
0 membership queries received
0 membership queries received with invalid field(s)
0 membership reports received
0 membership reports received with invalid field(s)
0 membership reports received for groups to which we belong
0 membership reports sent

The following example shows output from the netstat -r command, which
displays the IP routing table.

Routing Table:
Destination Gateway Flags Ref Use Interface
------------------ -------------------- ----- ----- ------ ---------
localhost localhost UH 0 2817 lo0
earth-bb pluto U 3 14293 le0
[Link] pluto U 3 0 le0
default mars-gate UG 0 14142

The fields in the netstat -r report are described in Table 27–2.

538 System Administration Guide, Volume II ♦ October 1998

TABLE 27–2 Output From the netstat -r Command

Field Name Description

Flags U The route is up

The route is through a gateway
G
The route is to a host
H The route was dynamically created using a redirect

Ref Shows the current number of routes sharing the same

link layer

Use Indicates the number of packets sent out

Interface Lists the network interface used for the route

How to Display NFS Server and Client Statistics

The NFS distributed file service uses a remote procedure call (RPC) facility which
translates local commands into requests for the remote host. The remote procedure
calls are synchronous. That is, the client application is blocked or suspended until
the server has completed the call and returned the results. One of the major factors
affecting NFS performance is the retransmission rate.
If the file server cannot respond to a client’s request, the client retransmits the request
a specified number of times before it quits. Each retransmission imposes system
overhead, and increases network traffic. Excessive retransmissions can cause network
performance problems. If the retransmission rate is high, you could look for:

4 Overloaded servers that take too long to complete requests

4 An Ethernet interface dropping packets
4 Network congestion which slows the packet transmission
Table 27–3 describes the nfsstat options to display client and server statistics.

Monitoring Network Performance (Tasks) 539

 TABLE 27–3 Commands for Displaying Client/Server Statistics

Use ... To Display ...

nfsstat -c Client statistics

nfsstat -s Server statistics

netstat -m Network statistics for each file system

Use nfsstat -c to show client statistics, and nfsstat -s to show server

statistics. Use netstat -m to display network statistics for each file system. For
more information, see nfsstat(1M).

Examples—Displaying NFS Server and Client Statistics

The following example displays RPC and NFS data for the client, pluto.

$ nfsstat -c

Client rpc:
Connection oriented:
calls badcalls badxids timeouts newcreds badverfs timers
1595799 1511 59 297 0 0 0
cantconn nomem interrupts
1198 0 7
Connectionless:
calls badcalls retrans badxids timeouts newcreds badverfs
80785 3135 25029 193 9543 0 0
timers nomem cantsend
17399 0 0

Client nfs:
calls badcalls clgets cltoomany
1640097 3112 1640097 0
Version 2: (46366 calls)
null getattr setattr root lookup readlink read
0 0% 6589 14% 2202 4% 0 0% 11506 24% 0 0% 7654 16%
wrcache write create remove rename link symlink
0 0% 13297 28% 1081 2% 0 0% 0 0% 0 0% 0 0%
mkdir rmdir readdir statfs
24 0% 0 0% 906 1% 3107 6%
Version 3: (1585571 calls)
null getattr setattr lookup access readlink read
0 0% 508406 32% 10209 0% 263441 16% 400845 25% 3065 0% 117959 7%
write create mkdir symlink mknod remove rmdir
69201 4% 7615 0% 42 0% 16 0% 0 0% 7875 0% 51 0%
rename link readdir readdir+ fsstat fsinfo pathconf

(continued)

540 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

929 0% 597 0% 3986 0% 185145 11% 942 0% 300 0% 583 0%

commit
4364 0%

Client nfs_acl:
Version 2: (3105 calls)
null getacl setacl getattr access
0 0% 0 0% 0 0% 3105 100% 0 0%
Version 3: (5055 calls)
null getacl setacl
0 0% 5055 100% 0 0%

The output of the nfsstat -c command is described in Table 27–4.

TABLE 27–4 Output From the nfsstat -c Command

Field Description

calls Shows the total number of calls sent.

badcalls The total number of calls rejected by RPC.

retrans The total number of retransmissions. For this client, the number
of retransmissions is less than 1 percent (10 time-outs out of
6888 calls). These may be caused by temporary failures. Higher
rates may indicate a problem.

badxid The number of times that a duplicate acknowledgment was

received for a single NFS request.

timeout The number of calls that timed out.

wait The number of times a call had to wait because no client handle
was available.

newcred The number of times the authentication information had to be

refreshed.

timers The number of times the time-out value was greater than or
equal to the specified time-out value for a call.

readlink The number of times a read was made to a symbolic link. If

this number is high (over 10 percent), it could mean that there
are too many symbolic links.

Monitoring Network Performance (Tasks) 541

 TABLE 27–4 Output From the nfsstat -c Command (continued)

The following example shows output from the nfsstat -m command.

pluto$ nfsstat -m
/usr/man from pluto:/export/svr4/man
Flags: vers=2,proto=udp,auth=unix,hard,intr,dynamic,
rsize=8192, wsize=8192,retrans=5
Lookups: srtt=13 (32ms), dev=10 (50ms), cur=6 (120ms)
All: srtt=13 (32ms), dev=10 (50ms), cur=6 (120ms)

This output of the nfsstat -m command, which is displayed in milliseconds, is

described in Table 27–5.

TABLE 27–5 Output From the nfsstat -m Command

Field Description

srtt The smoothed average of the round-trip times

dev The average deviations

cur The current “expected” response time

If you suspect that the hardware components of your network are creating problems,
you need to look carefully at the cabling and connectors.

542 System Administration Guide, Volume II ♦ October 1998

CHAPTER 28

Tuning Kernel Parameters (Tasks)

This chapter describes the procedures for tuning kernel parameters. This is a list of
the step-by-step instructions in this chapter.
4 “Listing the Kernel Parameters” on page 543
4 “How to Change the Value of a Kernel Parameter” on page 544
4 “How to Set the Value of a Kernel Module Variable” on page 544
4 “How to Tune the Interprocess Communication Parameters” on page 548
4 “How to Tune Memory Management Parameters” on page 549
4 “How to Tune Miscellaneous Parameters” on page 550

Listing the Kernel Parameters

Display the current kernel parameters values by using the sysdef -i command.

# sysdef -i
* Hostid
53001b80
*
* sun4m Configuration
* Devices
packages (driver not attached)
disk-label (driver not attached)
deblocker (driver not attached)
obp-tftp (driver not attached)
.
.
.

(continued)

543
 (Continuation)

options, instance #0
aliases (driver not attached)
openprom (driver not attached)
iommu, instance #0
sbus, instance #0
espdma, instance #0
esp, instance #0
sd (driver not attached)
st (driver not attached)
.
.
.

How to Change the Value of a Kernel Parameter

1. Become superuser.

2. Add a line to the /etc/system file in the form:

set parameter=value

3. Verify the kernel parameter change.

# grep parameter /etc/system

4. Reboot the system.

The kernel parses the /etc/system file during autoconfiguration and overrides
the default value for the parameters specified in this file.

Example—Changing the Value of a Kernel Parameter

The following line in the /etc/system file sets the value of the max_nprocs to
500 parameter.
set max_nprocs=500

How to Set the Value of a Kernel Module Variable

1. Become superuser.

544 System Administration Guide, Volume II ♦ October 1998

2. Add a line to the /etc/system file in the form:

set module_name:variable=value

3. Verify the kernel module variable change.

# grep module_name /etc/system

4. Reboot the system.

The kernel parses the /etc/system file during autoconfiguration and overrides
the default value for the parameters specified in this file.

Example—Setting the Value of a Kernel Module Variable

The following line in the /etc/system file sets the value of the msginfo_msgmap
parameter in the msgsys module to 150.
set msgsys:msginfo_msgmap=150

Buffer Cache Parameters

The bufhwm parameter specifies the maximum size for buffer cache memory usage
expressed in units of 1,000 bytes. The default is 2% of physical memory. Use
sar(1M) to measure the buffer cache statistics.

UFS Parameters
Table 28–1 describes the tunable UFS parameters.

TABLE 28–1 Tunable UFS Parameters

Parameter Description

ufs_ninode Maximum size of the inode table (default = max_nprocs + 16

+ maxusers+ 64)

ncsize Number of dnlc entries (default =

max_nprocs+16+maxusers + 64);

dnlc is the directory-name lookup cache.

Tuning Kernel Parameters (Tasks) 545

 STREAMS Parameters
Table 28–2 describes the tunable STREAMS parameters.

TABLE 28–2 Tunable STREAMS Parameters

Parameter Default Description

nstrpush 9 The maximum number of STREAMS pushes

allowed.

strmsgsz 0 The maximum size for the STREAMS

message that a user can create. A value of 0
indicates no upper bound. This parameter
may disappear entirely in a future release.

strctlsz 1024 The maximum size of the ctl part of a

message.

strthresh 0 The maximum amount of dynamic memory

that the STREAMS subsystem can consume,
in bytes. Once this threshold is passed, any
pushes, opens, and writes on a STREAMS
devices will fail for non-root processes. A
value of 0 means no limit.

sadcnt 16 Number of sad devices.

Interprocess Communication (IPC) Parameters

Table 28–3 describes the tunable interprocess communication parameters.

TABLE 28–3 Interprocess Communication Parameters

Parameter Default Description

Message Queue

msginfo_msgmap 100 Number of entries in the message map

msginfo_msgmax 2048 Maximum message size

msginfo_msgmnb 4096 Maximum bytes on queue

546 System Administration Guide, Volume II ♦ October 1998

TABLE 28–3 Interprocess Communication Parameters (continued)

msginfo_msgmni 50 Number of message queue identifiers

msginfo_msgssz 8 Segment size of a message (should be a

multiple of the word size)

msginfo_msgtql 40 Number of system message headers

msginfo_msgseg 1024 Number of message segments (must be <

32768)

Semaphore Facility

seminfo_semmap 10 Number of entries in the semaphore map

seminfo_semmni 10 Number of semaphore identifiers

seminfo_semmns 60 Number of semaphores in the system

seminfo_semmnu 30 Number of processes using the undo facility

seminfo_semmsl 25 Maximum number of semaphores, per id

seminfo_semopm 10 Maximum number of operations, per

semaphore call

seminfo_semume 10 Maximum number of undo structures per

process

Note: The total number of undo structures allocated in the system is:

seminfo_semmnu * seminfo_semume

seminfo_semvmx 32767 Semaphore maximum value

seminfo_semaem 16384 Maximum value for adjustment on exit

Shared Memory

shminfo_shmmax 1048576 Maximum shared memory segment size

shminfo_shmmin 1 Minimum shared memory segment size

Tuning Kernel Parameters (Tasks) 547

 TABLE 28–3 Interprocess Communication Parameters (continued)

shminfo_shmmni 100 Number of shared memory identifiers

shminfo_shmseg 6 Segments, per process

How to Tune the Interprocess Communication

Parameters
1. Become superuser.

2. Add a line to the /etc/system file using the syntax described in Table 28–4.

TABLE 28–4 Tuning Interprocess Communication Parameters

Parameter Type Parameter Tuning Syntax

Message Queue msgsys set msgsys:msginfo_variable = value

Semaphore Facility semsys set semsys:seminfo_variable=value

Shared Memory shmsys set shmsys:shminfo_variable=value

3. Verify the kernel parameter change.

# grep parameter /etc/system

4. Reboot the system.

The kernel parses the /etc/system file during autoconfiguration and overrides
the default value for the parameters specified in this file.

Memory Management Parameters

Table 28–5 describes the tunable memory management parameters.

548 System Administration Guide, Volume II ♦ October 1998

TABLE 28–5 Memory Management Parameters

Parameter Default Description

lotsfree scaled based on If freemem drops below lotsfree, the

physical system starts to steal pages from processes.
memory

tune_t_fsflushr 30 Rate at which fsflush is run, in seconds

tune_t_minarmem 25 The minimum available resident (not

swappable) memory needed to avoid
deadlock, in pages

tune_t_minasmem 25 The minimum available swappable memory

needed to avoid deadlock, in pages

tune_t_flckrec 512 The maximum number of active frlocks

Note - Since the Solaris 2.4 release, the tune_t_gpgslo parameter has been
replaced by a more complicated criteria for swapping based on the number of
runnable threads.

The freemem parameter is defined in pages. Utilities like vmstat translates

freemem into bytes from pages.

How to Tune Memory Management Parameters

1. Become superuser.

2. Add a line to the /etc/system file using the following syntax.

set tune:variable=value

3. Verify the kernel parameter change.

# grep parameter /etc/system

4. Reboot the system.

The kernel parses the /etc/system file during autoconfiguration and overrides
the default value for the parameters specified in this file.

Tuning Kernel Parameters (Tasks) 549

 Miscellaneous Parameters
Table 28–6 describes tunable miscellaneous parameters.

TABLE 28–6 Miscellaneous Parameters

Parameter Default Description

lwp_default_stksize 8192 Size of the kernel stack for lwps. Do not

adjust this value unless there is a kernel
overflow. The value is expressed in bytes and
must be a multiple of PAGESIZE bytes.

npty 48 Total number of 4.0 or 4.1 pseudo-ttys

configured

pt_cnt 48 Total number of 5.7 pseudo-ttys configured

How to Tune Miscellaneous Parameters

1. Become superuser.

2. Add a line to the /etc/system file using the following syntax.

set parameter=value

3. Verify the kernel parameter change.

# grep parameter /etc/system

4. Reboot the system.

If you changed device related kernel parameters, you need to use the −r option
when booting the system. When the system boots, the kernel parses the
/etc/system file during autoconfiguration and overrides the default value for
the parameters specified in this file.

Example—Tuning Miscellaneous Parameters

The following line in the /etc/system file sets the value of the pt_cnt parameter
to 200.

set pt_cnt=200

550 System Administration Guide, Volume II ♦ October 1998

CHAPTER 29

The Scheduler (Reference)

This chapter contains reference information for the SunOS 5.7 scheduler. This is a list
of the overview information in this chapter.
4 “About the Scheduler” on page 551
4 “Scheduler Class Policies” on page 552
4 “Scheduler Configuration” on page 554

About the Scheduler

The scheduler (or dispatcher) is the portion of the kernel that controls the allocation of
the CPU to processes. It determines when processes run and for how long,
depending on their assigned priorities. Priorities are based on scheduling class and
process behavior. Four scheduling classes are supported by default: timesharing,
system, real-time and interactive.
The scheduler has an overriding effect on the performance of a system.

Note - The fundamental scheduling entity is the kernel thread. For single-threaded
processes, scheduling the kernel thread is synonymous with process scheduling.

The SunOS 5.7 scheduler controls the order in which processes run and the amount
of CPU time each process may use before another process can run.
The scheduler allocates CPU time to processes according to the scheduling policies
defined for each scheduling class. Associated with each scheduling class is a set of
priority levels or queues. Ready-to-run processes are moved among these queues.
Within a class, you can view these queues as a contiguous set of priority levels.
These priority levels are mapped into a set of global scheduling priorities.

551
 The global priority of a process determines when it runs—the scheduler runs the
process with the highest global priority that is ready to run. Processes with
numerically higher priorities run first, and processes with the same priority run
using a round robin scheduling policy.
Once the scheduler assigns a process to a CPU, the process runs until one of the
following events occur:
4 The process uses up its time slice.
4 The process blocks waiting for an event (for example, I/O) or a suspended lock.
4 The process is preempted by a higher-priority process.
By default, all real-time processes have higher priorities than any system process,
and all system processes have higher priorities than any timesharing process.
A process inherits its scheduler parameters from its parent process, including its
scheduler class and its priority within that class. A process changes class only from a
user request (with the priocntl command or system call). The system manages the
priority of a process based on user requests and the policy associated with the
scheduling class of the process.

Scheduler Activation
Scheduler activations provide kernel scheduling support for applications with
particular scheduling needs, such as database and multithreaded applications.
Multithreaded support changes for scheduler activation are implemented as a private
interface between the kernel and the libthread library, without changing the
libthread interface. Additionally, applications may give scheduling hints to the
kernel to improve performance. See schedctl_init(3X) for more information.

Scheduler Class Policies

The following sections describe the scheduling policies of the three default classes:
timesharing, system, and real-time.

Timesharing Class Policies

In the default configuration, the initialization process (init) belongs to the
timesharing class. Because processes inherit their scheduler parameters, all user login
shells—and consequently the processes run from those shells—begin as timesharing
processes.

552 System Administration Guide, Volume II ♦ October 1998

The goal of the timesharing policy is to provide good response time for interactive
processes and good throughput for processes that use a lot of CPU time. The
scheduler tries to divide the CPU’s time fairly between processes, subject to the
priorities associated with the processes. Those with higher priorities get more
attention than those with lower priorities. However, to prevent any one job (process)
from hogging the CPU, the scheduler can move jobs from high priorities to low
priorities and vice versa.
The scheduler switches CPU allocation frequently enough to provide good response
time, but not so frequently that it spends too much time doing the switching. Time
slices are typically on the order of a few hundredths of a second.
The timesharing policy changes priorities dynamically and assigns time slices of
different lengths. Once a process has started, its timesharing priority varies according
to how much CPU time it’s getting, how much time it’s spending in queues, and
other factors. The scheduler raises the priority of a process that “sleeps.” (A process
sleeps, for example, when it starts an I/O operation such as a terminal read or a disk
read.) Entering sleep states frequently is characteristic of interactive tasks such as
editing and running simple shell commands. On the other hand, the timesharing
policy lowers the priority of a process that uses the CPU for long periods without
sleeping.
The default timesharing policy gives larger time slices to processes with lower
priorities. A process with a low priority is likely to be stuck in the CPU. Other
processes get the CPU first, but when a lower-priority process finally gets the CPU, it
gets a bigger chunk of time. If a higher-priority process becomes ready to run during
a time slice, however, it preempts the running process.
The scheduler manages timesharing processes using parameters in the timesharing
parameter table ts_dptbl. This table contains information specific to the
timesharing class. It is automatically loaded into core memory from the TS_DPTBL
loadable module located in the /kernel/sched directory.

System Class Policies

The system class uses a fixed-priority policy to run kernel processes such as servers,
and housekeeping processes such as the page daemon. Their priorities are not
dynamically adjusted like timesharing processes. The system class is reserved for use
by the kernel, and users may neither add nor remove a process from the system
class. Priorities for system-class processes are set up in the kernel code for the kernel
processes, and, once established, these priorities do not change. (User processes
running in kernel mode are not in the system class.)

The Scheduler (Reference) 553

 Real-Time Class Policies
The SunOS 5.7 operating system uses a real-time scheduling policy as well as a
timesharing policy. Real-time scheduling allows users to set fixed priorities on a
per-process basis, so that critical processes can run in predetermined order. The
real-time scheduler never moves jobs between priorities. Real-time priorities change
only when a user requests a change (using the priocntl command). Contrast this
fixed-priority policy with the timesharing policy, in which the system changes
priorities to provide good interactive response time.

The user process with the highest real-time priority always gets the CPU as soon as
it can be run, even if other processes are ready to run. An application can be written
so that its real-time processes have a guaranteed response time from the operating
system.

Note - As long as there is a real-time process ready to run, no process and no

timesharing process runs. Other real-time processes can run only if they have a
higher priority. Real-time processes managed carelessly can have a dramatic negative
effect on the performance of timesharing processes.

The real-time policy gives higher-priority processes smaller time slices, by default.
The higher priorities are allocated to real-time processes that are driven by external
events. The operating system must be able to respond instantly to I/O. The
lower-priority real-time processes are those that need more computation time. If a
process with the highest priority uses up its time slice, it runs again because there is
no process with a higher priority to pre-empt it.

The scheduler manages real-time processes by using parameters in the real-time

parameter table rt_dptbl. This table contains information specific to the real-time
class. It is automatically loaded into core from the RT_DPTBL loadable module
located in the /kernel/sched directory.

Scheduler Configuration
This section describes the parameters and tables that control the scheduler
configuration. A basic assumption is that your work load is reasonable for your
system resources, such as CPU, memory, and I/O. If your resources are inadequate
to meet the demands, reconfiguring the scheduler won’t help.

You can display or change (fine tune) the scheduler parameters in a running system
for both the timesharing and real-time classes by using the dispadmin command.
Changes made by the dispadmin command do not survive a reboot. To make
permanent changes in scheduler configuration, you must change the scheduler
parameter tables in the appropriate loadable module: TS_DPTBL or RT_DPTBL

554 System Administration Guide, Volume II ♦ October 1998

provided in the /kernel/sched directory. See ts_dptbl(4) and rt_dptbl(4) for
instructions on replacing these modules.
The primary user command for controlling process scheduling is priocntl(1). With
this command, a user can start a process at a specified priority or manipulate the
priorities of running processes. You can find out what classes are configured on your
system with the priocntl -l command. The primary function call for controlling
process scheduling is priocntl(2).
See Chapter 25 for examples of using the priocntl command. See System Interface
Guide for a detailed description of real-time programming and dispadmin(1M) and
priocntl(1).

Default Global Priorities

The following table shows the scheduling order and ranges of global priorities for
each scheduler class.

TABLE 29–1 Scheduling Order and Global Priorities

Scheduling Order Global Priority Scheduler Class

First 159

. Real-Time

100

99

. System

60

59

. Timesharing

The Scheduler (Reference) 555

 TABLE 29–1 Scheduling Order and Global Priorities (continued)

Scheduling Order Global Priority Scheduler Class

Last 0

How Global Priorities Are Constructed

When your operating system is built, it constructs the global priorities from the
tunable parameters and scheduler parameter tables described in the following
sections. There isn’t any command that will show you this complete global priority
table. However, the dispadmin command displays the priorities (from 0 to n)
specific to the real-time and timesharing classes. You can display the global priority
of an active process with the ps -cl command.

Initial Global Priorities of Processes

A timesharing process inherits its scheduling class and priority from its parent
process. The init process is the first process to entire the timesharing class.
System processes initially run with a priority that depends on the process’s
importance (which is programmed into the kernel). The most important system
processes start with a priority at or near the top of the system class range.

Tunable Parameters
This section describes the tunable parameters that control scheduler configuration. To
change any of these kernel parameters, enter a line in the /etc/system file with the
format:
set parameter=value

See system(4) for more information.

The parameters described in this section control aspects of process scheduling,
timesharing policy, and real-time policy.
The initial priority of a real-time process is determined when the process is put into
the real-time scheduling class.
The priocntl -p command is used to specify the relative priority within the
real-time class.

556 System Administration Guide, Volume II ♦ October 1998

This is added to the base priority of the real-time class, which by default is 100. For
example:
priocntl -e -c RT -p 20 command

This command would put the command into execution at a real-time priority of 120.

Process Scheduling Parameters

The following kernel parameters control aspects of process scheduling:
4 maxclsyspri
maxclsyspri is the maximum global priority of processes in the system class.
When the kernel starts system processes, it assigns their priorities using the value
of maxclsyspri as a reference point. maxclsyspri must have a value of 39 or
greater, because the kernel assumes that the total range of system class priorities is
at least 40.
If you change this parameter, you must rebuild the scheduling class tables with
values that correspond to the maximum priorities that you assign.
4 sys_name
sys_name is the character string name of the system scheduler class. The default
value of sys_name is SYS.

Timesharing Policy
The following parameter is specified in the TS loadable module, which controls the
timesharing policy:
4 ts_maxupri
ts_maxupri specifies the range within which users may adjust the priority of a
timesharing process, using the priocntl(l) command or the priocntl(2)
system call. The valid range for the user-supplied priority in the timesharing class
is from +ts_maxupri to -ts_maxupri. The default value of ts_maxupri is 20
(which sets the range between +20 and -20, emulating the behavior of the older,
less general scheduler interfaces, nice and setpriority.)
The value of ts_maxupri is independent of the configured number of global
timesharing priorities. In the default configuration, there are 0-59 timesharing
priorities, but users may adjust their priorities only within a range of -20 to +20,
relative to the system-calculated priority of the process. See “How to Designate a
Process Priority” on page 491 for more information.
To change the value of this parameter, enter a line in /etc/system with the
format:
set TS:ts_maxupri=value

The Scheduler (Reference) 557

 Real-Time Policy
The following parameter is specified in the RT loadable module, which controls the
real-time policy:
4 rt_maxpri
rt_maxpri specifies the maximum priority to assign to real-time processes. The
default value of rt_maxpri is 159.
If you change this parameter, you must rebuild the scheduling class tables with
values that correspond to the maximum priorities that you assign.
To change the value of this parameter, enter a line in the /etc/system file with
the format:
set RT:rt_maxupri=value

Scheduler Parameter Tables

The scheduler tables are described in Table 29–2.

TABLE 29–2 Scheduler Parameters

Table Used to Manage ...

rt_dptbl Real-time processes

ts_dptbl Timesharing processes

ts_kmdpris Sleeping timesharing processes that own critical resources

These tables define scheduling policy by setting the scheduling parameters to use for
real-time and timesharing processes. The parameters specify how much CPU time
processes get at different priority levels.
Default time slices for the priority levels are specified in the ts_dptbl and
rt_dptbl configuration tables, which are defined in the TS_DPTBL and RT_DPTBL
loadable modules. These modules are automatically loaded from the
/kernel/sched directory into the kernel as needed.
The time slices are specified in units (quanta) with a resolution defined by a
“resolution” line. The default resolution is 1000, which means the time quantum
values are interpreted as milliseconds. This is derived from the reciprocal of the
specified resolution in seconds. The quanta are rounded up to the next integral
multiple of the system clock’s resolution in clock ticks. (The system clock ticks HZ
times per second, where HZ is a hardware-dependent constant defined in the
param.h header file.) For example, if the clock tick is 10 milliseconds, 42 quanta is
rounded up to 50 milliseconds.

558 System Administration Guide, Volume II ♦ October 1998

 Timesharing Parameter Table
A default version of the ts_dptb, is delivered with the system in
/kernel/sched/TS_DPTBL. The default configuration has 60 timesharing
priorities.

The dispadmin -c TS -g command displays a sample ts_dptbl table.

$ dispadmin -c TS -g
# Time Sharing Dispatcher Configuration
RES=1000

# ts_quantum ts_tqexp ts_slpret ts_maxwait ts_lwait PRIORITY LEVEL

200 0 50 0 50 # 0
200 0 50 0 50 # 1
200 0 50 0 50 # 2
200 0 50 0 50 # 3
200 0 50 0 50 # 4
200 0 50 0 50 # 5
200 0 50 0 50 # 6
200 0 50 0 50 # 7
200 0 50 0 50 # 8
200 0 50 0 50 # 9
160 0 51 0 51 # 10
160 1 51 0 51 # 11
160 2 51 0 51 # 12
160 3 51 0 51 # 13
160 4 51 0 51 # 14
160 5 51 0 51 # 15
160 6 51 0 51 # 16
160 7 51 0 51 # 17
160 8 51 0 51 # 18
160 9 51 0 51 # 19
120 10 52 0 52 # 20
120 11 52 0 52 # 21
120 12 52 0 52 # 22
120 13 52 0 52 # 23
120 14 52 0 52 # 24
120 15 52 0 52 # 25
120 16 52 0 52 # 26
120 17 52 0 52 # 27
120 18 52 0 52 # 28
120 19 52 0 52 # 29
80 20 53 0 53 # 30
80 21 53 0 53 # 31
80 22 53 0 53 # 32
80 23 53 0 53 # 33
80 24 53 0 53 # 34
80 25 54 0 54 # 35
80 26 54 0 54 # 36
80 27 54 0 54 # 37
80 28 54 0 54 # 38
80 29 54 0 54 # 39
40 30 55 0 55 # 40
40 31 55 0 55 # 41
40 32 55 0 55 # 42
40 33 55 0 55 # 43

(continued)

The Scheduler (Reference) 559

 (Continuation)

40 34 55 0 55 # 44
40 35 56 0 56 # 45
40 36 57 0 57 # 46
40 37 58 0 58 # 47
40 38 58 0 58 # 48
40 39 58 0 59 # 49
40 40 58 0 59 # 50
40 41 58 0 59 # 51
40 42 58 0 59 # 52
40 43 58 0 59 # 53
40 44 58 0 59 # 54
40 45 58 0 59 # 55
40 46 58 0 59 # 56
40 47 58 0 59 # 57
40 48 58 0 59 # 58
20 49 59 32000 59 # 59
$

Table 29–3 describes the fields in the ts_dptbl table.

TABLE 29–3 Fields in the ts_dptbl Table

Field Name Description

ts_quantum Contains the time slice (in milliseconds by default) that a

process at a given priority is allowed to run before the
(runtime) scheduler reevaluates its priority. If the process uses up its
entire time slice, it is put on the expired-level (ts_tqexp)
queue. Time slices run from 40 milliseconds for the highest
priority (59) to 200 milliseconds (0) for the lowest priority.

ts_tqexp Determines the new process priority for a process whose time
slice has expired. If a process uses its whole time slice without
(expired level) sleeping, the scheduler changes its priority to the level indicated
in the ts_tqexp column. The expired level is lower than the
prior level. For example, a process with a priority of 30 that
used up its time slice (80 milliseconds) will get a new priority of
20.

ts_slpret Determines the priority assigned to a process when it returns

from sleep. A process may sleep during certain system calls or
(sleep level) when waiting for I/O (for example, servicing a page fault or
waiting for a lock). When a process returns from sleep, it is
always a given a priority of 59.

560 System Administration Guide, Volume II ♦ October 1998

TABLE 29–3 Fields in the ts_dptbl Table (continued)

Field Name Description

ts_maxwait Specifies the number of seconds a process will be left on a

dispatch queue without its time slice expiring. If it does not use
(wait time) its time slice (in ts_maxwait seconds), its new priority will be
set to ts_lwait. This is used to prevent a low-priority process
from being starved of CPU time.

ts_lwait Contains the new priority for a ready-to-run process that has
exceeded the maximum wait time (ts_maxwait) without
(wait level) getting its full time slice.

PRIORITY LEVEL Contains global priorities. Processes put in queues at the higher
priority levels run first. The global priorities run from a high of
59 to a low of 0. This is the only column in the table that is not
tunable.

Real-Time Parameter Table

A default version of rt_dptbl is delivered with the system in the
/kernel/sched/RT_DPTBL loadable module.
The dispadmin -c RT -g command displays rt_dptbl information similar to
the following.

$ dispadmin -c RT -g
# Real Time Dispatcher Configuration
RES=1000

# TIME QUANTUM PRIORITY

# (rt_quantum) LEVEL
1000 # 0
1000 # 1
1000 # 2
1000 # 3
1000 # 4
1000 # 5
1000 # 6
1000 # 7
1000 # 8
1000 # 9
800 # 10
800 # 11
800 # 12
800 # 13
800 # 14

(continued)

The Scheduler (Reference) 561

 (Continuation)

800 # 15
800 # 16
800 # 17
800 # 18
800 # 19
600 # 20
600 # 21
600 # 22
600 # 23
600 # 24
600 # 25
600 # 26
600 # 27
600 # 28
600 # 29
400 # 30
400 # 31
400 # 32
400 # 33
400 # 34
400 # 35
400 # 36
400 # 37
400 # 38
400 # 39
200 # 40
200 # 41
200 # 42
200 # 43
200 # 44
200 # 45
200 # 46
200 # 47
200 # 48
200 # 49
100 # 50
100 # 51
100 # 52
100 # 53
100 # 54
100 # 55
100 # 56
100 # 57
100 # 58
100 # 59
$

Table 29–4 describes the fields in the real-time parameter table.

562 System Administration Guide, Volume II ♦ October 1998

TABLE 29–4 Fields in the rt_dptbl Table

Field Name Description

rt_glbpri Contains global priorities. Processes put in queues at the higher

priority levels run first. Note that the dispadmin command,
which you can use to display the table, shows only the relative
priorities within the class, and not the global priorities. This
column cannot be changed with dispadmin.

rt_qntm Describes the default time slice (in milliseconds) a process with
this priority (rt_glbpri) may run before the scheduler gives
another process a chance. The time slice for a real-time process
can be specified with the priocntl -t command.

Kernel-Mode Parameter Table

The scheduler uses the kernel-mode parameter table, ts_kmdpris, to manage
sleeping timesharing processes. A default version of ts_kmdpris is delivered with
the system, in the /kernel/sched/TS_DPTBL loadable module, and is
automatically built into the kernel as part of system configuration. See ts_dptbl(4)
for more information.

Note - The kernel assumes that it has at least 40 priorities in ts_kmdpris. It panics
if it does not.

The kernel-mode parameter table is a one-dimensional array of global priorities from

60 through 99. If a process owns a critical resource, it is assigned a kernel priority so
that it can release the resource as soon as possible. Critical resources are:
4 An exclusive lock on a page
4 A read lock on a readers/writer lock
Prior to the SunOS 5.3 release, processes were assigned kernel priorities while they
were asleep. This ensured that the resources they were waiting for were not paged
out before they had a chance to execute again.
In order to do this after the SunOS 5.3 release, processes return from sleep with the
highest time-share priority (59).

The Scheduler (Reference) 563

564 System Administration Guide, Volume II ♦ October 1998
PART VII Troubleshooting Solaris Software
Problems

This part provides instructions for troubleshooting Solaris software problems. This
part contains these chapters.

Provides overview information about troubleshooting

Chapter 30
common software problems and instructions for
troubleshooting a system crash.

Provides step-by-step instructions for saving crash

Chapter 31
dumps and customizing system error logging.

Provides problem scenarios and possible solutions for

Chapter 32
general software problems such as a hung system or a
system that won’t boot.

Provides solutions for solving common file access

Chapter 33
problems such as incorrect command search paths and
file permissions.

Provides solutions for solving common printer problems

Chapter 34
such as no output or incorrect output.

Provides specific fsck error messages and

Chapter 35
corresponding solutions for solving file system-related
problems.

Provides specific error messages and possible solutions

Chapter 36
for problems encountered when adding or removing
software packages.
CHAPTER 30

Troubleshooting Software Problems

(Overview)

This chapter provides a general overview of troubleshooting software problems,

including information on troubleshooting system crashes and viewing system
messages.
This is a list of information in this chapter.
4 “Where to Find Software Troubleshooting Tasks” on page 567
4 “Troubleshooting a System Crash” on page 568
4 “Troubleshooting a System Crash Checklist” on page 569
4 “Viewing System Messages” on page 570
4 “Customizing System Message Logging” on page 572

Where to Find Software Troubleshooting

Tasks
Use these references to find step-by-step instructions for troubleshooting software
problems.
4 Chapter 31
4 Chapter 32
4 Chapter 33
4 Chapter 34
4 Chapter 35

567
 4 Chapter 36

Troubleshooting a System Crash

If a system running the Solaris operating environment crashes, provide your service
provider with as much information as possible—including crash dump files.

What To Do if The System Crashes

The most important things are:
1. Write down the system console messages.
If a system crashes, making it run again may seem like your most pressing
concern. However, before you reboot the system, examine the console screen for
messages. These messages may provide some insight about what caused the
crash. Even if the system reboots automatically and the console messages have
disappeared from the screen, you may be able to check these messages by viewing
the system error log file that is generated automatically in /var/adm/messages
(or /usr/adm/messages). See “How to View System Messages” on page 571 for
more information about viewing system error log files.
If you have frequent crashes and can’t determine their cause, gather all the
information you can from the system console or the /var/adm/messages files,
and have it ready for a customer service representative to examine. See
“Troubleshooting a System Crash” on page 568 for a complete list of
troubleshooting information to gather for your service provider.
See Chapter 32 if the system fails to reboot successfully after a system crash.
2. Synchronize the disks and reboot.

ok sync

See Chapter 32 if the system fails to reboot successfully after a system crash.
3. Attempt to save the crash information written onto the swap area by running the
savecore command.

# savecore

See Chapter 31 for information about saving crash dumps automatically.

568 System Administration Guide, Volume II ♦ October 1998

Gathering Troubleshooting Data
Answer the following questions to help isolate the system problem. Use
“Troubleshooting a System Crash Checklist” on page 569 for gathering
troubleshooting data for a crashed system.

TABLE 30–1 Identifying System Crash Data

Question Description

Can you reproduce the problem? This is important because a reproducible test case is
often essential for debugging really hard problems. By
reproducing the problem, the service provider can
build kernels with special instrumentation to trigger,
diagnose, and fix the bug.

Are you using any third-party drivers? Drivers run in the same address space as the kernel,
with all the same privileges, so they can cause system
crashes if they have bugs.

What was the system doing just before If the system was doing anything unusual like
it crashed? running a new stress test or experiencing
higher-than-usual load, that may have led to the crash.

Were there any unusual console Sometimes the system will show signs of distress
messages right before the crash? before it actually crashes; this information is often
useful.

Did you add any tuning parameters to Sometimes tuning parameters, such as increasing
the /etc/system file? shared memory segments so that the system tries to
allocate more than it has, can cause the system to
crash.

Did the problem start recently? If so, did the onset of problems coincide with any
changes to the system, for example, new drivers, new
software, different workload, CPU upgrade, or a
memory upgrade.

Troubleshooting a System Crash

Checklist
Use this checklist when gathering system data for a crashed system.

Troubleshooting Software Problems (Overview) 569

 Item Your Data

Is a core file available?

Identify the operating system release and

appropriate software application release
levels.

Identify system hardware.

Include prtdiag output from sun4d
systems.

Are patches installed? If so, include

showrev -p output.

Is the problem reproducible?

Does the system have any third-party

drivers?

What was the system doing before it

crashed?

Were there any unusual console messages

right before the system crashed?

Did you add any parameters to the /etc/

system file?

Did the problem start recently?

Viewing System Messages

When a system crashes, it may display a message on the system console like this:

panic: error message

where error message is one of the panic error messages described in crash(1M).
Less frequently, this message may be displayed instead of the panic message:

Watchdog reset !

The error logging daemon, syslogd, automatically records various system warnings
and errors in message files. By default, many of these system messages are displayed

570 System Administration Guide, Volume II ♦ October 1998

on the system console and are stored in /var/adm (or /usr/adm) or . You can
direct where these messages are stored by setting up system logging. See “How to
Customize System Message Logging” on page 574 for more information. These
messages can alert you to system problems, such as a device that is about to fail.
The /var/adm directory contains several message files. The most recent messages
are in /var/adm/messages (and in messages.0), and the oldest are in
messages.3. After a period of time (usually every ten days), a new messages file
is created. The messages.0 file is renamed messages.1, messages.1 is renamed
messages.2, and messages.2 is renamed messages.3. The current
/var/adm/messages.3 is deleted.
Because /var/adm stores large files containing messages, crash dumps, and other
data, this directory can consume lots of disk space. To keep the /var/adm directory
from growing too large, and to ensure that future crash dumps can be saved, you
should remove unneeded files periodically. You can automate this task by using
crontab. See “How to Delete Crash Dump Files” on page 393 and Chapter 21 for
more information on automating this task.

How to View System Messages

Display recent messages generated by a system crash or reboot by using the dmesg
command.

$ dmesg

Or use the more command to display one screen of messages at a time.

$ more /var/adm/messages

For more information, refer to dmesg(1M).

Example—Viewing System Messages

The following example shows output from the dmesg command.

$ dmesg
SunOS Release 5.7 Version Generic [UNIX(R) System V Release 4.0]
Copyright (c) 1983-1998, Sun Microsystems, Inc.
vac: enabled in write through mode
cpu0: FMI,MB86904 (mid 0 impl 0x0 ver 0x4 clock 110 MHz)
mem = 57344K (0x3800000)
avail mem = 53268480
Ethernet address = [Link]
root nexus = SUNW,SPARCstation-5
iommu0 at root: obio 0x10000000
sbus0 at iommu0: obio 0x10001000

(continued)

Troubleshooting Software Problems (Overview) 571

 (Continuation)

espdma0 at sbus0: SBus slot 5 0x8400000

espdma0 is /iommu@0,10000000/sbus@0,10001000/espdma@5,8400000
esp0: esp-options=0x46
esp0 at espdma0: SBus slot 5 0x8800000 sparc ipl 4
esp0 is /iommu@0,10000000/sbus@0,10001000/espdma@5,8400000/esp@5,8800000
sd3 at esp0: target 3 lun 0
sd3 is /iommu@0,10000000/sbus@0,10001000/espdma@5,8400000/esp@5,8800000/...
root on /iommu@0,10000000/sbus@0,10001000/espdma@5,8400000/esp@5,8800000/
...
obio0 at root
.
.
.

Customizing System Message Logging

You can capture additional error messages that are generated by various system
processes by modifying the /etc/[Link] file. By default,
/etc/[Link] directs many system process messages to the /var/adm
message files. Crash and boot messages are stored here as well. To view /var/adm
messages, see “How to View System Messages” on page 571.
The /etc/[Link] file has two columns separated by tabs:

[Link] ... action

A facility or system source of the message or

[Link]
condition. May be a comma-separated listed of
facilities. Facility values are listed in Table 30–2. A
level, indicates the severity or priority of the condition
being logged. Priority levels are listed in Table 30–3.

The action field indicates where the messages are

action
forwarded.

The following example shows sample lines from a default /etc/[Link] file.

572 System Administration Guide, Volume II ♦ October 1998

 [Link] /dev/console
[Link] /var/adm/messages
[Link] ‘root, operator’
[Link] *

The most common error condition sources are shown in Table 30–2. The most
common priorities are shown in Table 30–3 in order of severity.

TABLE 30–2 Source Facilities for [Link] Messages

Source Description

kern The kernel

auth Authentication

daemon All daemons

mail Mail system

lp Spooling system

user User processes

Note - Starting in the Solaris 2.6 release, the number of syslog facilities that can be
activated in the /etc/[Link] file is unlimited. In previous releases, the
number of facilities was limited to 20.

TABLE 30–3 Priority Levels for [Link] Messages

Priority Description

emerg System emergencies

alert Errors requiring immediate correction

crit Critical errors

err Other errors

Troubleshooting Software Problems (Overview) 573

 TABLE 30–3 Priority Levels for [Link] Messages (continued)

Priority Description

info Informational messages

debug Output used for debugging

none This setting doesn’t log output

How to Customize System Message Logging

1. Become superuser.

2. Using the editor of your choice, edit the /etc/[Link] file, adding or
changing message sources, priorities, and message locations according to the
syntax described in [Link](4) .

3. Exit the file, saving the changes.

Example—Customizing Message System Logging

The following /etc/[Link] lines are provided by default during the Solaris
installation process.

[Link] /dev/console
[Link] /var/adm/messages
[Link] ‘root, operator’
[Link] *

This means the following user messages are automatically logged:

4 User errors are printed to the console and also are logged to the
/var/adm/messages file.
4 User messages requiring immediate action (alert) are sent to the root and
operator users.
4 User emergency messages are sent to individual users.

574 System Administration Guide, Volume II ♦ October 1998

CHAPTER 31

Managing System Crash Information

This section contains information about managing system crash information.

This is a list of the step-by-step instructions in this chapter.
4 “How to Display the Current Crash Dump Configuration” on page 579
4 “How to Modify a Crash Dump Configuration” on page 579
4 “How to Examine a Crash Dump” on page 581
4 “How to Recover From a Full Crash Dump Directory (Optional)” on page 582
4 “How to Disable or Enable Saving Crash Dumps (Optional)” on page 583

What’s New in Managing System Crash

Information?
This section describes the new system crash dump features available in the Solaris 7
release.

New System Crash Dump Features

The Solaris 7 system crash dump features are:
4 The new dumpadm command, which allows system administrators to configure
crash dumps of the operating system. The dumpadm configuration parameters
include the dump content, dump device, and the directory in which crash dump
files are saved. See “The dumpadm Command” on page 576 for more information
about the dumpadm command.

575
 4 Dump data is now stored in compressed format on the dump device. Kernel crash
dump images can be as big as 4 Gbytes or more. Compressing the data means
faster dumping and less disk space needed for the dump device.
4 Saving crash dump files is run in the background when a dedicated dump
device—not the swap area—is part of the dump configuration. This means a
booting system does not wait for the savecore command to complete before
going to the next step. On large memory systems, the system can be available
before savecore completes.
4 System crash dump files, generated by the savecore command, are now saved
by default.
4 The savecore -L command is a new feature which enables you to get a crash
dump of the live running Solaris operating environment. This command is
intended for troubleshooting a running system by taking a snapshot of memory
during some bad state—such as a transient performance problem or service
outage. If the system is up and you can still run some commands, you can execute
the savecore -L to save a snapshot of the system to the dump device, and then
immediately write out the crash dump files to your savecore directory. Because
the system is still running, you may only use savecore -L if you have
configured a dedicated dump device.

The dumpadm Command

The /usr/sbin/dumpadm command manages a system’s crash dump configuration
parameters. The following table describes dumpadm’s configuration parameters.

Dump Parameter Description

dump device The device that stores dump data temporarily as the system
crashes. When the dump device is not the swap area, savecore
runs in the background, which speeds up the boot process.

savecore directory The directory that stores system crash dump files.

dump content Type of data, kernel memory or all of memory, to dump.

minimum free space Minimum amount of free space required in the savecore
directory after saving crash dump files. If no minimum free
space has been configured, the default is one megabyte.

See dumpadm(1M) for more information.

The dump configuration parameters managed by the dumpadm command are stored
in the /etc/[Link] file.

576 System Administration Guide, Volume II ♦ October 1998

Note - Do not /etc/[Link] edit manually. This could result in an
inconsistent system dump configuration.

How the dumpadm Command Works

During system startup, the dumpadm command is invoked by the
/etc/init.d/savecore script to configure crash dumps parameters based on
information in the /etc/[Link] file.
Specifically, it initializes the dump device and the dump content through the
/dev/dump interface.
After the dump configuration is complete, the savecore script looks for the location
of the crash dump file directory by parsing the content of /etc/[Link] file.
Then, savecore is invoked to check for crash dumps. It will also check the content
of the minfree file in the crash dump directory.

System Crashes
System crashes can occur due to hardware malfunctions, i/o problems, and software
errors. If the system crashes, it will display an error message on the console, and
then write a copy of its physical memory to the dump device. The system will then
reboot automatically. When the system reboots, the savecore command is executed
to retrieve the data from the dump device and write the saved crash dump to your
savecore directory. The saved crash dump files provide invaluable information to
your support provider to aid in diagnosing the problem.

Crash Dump Files

The savecore command runs automatically after a system crash to retrieve the
crash dump information from the dump device and writes a pair of files called
unix.X and vmcore.X, where X identifies the dump sequence number. Together,
these files represent the saved system crash dump information. Crash dump files are
sometimes confused with core files, which are images of user applications that are
written when the application terminates abnormally.
Crash dump files are saved in a predetermined directory, which by default, is
/var/crash/hostname. In the Solaris 2.6 release and compatible versions, crash
dump files were overwritten when a system rebooted—unless you manually enabled
the system to save the images of physical memory in a crash dump file. Now the
saving of crash dump files is enabled by default.

Managing System Crash Information 577

 Saving Crash Dumps
You can examine the control structures, active tables, memory images of a live or
crashed system kernel, and other information about the operation of the kernel by
using the crash or adb utilities. Using crash or adb to its full potential requires a
detailed knowledge of the kernel, and is beyond the scope of this manual. See
crash(1M) or adb(1)for more details on using these utilities.

Additionally, crash dumps saved by savecore can be useful to send to a customer

service representative for analysis of why the system is crashing. If you will be
sending crash dump files to a customer service representative, perform the first two
tasks listed in “Managing Crash Dumps Task Map” on page 578.

Managing Crash Dumps Task Map

TABLE 31–1 Managing Crash Dumps Task Map

Task Description For Instructions, Go To

1. Display the Current Crash Display the current crash dump configuration
“How to Display the Current
Dump Configuration by using the dumpadmcommand.
Crash Dump Configuration” on
page 579

2. Modify the Crash Dump Use the dumpadm command to specify the
“How to Modify a Crash Dump
Configuration type of data to dump, whether or not the
Configuration” on page 579
system will use a dedicated dump device, the
directory for saving crash dump files, and
the amount of space that must remain
available after core files are written.

3. Examine a Crash Dump Use the crash command to view crash

“How to Examine a Crash
File dump files.
Dump” on page 581

4. Recover From a Full Crash Optional. The system crashes but there is no “How to Recover From a Full
Dump Directory room in the savecore directory, and you Crash Dump Directory
want to save some critical system crash (Optional)” on page 582
dump information.

4. Disable or Enable the Optional. Use the dumpadm command to “How to Disable or Enable
Saving of Crash Dump Files disable or enable the saving the crash dump Saving Crash Dumps
files. Saving crash dump files is enabled by (Optional)” on page 583
default.

578 System Administration Guide, Volume II ♦ October 1998

TABLE 31–1 Managing Crash Dumps Task Map (continued)

How to Display the Current Crash Dump

Configuration
1. Become superuser.

2. Display the current crash dump configuration by using the dumpadm command
without any options.

# dumpadm
Dump content: kernel pages
Dump device: /dev/dsk/c0t3d0s1 (swap)
Savecore directory: /var/pluto
Savecore enabled: yes

The above example output means:

4 The dump content is kernel memory pages.

4 Kernel memory will be dumped on a swap device, /dev/dsk/c0t3d0s1. You
can identify all your swap areas with the swap -l command.
4 Core files will be written in the /var/crash/venus directory.
4 Saving core files is enabled.

How to Modify a Crash Dump Configuration

1. Become superuser.

2. Identify the current crash dump configuration by using the dumpadm command.

# dumpadm
Dump content: kernel pages
Dump device: /dev/dsk/c0t3d0s1 (swap)
Savecore directory: /var/crash/pluto
Savecore enabled: yes

This the default dump configuration for a system running the Solaris 7 release.

Managing System Crash Information 579

 3. Modify the crash dump configuration by using the dumpadm command.

# dumpadm -c content -d dump-device -m nnnk | nnnm | nnn% -n -s savecore-dir

Specifies the type of data to dump: kernel memory or all of

−c content
memory. The default dump content is kernel memory.

Specifies the device that stores dump data temporarily as the

−d dump-device
system crashes. The primary swap device is the default
dump device.

Specifies the minimum free disk space for saving core files by
−m nnnk | nnnm | nnn%
creating a minfree file in the current savecore directory. This
parameter can be specified in kilobytes (nnnk) , megabytes
(nnnm)or file system size percentage (nnn%). The savecore
command consults this file prior to writing the crash dump
files. If writing the crash dump files, based on their size,
would decrease the amount of free space below the minfree
threshold, the dump files are not written and an error
message is logged. See “How to Recover From a Full Crash
Dump Directory (Optional)” on page 582 for recovering from
this scenario.

Specifies that savecore should not be run when the system

−n
reboots. This dump configuration is not recommended. If
system crash information is written to the swap device, and
savecore is not enabled, the crash dump information will
be overwritten when the system begins to swap.

Specifies an alternate directory for storing crash dump files.

−s
The default directory is /var/crash/hostname where
hostname is the output of the uname -n command..

Example—Modifying a Crash Dump Configuration

In this example, all of memory is dumped to the dedicated dump device,
/dev/dsk/c0t1d0s1, and and the minimum free space that must be available after
the crash dump files are saved is 10% of the file system space.

# dumpadm
Dump content: kernel pages
Dump device: /dev/dsk/c0t3d0s1 (swap)
Savecore directory: /var/crash/pluto
Savecore enabled: yes
# dumpadm -c all -d /dev/dsk/c0t1d0s1 -m 10%
Dump content: all pages

(continued)

580 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

Dump device: /dev/dsk/c0t1d0s1 (dedicated)

Savecore directory: /var/crash/pluto (minfree = 77071KB)
Savecore enabled: yes

How to Examine a Crash Dump

1. Become superuser.

2. Examine a crash dump by using the crash utility.

# /usr/sbin/crash [-d crashdump-file] [-n name-list] [-w output-file]

Specifies a file to contain the system memory

−d crashdump-file
image. The default crash dump file is /dev/mem.

Specifies a text file to contain symbol table

−n name-list
information if you want to examine symbolic
access to the system memory image. The default
file name is /dev/ksyms.

Specifies a file to contain output from a crash

−w output-file
session. The default is standard output.

3. Display crash status information.

# /usr/sbin/crash
dumpfile = /dev/mem, namelist = /dev/ksyms, outfile = stdout
> status
.
.
.
> size buf proc queue
.
.
du .

Managing System Crash Information 581

 Example—Examining a Crash Dump
The following example shows sample output from the crash utility. Information
about status, and about the buffer, process, and queue size is displayed.

# /usr/sbin/crash
dumpfile = /dev/mem, namelist = /dev/ksyms, outfile = stdout
> status
system name: SunOS
release: 5.7
node name: saturn
version: Generic
machine name: sun4m
time of crash: Thu Feb 26 [Link] 1998
age of system: 19 day, 23 hr., 55 min.
panicstr:
panic registers:
pc: 0 sp: 0
> size buf proc queue
120
1552
88

How to Recover From a Full Crash Dump

Directory (Optional)
In this scenario, the system crashes but there is no room in the savecore directory,
and you want to save some critical system crash dump information.
1. Log in as superuser after the system reboots.

2. Clear out the savecore directory, usually /var/crash/hostname, by removing

existing crash dump files that have already been sent to your service provider.
Or, run the savecore command and specify an alternate directory that has
sufficient disk space. (See the next step.)

3. Manually run the savecore command and if necessary, specify an alternate

savecore directory.

# savecore [ directory ]

582 System Administration Guide, Volume II ♦ October 1998

How to Disable or Enable Saving Crash Dumps
(Optional)
1. Become superuser.

2. Disable or enable the saving of crash dumps on your system by using the
dumpadm command.

Example—Disabling the Saving of Crash Dumps

This example illustrates how to disable the saving of crash dumps on your system.

# dumpadm -n
Dump content: all pages
Dump device: /dev/dsk/c0t1d0s1 (dedicated)
Savecore directory: /var/crash/pluto (minfree = 77071KB)
Savecore enabled: no

Example—Enabling the Saving of Crash Dumps

This example illustrates how to enable the saving of crash dump on your system.

# dumpadm -y
Dump content: all pages
Dump device: /dev/dsk/c0t1d0s1 (dedicated)
Savecore directory: /var/crash/pluto (minfree = 77071KB)
Savecore enabled: yes

Managing System Crash Information 583

584 System Administration Guide, Volume II ♦ October 1998
CHAPTER 32

Troubleshooting Miscellaneous Software

Problems

This chapter describes miscellaneous software problems that may occur occasionally
and are relatively easy to fix. Troubleshooting miscellaneous software problems
includes solving problems that aren’t related to a specific software application or
topic, such as unsuccessful reboots and full file systems. Resolving these problems
are described in the following sections.
This is a list of information in this chapter.
4 “What to Do If Rebooting Fails” on page 585
4 “What to Do If a System Hangs” on page 586
4 “What to Do If a File System Fills Up” on page 587
4 “What to Do If File ACLs Are Lost After Copy or Restore” on page 588
4 “Troubleshooting Backup Problems” on page 588

What to Do If Rebooting Fails

If the system does not reboot completely, or if it reboots and then crashes again,
there may be a software or hardware problem that is preventing the system from
booting successfully.

585
 Problem — A System Won’t Boot Because ... How to Fix the Problem

The system can’t find /platform/‘uname You may need to change the boot-device
-m‘/kernel/unix. setting in the PROM on a SPARC system.
See “Booting a SPARC System (Tasks)” in
System Administration Guide, Volume I for
information on changing the default boot
device.

There is no default boot device on an x86 Boot the system using the Configuration
system. The message displayed is: Assistant/Boot diskette and select the disk
from which to boot.
Not a UFS filesystem.

There’s an invalid entry in the /etc/ See “Shutting Down and Booting a System
passwd file. (Overview)” in System Administration Guide,
Volume I for information on recovering from
an invalid passwd file.

There’s a hardware problem with a disk or Check the hardware connections:

another device. 4 Make sure the equipment is plugged in.
4 Make sure all the switches are set
properly.
4 Look at all the connectors and cables,
including the Ethernet cables.
4 If all this fails, turn off the power to the
system, wait 10 to 20 seconds, and then
turn on the power again.

If none of the above suggestions solve the problem, contact your local service
provider.

What to Do If a System Hangs

A system may freeze or hang rather than crash completely if some software process
is stuck. Follow these steps to recover from a hung system.

1. Determine whether the system is running a window environment and follow the
suggestions listed below. If these suggestions don’t solve the problem, go to step
2.

4 Make sure the pointer is in the window where you are typing the commands

4 Press Control-q in case the user accidently pressed Control-s, which freezes the
screen. Control-s freezes only the window, not the entire screen. If a window is
frozen, try using another window.

586 System Administration Guide, Volume II ♦ October 1998

 4 If possible, log in remotely from another system on the network. Use the
pgrep command to look for the hung process. If it looks like the window
system is hung, identify the process and kill it.
2. Press Control-\ to force a “quit” in the running program and (probably) write out
a core file.
3. Press Control-c to interrupt the program that may be running.
4. Log in remotely and attempt to identify and kill the process that is hanging the
system.
5. Log in remotely, become superuser and reboot the system.
6. If the system still does not respond, force a crash dump and reboot. See Chapter
31 for information on forcing a crash dump and booting.
7. If the system still does not respond, turn the power off, wait a minute or so, then
turn the power back on.
8. If you cannot get the system to respond at all, contact your local service provider
for help.

What to Do If a File System Fills Up

When the root (/) file system or any other file system fills up, you will see the
following message in the console window:

.... file system full

There are several reasons why a file system fills up. The following sections describe
several scenarios for recovering from a full file system. See Chapter 19 for information
on routinely cleaning out old and unused files to prevent full file systems.

A File System Fills Up Because a Large File or

Directory Was Created
Reason Error Occurred How to Fix the Problem

Someone accidentally copied a file or Log in as superuser and use the ls -tl
directory to the wrong location. This also command in the specific file system to
happens when an application crashes and identify which large file is newly created
writes a large core file into the file system. and remove it. See “How to Find and Delete
core Files” on page 393 to remove core
files.

Troubleshooting Miscellaneous Software Problems 587

 The tmpfs
File System Is Full Because the System Ran Out
of Memory
Reason Error Occurred How to Fix the Problem

This can occur if tmpfs is trying to write See tmpfs(7FS) for information on
more than it is allowed or some current recovering from tmpfs-related error
processes are using a lot of memory. messages.

What to Do If File ACLs Are Lost After

Copy or Restore
Reason Error Occurred How to Fix the Problem

If files or directories with ACLs are copied or Copy or restore files into the /var/tmp
restored into the /tmp directory, the ACL directory instead.
attributes are lost. The /tmp directory is
usually mounted as a temporary file system,
which doesn’t support UFS file system
attributes such as ACLs.

Troubleshooting Backup Problems

This section describes some basic troubleshooting techniques to use when backing up
and restoring data.

The root (/) File System Fills Up After You Back

Up a File System
You back up a file system, and the root (/) file system fills up. Nothing is written to
the media, and the ufsdump command prompts you to insert the second volume of
media.

588 System Administration Guide, Volume II ♦ October 1998

 Reason Error Occurred How to Fix the Problem

If you used an invalid destination device Use the ls -tl command in the /dev
name with the −f option, the ufsdump directory to identify which file is newly
command wrote to a file in the /dev created and abnormally large, and remove it.
directory of the root (/) file system, filling it
up. For example, if you typed /dev/rmt/
st0 instead of /dev/rmt/0, the backup file
/dev/rmt/st0 was created on the disk
rather than being sent to the tape drive.

Make Sure the Backup and Restore Commands

Match
You can only use ufsrestore to restore files backed up with ufsdump. If you back
up with tar, restore with tar. If you use the ufsrestore command to restore a
tape that was written with another command, an error message tells you that the
tape is not in ufsdump format.

Check to Make Sure You Have the Right Current

Directory
It is easy to restore files to the wrong location. Because the ufsdump command
always copies files with full path names relative to the root of the file system, you
should usually change to the root directory of the file system before running
ufsrestore. If you change to a lower-level directory, after you restore the files you
will see a complete file tree created under that directory.

Use the Old restore Command to Restore

Multivolume Diskette Backups
You cannot use the ufsrestore command to restore files from a multivolume
backup set of diskettes made with the dump command. You must restore the files on
a SunOS 4.1 system.

Interactive Commands
When you use the interactive command, a ufsrestore> prompt is displayed, as
shown in this example:

Troubleshooting Miscellaneous Software Problems 589

 # ufsrestore ivf /dev/rmt/0
Verify volume and initialize maps
Media block size is 126
Dump date: Tue Jun 16 [Link] 1998
Dumped from: the epoch
Level 0 dump of / on mars:/dev/dsk/c0t3d0s0
Label: none
Extract directories from tape
Initialize symbol table.
ufsrestore >

At the ufsrestore> prompt, you can use the commands listed on “The ufsdump
and ufsrestore Commands (Reference)” in System Administration Guide, Volume I to
find files, create a list of files to be restored, and restore them.

590 System Administration Guide, Volume II ♦ October 1998

CHAPTER 33

Troubleshooting File Access Problems

This is a list of troubleshooting topics in this chapter.

4 “Solving Problems With Search Paths (Command not found)” on page 591
4 “Solving File Access Problems” on page 594
4 “Recognizing Problems With Network Access” on page 595
Users frequently experience problems—and call on a system administrator for
help—because they cannot access a program, a file, or a directory that they could
previously use. Whenever you encounter such a problem, investigate one of three
areas:
4 The user’s search path may have been changed, or the directories in the search
path may not be in the proper order.
4 The file or directory may not have the proper permissions or ownership.
4 The configuration of a system accessed over the network may have changed.
This chapter briefly describes how to recognize problems in each of these three areas
and suggests possible solutions.

Solving Problems With Search Paths

(Command not found)
A message of Command not found indicates one of the following:
4 The command is not available on the system.
4 The command directory is not in the search path.

591
 To fix a search path problem, you need to know the pathname of the directory where
the command is stored.
If the wrong version of the command is found, a directory that has a command of
the same name is in the search path. In this case, the proper directory may be later in
the search path or may not be present at all.
You can display your current search path by using the echo $PATH command.

$ echo $PATH
/home/kryten/bin:/sbin:/usr/sbin:/usr/openwin/bin:/usr/openwin/bin/xview:
/usr/dist/local/exe:/usr/dist/exe

Use the which command to determine whether you are running the wrong version
of the command.

$ which maker
/usr/doctools/frame5.1/bin/maker

Note - The which command looks in the .cshrc file for path information. The
which command may give misleading results if you execute it from the Bourne or
Korn shell and you have a .cshrc file than contains aliases for the which
command. To ensure accurate results, use the which command in a C shell, or, in the
Korn shell, use the whence command.

How to Diagnose and Correct Search Path

Problems
1. Display the current search path to verify that the directory for the command is
not in your path or that it isn’t mispelled.

$ echo $PATH

2. Check the following:

4 Is the search path correct?
4 Is the search path listed before other search paths where another version of the
command is found?
4 Is the command in one of the search paths?
If the path needs correction, go to step 3. Otherwise, go to step 4.

3. Add the path to the appropriate file, as shown in this table.

592 System Administration Guide, Volume II ♦ October 1998

 Shell File Syntax Notes

Bourne and $HOME/ $ PATH=$HOME/bin:/sbin:/usr/local A colon separates

Korn .profile /bin ... path names.

$ export PATH

C $HOME/ A blank space

hostname% set path=(~bin /sbin
.cshrc /usr/local/bin ...) separates path
names.
or

$HOME/
.login

4. Activate the new path as follows:

File Where Path Is

Shell Located Activate The Path With ...

Bourne and .profile $ . ./.profile

Korn

C .cshrc hostname% source .cshrc

.login hostname% source .login

5. Verify the path using the command shown below.

$ which command

Example—Diagnosing and Correcting Search Path Problems

This example shows that the OpenWindows executable is not in any of the
directories in the search path using the which command.

venus% openwin
openwin: Command not found
venus% echo $PATH
no openwin in . /home/ignatz /sbin /usr/sbin /usr/bin /etc
/home/ignatz/bin /bin /home/bin /usr/etc

(continued)

Troubleshooting File Access Problems 593

 (Continuation)

venus% vi ~.cshrc
(Add appropriate command directory to the search path)
venus% source .cshrc
venus% openwin

If you cannot find a command, look at the man page for its directory path. For
example, if you cannot find the lpsched command (the lp printer daemon),
lpsched(1M) tells you the path is /usr/lib/lp/lpsched.

Solving File Access Problems

When users cannot access files or directories that they previously could access, the
permissions or ownership of the files or directories probably has changed.

Changing File and Group Ownerships

Frequently, file and directory ownerships change because someone edited the files as
superuser. When you create home directories for new users, be sure to make the user
the owner of the dot (.) file in the home directory. When users do not own “.” they
cannot create files in their own home directory.
Access problems can also arise when the group ownership changes or when a group
of which a user is a member is deleted from the /etc/group database.
Table 33–1 for information about how to change the permissions or ownership of a
file that you are having problems accessing.

594 System Administration Guide, Volume II ♦ October 1998

TABLE 33–1 Solving File Access Problems

If You Need to Change the Use the ... For More Details, See ...
...

Permission on a file
chmod(1) command “How to Change
Permissions in Absolute
Mode” on page 274

Ownership of a file
chown(1) command “How to Change the Owner
of a File” on page 269

Group ownership of a file

chgrp(1) command “How to Change Group
Ownership of a File” on
page 270

Recognizing Problems With Network

Access
If users have problems using the rcp remote copy command to copy files over the
network, the directories and files on the remote system may have restricted access by
setting permissions. Another possible source of trouble is that the remote system and
the local system are not configured to allow access.

See NFS Administration Guide for information about problems with network access
and problems with accessing systems through AutoFS.

Troubleshooting File Access Problems 595

596 System Administration Guide, Volume II ♦ October 1998
CHAPTER 34

Troubleshooting Printing Problems

This chapter explains how to troubleshoot printing problems that may occur when
you set up or maintain printing services.
This is a list of step-by-step instructions in this chapter.
4 “How to Troubleshoot No Printer Output” on page 603
4 “How to Troubleshoot Incorrect Output” on page 618
4 “How to Unhang the LP Print Service” on page 624
4 “How to Troubleshoot an Idle (Hung) Printer” on page 625
4 “How to Resolve Conflicting Printer Status Messages” on page 627
See for information about printing and the LP print service.

Tips on Troubleshooting
Sometimes after setting up a printer, you find that nothing prints. Or, you may get a
little farther in the process: something prints, but it is not what you expect—the
output is incorrect or illegible. Then, when you get past these problems, other
problems may occur, such as:
4 LP commands hanging
4 Printers becoming idle
4 Users getting conflicting messages

Note - Although many of the suggestions in this chapter are relevant to parallel
printers, they are geared toward the more common serial printers.

597
 Troubleshooting Adding a Printer
If you use Admintool to add access to a remote printer after installing the Solaris
release, and you get the following message:

Admintool: Error
add remote printer failed

It is possible that the SunSoft Print Client software is installed in your network and
the remote printer is already available to you. Use the lpstat -t command before
adding a printer to see if the printer is available.

Troubleshooting No Output (Nothing Prints)

When nothing prints, there are three general areas to check:
4 The printer hardware
4 The network
4 The LP print service
If you get a banner page, but nothing else, this is a special case of incorrect output.
See “Troubleshooting Incorrect Output” on page 600.

Check the Hardware

The hardware is the first area to check. As obvious as it sounds, you should make
sure that the printer is plugged in and turned on. In addition, you should refer to the
manufacturer’s documentation for information about hardware settings. Some
computers use hardware switches that change the characteristics of a printer port.
The printer hardware includes the printer, the cable that connects it to the computer,
and the ports into which the cable plugs at each end. As a general approach, you
should work your way from the printer to the computer. Check the printer. Check
where the cable connects to the printer. Check the cable. Check where the cable
connects to the computer.

Check the Network

Problems are more common with remote print requests—those going from a print
client to a print server. You should make sure that network access between the print
server and print clients is enabled.
If the network is running the Network Information Service Plus (NIS+), see the
Solaris Naming Administration Guide for instructions to enable access between

598 System Administration Guide, Volume II ♦ October 1998

systems. If the network is not running the Network Information Service (NIS) or
NIS+, before you set up print servers and print clients, include the Internet address
and system name for each client system in the /etc/hosts file on the print server.
Also, the Internet address and system name for the print server must be included in
the /etc/hosts file of each print client system.

Check the LP Print Service

For printing to work, the LP scheduler must be running on both the print server and
print client. If it is not running, you need to start it using the
/usr/lib/lp/lpsched command. If you have trouble starting the scheduler, see
“How to Restart the Print Scheduler” on page 66.
In addition to the scheduler running, a printer must be enabled and accepting
requests before it will produce any output. If the LP print service is not accepting
requests for a printer, the submitted print requests are rejected. Usually, in that
instance, the user receives a warning message after submitting a print request. If the
LP print service is not enabled for a printer, print requests remain queued on the
system until the printer is enabled.
In general, you should analyze a printing problem as follows:
4 Follow the path of the print request step-by-step.
4 Examine the status of the LP print service at each step.

4 Is the configuration correct?

4 Is the printer accepting requests?
4 Is the printer enabled to process requests?

4 If the request is hanging on transmission, set up [Link] in [Link] to

display the flow.
4 If the request is hanging locally, examine the lpsched log
(/var/lp/logs/lpsched).
4 If the request is hanging locally, have notification of the printer device errors
(faults) mailed to you, and re-enable the printer.
The procedures found in “Troubleshooting Printing Problems” on page 603 use this
strategy to help you troubleshoot various problems with the LP print service.
If basic troubleshooting of the LP print service does not solve the problem, you need
to follow the troubleshooting steps for the specific client/server case that applies:
4 SunOS 5.7 or compatible print client using a SunOS 5.7 or compatible print server
(for instructions, see “To check printing from a SunOS 5.7 or compatible print
client to a SunOS 5.7 or compatible print server:” on page 610)
4 SunOS 5.7 or compatible print client using a SunOS 4.1 print server (for
instructions, see “To check printing from a SunOS 5.7 or compatible print client to
a SunOS 4.1 print server:” on page 611)

Troubleshooting Printing Problems 599

 4 SunOS 4.1 print client using a SunOS 5.7 or compatible print server (for
instructions, see “To check printing from a SunOS 4.1 client to a SunOS 5.7 or
compatible print server: ” on page 614)

Troubleshooting Incorrect Output

If the printer and the print service software are not configured correctly, the printer
may print, but it may provide output that is not what you expect.

Check the Printer Type and File Content Type

If you used the wrong printer type when you set up the printer with the LP print
service, inappropriate printer control characters can be sent to the printer. The results
are unpredictable: nothing may print, the output may be illegible, or the output may
be printed in the wrong character set or font.
If you specified an incorrect file content type on a SunOS 5.7 or compatible print
client or a SunOS 5.7 or compatible print server, the banner page may print, but that
is all. The file content types specified for a printer indicate the types of files the
printer can print directly, without filtering. When a user sends a file to the printer,
the file is sent directly to the printer without any attempt to filter it. The problem
occurs if the printer cannot handle the file content type.
When setting up print clients, you increase the chance for a mistake because the file
content types must be correct on both the print server and the print client. If you set
up the print client as recommended with any as the file content type, files are sent
directly to the print server and the print server determines the need for filtering.
Therefore, the file content types have to be specified correctly only on the server.
You can specify a file content on the print client to off-load filtering from the server
to the client, but the content type must be supported on the print server.

Check the stty Settings

Many formatting problems can result when the default stty (standard terminal)
settings do not match the settings required by the printer. The following sections
describe what happens when some of the settings are incorrect.

Wrong Baud Settings

When the baud setting of the computer does not match the baud setting of the
printer, usually you get some output, but it does not look like the file you submitted
for printing. Random characters are displayed, with an unusual mixture of special
characters and undesirable spacing. The default for the LP print service is 9600 baud.

600 System Administration Guide, Volume II ♦ October 1998

Note - If a printer is connected by a parallel port, the baud setting is irrelevant.

Wrong Parity Setting

Some printers use a parity bit to ensure that data received for printing has not been
garbled during transmission. The parity bit setting for the computer and the printer
must match. If they do not match, some characters either will not be printed at all, or
will be replaced by other characters. In this case, the output looks approximately
correct; the word spacing is all right and many letters are in their correct place. The
LP print service does not set the parity bit by default.

Wrong Tab Settings

If the file contains tabs, but the printer expects no tabs, the printed output may
contain the complete contents of the file, but the text may be jammed against the right
margin. Also, if the tab settings for the printer are incorrect, the text may not have a
left margin, it may run together, it may be concentrated to a portion of the page, or it
may be incorrectly double-spaced. The default is for tabs to be set every eight spaces.

Wrong Return Setting

If the output is double-spaced, but it should be single-spaced, either the tab settings
for the printer are incorrect or the printer is adding a line feed after each return. The
LP print service adds a return before each line feed, so the combination causes two
line feeds.
If the print zigzags down the page, the stty option onlcr that sends a return
before every line feed is not set. The stty=onlcr option is set by default, but you
may have cleared it while trying to solve other printing problems.

Troubleshooting Hung LP Print Service

Commands
If you type any of the LP commands (such as lpsystem, lpadmin, or lpstat) and
nothing happens (no error message, status information, or prompt is displayed),
chances are something is wrong with the LP scheduler. Such a problem can usually
be resolved by stopping and restarting the LP scheduler. See “How to Stop the Print
Scheduler” on page 65 and for instructions.

Troubleshooting Printing Problems 601

 Troubleshooting Idle (Hung) Printers
You may find a printer that is idle, even though it has print requests queued to it. A
printer may seem idle when it should not be for one of the following reasons:
4 The current print request is being filtered.
4 The printer has a fault.
4 Networking problems may be interrupting the printing process.

Check the Print Filters

Slow print filters run in the background to avoid tying up the printer. A print
request that requires filtering will not print until it has been filtered.

Check Printer Faults

When the LP print service detects a fault, printing resumes automatically, but not
immediately. The LP print service waits about five minutes before trying again, and
continues trying until a request is printed successfully. You can force a retry
immediately by enabling the printer.

Check Network Problems

When printing files over a network, you may encounter the following types of
problems:
4 Requests sent to print servers may back up in the client system (local) queue.
4 Requests sent to print servers may back up in the print server (remote) queue.

Print Requests Backed Up in the Local Queue

Print requests submitted to a print server may back up in the client system queue for
the following reasons:
4 The print server is down.
4 The printer is disabled on the print server.
4 The network between the print client and print server is down.
4 Underlying SunOS 5.7 or compatible network software was not set up properly.
While you are tracking the source of the problem, you should stop new requests
from being added to the queue. See “How to Accept or Reject Print Requests for a
Printer” on page 81 for more information.

602 System Administration Guide, Volume II ♦ October 1998

Print Requests Backed Up in the Remote Queue
If print requests back up in the print server queue, the printer has probably been
disabled. When a printer is accepting requests, but not processing them, the requests
are queued to print. Unless there is a further problem, once the printer is enabled,
the print requests in the queue should print.

Troubleshooting Conflicting Status Messages

A user may enter a print request and be notified that the client system has accepted
it, then receive mail from the print server that the print request has been rejected.
These conflicting messages may occur for the following reasons:
4 The print client may be accepting requests, while the print server is rejecting
requests.
4 The definition of the printer on the print client might not match the definition of
that printer on the print server. More specifically, the definitions of the print job
components, like filters, character sets, print wheels, or forms are not the same on
the client and server systems.
You should check that identical definitions of these job components are registered on
both the print clients and print servers so that local users can access printers on the
print servers.

Troubleshooting Printing Problems

This section contains step-by-step instructions that explain:
4 How to troubleshoot no output
4 How to troubleshoot incorrect output
4 How to unhang the LP commands
4 How to troubleshoot an idle (hung) printer
4 How to resolve conflicting status messages

How to Troubleshoot No Printer Output

This task includes the following troubleshooting procedures to try when you submit
a print request to a printer and nothing prints:

4 Check the hardware (“To check the hardware:” on page 604).

4 Check the network (“To check the network:” on page 605).

Troubleshooting Printing Problems 603

 4 Check the LP print service basic functions (“To check the basic functions of the LP
print service: ” on page 606)
4 Check printing from a SunOS 5.7 or compatible print client to a SunOS 5.7 or
compatible print server (“To check printing from a SunOS 5.7 or compatible print
client to a SunOS 5.7 or compatible print server:” on page 610).
4 Check printing from a SunOS 5.7 or compatible print client to a SunOS 4.1 print
server (“To check printing from a SunOS 5.7 or compatible print client to a SunOS
4.1 print server:” on page 611).
4 Check printing from a SunOS 4.1 print client to a SunOS 5.7 or compatible print
server (“To check printing from a SunOS 4.1 client to a SunOS 5.7 or compatible
print server: ” on page 614).
Try the first three procedures in the order in which they are listed, before going to
the specific print client/server case that applies. However, if the banner page prints,
but nothing else does, turn to the instructions under “How to Troubleshoot Incorrect
Output” on page 618.

To check the hardware:

1. Check that the printer is plugged in and turned on.

2. Check that the cable is connected to the port on the printer and to the port on
the system or server.

3. Make sure that the cable is the correct cable and that it is not defective.
Refer to the manufacturer‘s documentation. If the printer is connected to a serial
port, verify that the cable supports hardware flow control; a NULL modem
adapter supports this. Table 34–1 shows the pin configuration for NULL modem
cables.

TABLE 34–1 Pin Configuration for NULL Modem Cables

Host Printer

Mini-Din-8 25-Pin D-sub 25-Pin D-sub

- 1 (FG) 1(FG)

3(TD) 2(TD) 3(RD)

5(RD) 3(RD) 2(TD)

6(RTS) 4(RTS) 5(CTS)

604 System Administration Guide, Volume II ♦ October 1998

TABLE 34–1 Pin Configuration for NULL Modem Cables (continued)

Host Printer

Mini-Din-8 25-Pin D-sub 25-Pin D-sub

2(CTS) 5(CTS) 4(RTS)

4(SG) 7(SG) 7(SG)

7(DCD) 6(DSR), 8(DCD) 20(DTR)

1(DTR) 20(DTR) 6(DSR), 8(DCD)

4. Check that any hardware switches for the ports are set properly.
See the printer documentation for the correct settings.

5. Check that the printer is operational.

Use the printer’s self-test feature, if the printer has one. Check the printer
documentation for information about printer self-testing.

6. Check that the baud settings for the computer and the printer are correct.
If the baud settings are not the same for both the computer and the printer,
sometimes nothing will print, but more often you get incorrect output. For
instructions, see “How to Troubleshoot Incorrect Output” on page 618.

To check the network:

1. Check that the network link between the print server and the print client is
setup correctly.

print_client# ping print_server

print_server is alive
print_server# ping print_client
print_client not available

If the message says the system is alive, you know you can reach the system, so
the network is all right. The message also tells you that either a name service or
the local /etc/hosts file has translated the host (system) name you entered into
an IP address; otherwise, you would need to enter the IP address.

Troubleshooting Printing Problems 605

 If you get a not available message, try to answer the following questions:
How is NIS or NIS+ set up at your site? Do you need to take additional steps so
that print servers and print clients can communicate with one another? If your
site is not running NIS or NIS+, have you entered the IP address for the print
server in each print client’s /etc/hosts file, and entered all print client IP
addresses in the /etc/hosts file of the print server?

2. (On a SunOS 5.0–5.1 print server only) Check that the listen port monitor is
configured correctly.

3. (On a SunOS 5.0–5.1 print server only) Check that the network listen services
are registered with the port monitor on the print server.

To check the basic functions of the LP print service:

This procedure uses the printer luna as an example of checking basic LP print
service functions.
1. On both the print server and print client, make sure that the LP print service is
running.
a. Check whether the LP scheduler is running.

# lpstat -r
scheduler is running

b. If the scheduler is not running, become superuser or lp, and start the
scheduler.

# /usr/lib/lp/lpsched

If you have trouble starting the scheduler, see “How to Unhang the LP Print
Service” on page 624.

2. On both the print server and print client, make sure that the printer is
accepting requests.
a. Check that the printer is accepting requests.

606 System Administration Guide, Volume II ♦ October 1998

 # lpstat -a
mars accepting requests since Jun 16 10:37 1998
luna not accepting requests since Jun 16 10:37 1998
unknown reason

This command verifies that the LP system is accepting requests for each
printer configured for the system.

b. If the printer is not accepting requests, become superuser or lp, and allow
the printer to accept print requests.

# accept luna

The specified printer now accepts requests.

3. On both the print server and print client, make sure that the printer is enabled
to print submitted print requests.
a. Check that the printer is enabled.

# lpstat -p luna
printer luna disabled since Jun 16 10:40 1998.
available.
unknown reason

This command displays information about printer status. You can omit the
printer name to obtain information about all printers set up for the system.
The following example shows a printer that is disabled.

b. If the printer is disabled, become superuser or lp, and enable the printer.

# enable luna
printer "luna" now enabled.

The specified printer is enabled to process print requests.

4. On the print server, make sure that the printer is connected to the correct serial
port.
a. Check that the printer is connected to the correct serial port.

Troubleshooting Printing Problems 607

 # lpstat -t
scheduler is running
system default destination: luna
device for luna: /dev/term/a

The message device for printer-name shows the port address. Is the cable
connected to the port to which the LP print service says is connected? If the
port is correct, skip to Step 5 on page 608.

b. Become superuser or lp.

c. Change the file ownership of the device file that represents the port.

# chown lp device-filename

This command assigns the special user lp as the owner of the device file. In
this command, device-filename is the name of the device file.

d. Change the permissions on the printer port device file.

# chmod 600 device-filename

This command allows only superuser or lp to access the printer port device
file.

5. On both the print server and print client, make sure that the printer is
configured properly.
a. Check that the printer is configured properly.

# lpstat -p luna -l
printer luna is idle. enabled since Jun 16 10:38 1998. available.
Content types: postscript
Printer types: PS

The above example shows a PostScript printer that is configured properly, and
that is available to process print requests. If the printer type and file content
type are correct, skip to Step 6 on page 609.

b. If the printer type or file content type is incorrect, try setting the print type
to unknown and the content type to any on the print client.

608 System Administration Guide, Volume II ♦ October 1998

 # lpadmin -p printer-name -T printer-type -I file-content-type

6. On the print server, make sure that the printer is not faulted.
a. Check that the printer is not waiting because of a printer fault.

# lpadmin -p printer-name -F continue

This command instructs the LP print service to continue if it is waiting

because of a fault.

b. Force an immediate retry by re-enabling the printer.

# enable printer-name

c. (Optional) Instruct the LP print service to enable quick notification of

printer faults.

# lpadmin -p printer-name -A ’write root’

This command instructs the LP print service to set a default policy of writing
root—sending the printer fault message to the terminal on which root is
logged in—if the printer fails. This may help you get quick notification of
faults as you try to fix the problem.

7. Make sure that the printer is not set up incorrectly as a login terminal.

Note - It is easy to mistakenly set up a printer as a login terminal, so be sure to

check this possibility even if you think it does not apply.

a. Look for the printer port entry in the ps -ef command output.

# ps -ef
root 169 167 0 Apr 04 ? 0:08 /usr/lib/saf/listen tcp
root 939 1 0 [Link] ? 0:02 /usr/lib/lpsched
root 859 858 0 [Link] term/a 0:01 /bin/sh -c \ /etc/lp
/interfaces/luna
luna-294 rocket!smith ‘‘passwd\n##
#

Troubleshooting Printing Problems 609

 In the output from this command, look for the printer port entry. In the above
example, port /dev/term/a is set up incorrectly as a login terminal. You can
tell by the "passwd\n## information at the end of the line. If the port is set
correctly, skip the last steps in this procedure.

b. Cancel the print request(s).

# cancel request-id

In this command, request-id is the request ID number for a print request to be

canceled.

c. Set the printer port to be a nonlogin device.

# lpadmin -p printer-name -h

d. Check the ps -ef command output to verify that the printer port is no
longer a login device.
If you do not find the source of the printing problem in the basic LP print
service functions, continue to one of the following procedures for the specific
client/server case that applies.

To check printing from a SunOS 5.7 or compatible print client

to a SunOS 5.7 or compatible print server:
1. Check the basic functions of the LP print service on the print server, if you
have not done so already.
For instructions on checking basic functions, see “To check the basic functions of
the LP print service: ” on page 606. Make sure that the printer works locally
before trying to figure out why nothing prints when a request is made from a
print client.

2. Check the basic functions of the LP print service on the print client, if you
have not done so already.
For instructions on checking basic functions, see “To check the basic functions of
the LP print service: ” on page 606. On the print client, the LP scheduler has to be
running, and the printer has to be enabled and accepting requests before any
request from the client will print.

Note - For most of the following steps, you must be logged in as root or lp.

610 System Administration Guide, Volume II ♦ October 1998

3. Make sure that the print server is accessible.
a. On the print client, send an “are you there?” request to the print server.

print_client# ping print_server

If you receive the message print_server not available, you may have a
network problem.

4. On SunOS 5.1 print client only, make sure that the print server is identified as
type s5 by viewing the Modify Printer window in Admintool.

5. Verify that the print server is operating properly.

# lpstat -t luna
scheduler is running
system default destination: luna
device for luna: /dev/term/a
luna accepting requests since Jun 16 10:39 1998. available.
printer luna now printing luna-314. enabled since Jun 16 10:39 1998.
available.
luna-129 root 488 Jun 16 10:45
#

The above example shows a print server up and running.

6. If the print server is not operating properly, go back to step 1.

To check printing from a SunOS 5.7 or compatible print client

to a SunOS 4.1 print server:

1. Check the basic functions of the LP print service on the print client, if you
have not done so already.
For instructions, see “To check the basic functions of the LP print service: ” on
page 606.

2. Make sure that the print server is accessible.

a. On the print client, send an “are you there?” request to the print server.

print_client# ping print_server

Troubleshooting Printing Problems 611

 If you receive the message print_server not available, you may have a
network problem.

3. Make sure that the lpd daemon on the print server is running.
a. On the print server, verify the lpd daemon is running.

$ ps -ax | grep lpd

126 ? IW 0:00 /usr/lib/lpd
200 p1 S 0:00 grep lpd
$

If the lpd daemon is running, a line is displayed, as shown in the above

example. If it is not running, no process information is shown.

b. If lpd is not running on the print server, become superuser on the print
server, and restart it.

# /usr/lib/lpd &

4. Make sure that the remote lpd daemon is configured properly.

a. On the print server, become superuser, and invoke the lpc command.

# /usr/etc/lpc
lpc>

b. Get LP status information.

612 System Administration Guide, Volume II ♦ October 1998

 lpc> status
luna:
queuing is enabled
printing is enabled
no entries
no daemon present
lpc>

Status information is displayed. In the above example, the daemon is not

running and needs to be restarted.

c. If no daemon is present, restart the daemon.

lpc> restart luna

The daemon is restarted.

d. Verify that the lpd daemon has started.

lpc> status

e. Quit the lpc command.

lpc> quit

The shell prompt is redisplayed.

5. Make sure that the print client has access to the print server.
a. Check if there is an /etc/[Link] file on the 4.1 print server.
On a 4.1 print server, if this file exists, it is used to determine whether an
incoming print request can be accepted. If the file does not exist, all print
client systems have access, so skip steps b and c.

b. If the file exists, see if the print client is listed in the file.
Requests from client systems not listed in the file are not transferred to the
print server.

c. If the client is not listed, add the print client to the file.

Note - If you get this far without pinpointing the problem, the SunOS 4.1
system is probably set up and working properly.

Troubleshooting Printing Problems 613

 6. Make sure that the connection to the remote lpd print daemon from the print
client is made correctly.
a. On the print client, become superuser, and verify the lpsched daemon is
running.

# ps -ef | grep lp
root 154 1 80 Jan 07 ? 0:02 /usr/lib/lpsched

The lpsched daemon should be running, as shown in the above example.

b. Stop the LP print service.

# lpshut

The LP print service is stopped.

c. Restart the LP print service.

# /usr/lib/lp/lpsched

The LP print service is restarted.

7. Make sure that the remote print server is identified correctly as a SunOS 4.1
system.

To check printing from a SunOS 4.1 client to a SunOS 5.7 or

compatible print server:
1. Check the basic functions of the LP print service on the print server, if you
have not done so already.
For instructions, see “To check the basic functions of the LP print service: ” on
page 606. Make sure that the printer works locally before trying to figure out why
nothing prints when a request is made from a print client.

Note - You should be logged in as superuser or lp on the system specified in the

following steps.

2. Make sure that the print client is accessible.

614 System Administration Guide, Volume II ♦ October 1998

 a. On the SunOS 5.7 or compatible print server, send an “are you there?”
request to the print client.

print_server# ping print_client

print_client is alive

If you receive the message print_client not available, you may have a
network problem.

3. On the print client, verify the printer is set up correctly.

# lpr -P luna /etc/fstab

lpr: cannot access luna
#

This command shows whether the print client is working. The above example
shows that the print client is not working correctly.

4. Make sure that the lpd daemon is running on the print client.
a. Verify the lpd daemon is running.

# ps -ax | grep lpd

118 ? IW 0:02 /usr/lib/lpd
#

This command shows if the lpd daemon is running on the print client. The
above example shows that the daemon is running.

b. On the print client, start the lpd daemon.

Troubleshooting Printing Problems 615

 # /usr/lib/lpd &

5. On the print client, make sure that there is a printcap entry identifying the
printer.
a. Verify the printer is known.

# lpr -P mercury /etc/fstab

lpr: mercury: unknown printer
#

The above example shows that the /etc/printcap file does not have an
entry for the specified printer.

b. If there is no entry, edit the /etc/printcap file and add the following
information:

printer-name|print-server:\
:lp=:rm=print-server:rp=printer-name:br#9600:rw:\
:lf=/var/spool/lpd/printer-name/log:\
:sd=/var/spool/lpd/printer-name:

The following example shows an entry for printer luna connected to print
server neptune.

luna|neptune:\
:lp=:rm=neptune:rp=luna:br#9600:rw:\
:lf=/var/spool/lpd/luna/log:\
:sd=/var/spool/lpd/luna:

c. Create a spooling directory (/var/spool/lpd/printer-name) for the printer.

6. Make sure that the print client lpd is not in a wait state by forcing a retry.
If the print server is up and responding, the print client lpd may be in a wait
state before attempting a retry.

616 System Administration Guide, Volume II ♦ October 1998

 a. As superuser on the print client, invoke the lpc command.
The lpc> prompt is displayed.

b. Restart the printer.

c. Quit the lpc command.

The shell prompt is redisplayed.

# lpc
lpc> restart luna
luna:
no daemon to abort
luna:
daemon started
# quit
$

7. Check the connection to the print server.

a. On the print client, become superuser, and check the printer log file.

# more /var/spool/lpd/luna/log

Frequently, no information is displayed.

b. Also check the printer status log.

# more /var/spool/lpd/luna/status
waiting for luna to come up
#

c. If the connection is all right, on the print server, verify the print server is
setup correctly.

Troubleshooting Printing Problems 617

 # lpstat -t
scheduler is running
system default destination: luna
device for luna: /dev/term/a
luna accepting requests since Jun 16 10:41 1998
printer luna now printing luna-314. enabled since
Jun 16 10:41 1998. available.
luna-314 root 488 Jun 16 10:41
#

The above example shows a print server that is up and running.

If the print server is not running, go back to Step 1 on page 614 before
continuing.

How to Troubleshoot Incorrect Output

1. Log in as superuser or lp.

2. Make sure that the printer type is correct.

An incorrect printer type may cause incorrect output. For example, if you specify
printer type PS and the pages print in reverse order, try printer type PSR. (These
type names must be in uppercase.) Also, an incorrect printer type may cause
missing text, illegible text, or text with the wrong font. To determine the printer
type, examine the entries in the terminfo database. For information on the
structure of the terminfo database, see “Printer Type” on page 24.
a. On the print server, display the printer’s characteristics.

$ lpstat -p luna -l
printer luna is idle. enabled since Jun 16 10:43 1998.
available.
Form mounted:
Content types: any
Printer types: NeWSprinter20
Description:
Connection: direct
Interface: /etc/lp/interfaces/alamosa
After fault: continue
Users allowed:
(all)
Forms allowed:
(none)
Banner not required
Character sets:

(continued)

618 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

Default pitch:
Default page size: 80 wide 66 long
Default port settings:
$

b. Consult the printer manufacturer’s documentation to determine the printer

model.

c. If the printer type is not correct, change it with Admintool’s Modify Printer
option, or use the following lpadmin command.

# lpstat -p printer-name -T printer-type

On the print client, the printer type should be unknown. On the print server,
the printer type must match a terminfo entry that is defined to support the
model of printer you have. If there is no terminfo entry for the type of
printer you have, see “How to Add a terminfo Entry for an Unsupported
Printer” on page 127.

3. If the banner page prints, but there is no output for the body of the document,
check the file content types.
File content types specified for a printer indicate the types of files the printer can
print directly without filtering. An incorrect file content type causes filtering to be
bypassed when it may be needed.
a. Note the information on file content type that was supplied in the previous
step by the lpstat command.
On the print client, the file content type should be any, unless you have good
reason to specify one or more explicit content types. If a content is specified
on the client, filtering is done on the print client, rather than the print server.
In addition, content types on the client must match the content types specified
on the print server, which in turn must reflect the capabilities of the printer.

b. Consult your printer manufacturer’s documentation to determine which

types of files the printer can print directly.
The names you use to refer to these types of files do not have to match the
names used by the manufacturer. However, the names you use must agree
with the names used by the filters known to the LP print service.

Troubleshooting Printing Problems 619

 c. If the file content type is not correct, change it with Admintool’s Modify
Printer option, or the following lpadmin command.

# lpadmin -p printer-name -I file-content-type(s)

Run this command on either the print client, or print server, or both, as
needed. Try -I any on the print client, and -I "" on the print server. The
latter specifies a null file content type list, which means an attempt should be
made to filter all files, because the printer can directly print only files that
exactly match its printer type.
This combination is a good first choice when files are not printing. If it works,
you may want to try specifying explicit content types on the print server to
reduce unnecessary filtering. For a local PostScript printer, you should use
postscript, or postscript,simple— if the printer supports these types.
Be aware that PS and PSR are not file content types; they are printer types.
If you omit -I, the file content list defaults to simple. If you use the -I
option and want to specify file content types in addition to simple, simple
must be included in the list.
When specifying multiple file content types, separate the names with commas.
Or you can separate names with spaces and enclose the list in quotation
marks. If you specify any as the file content type, no filtering will be done and
only file types that can be printed directly by the printer should be sent to it.

4. Check that the print request does not bypass filtering needed to download
fonts.
If a user submits a print request to a PostScript printer with the command
lp -T PS, no filtering is done. Try submitting the request with the command
lp -T postscript to force filtering, which may result in the downloading of
non-resident fonts needed by the document.

5. Make sure that the stty settings for the printer port are correct.
a. Read the printer documentation to determine the correct stty settings for
the printer port.

Note - If a printer is connected by a parallel port, the baud setting is irrelevant.

b. Examine the current settings by using the stty command.

# stty -a < /dev/term/a

speed 9600 baud;
rows = 0; columns = 0; ypixels = 0; xpixels = 0;

(continued)

620 System Administration Guide, Volume II ♦ October 1998

 (Continuation)

eucw [Link], scrw [Link]

intr = ^c; quit = ^|; erase = ^?; kill = ^u;
eof = ^d; eol = <undef>; eol2 = <undef>; swtch = <undef>;
start = ^q; stop = ^s; susp = ^z; dsusp = ^y;
rprnt = ^r; flush = ^o; werase = ^w; lnext = ^v;
parenb -parodd cs7 -cstopb -hupcl cread -clocal -loblk -parext
-ignbrk brkint -ignpar -parmrk -inpck istrip -inlcr -igncr icrnl -iuclc
ixon -ixany -ixoff imaxbel
isig icanon -xcase echo echoe echok -echonl -noflsh
-tostop echoctl -echoprt echoke -defecho -flusho -pendin iexten
opost -olcuc onlcr -ocrnl -onocr -onlret -ofill -ofdel tab3
#

This command shows the current stty settings for the printer port.
Table 34–2 shows the default stty options used by the LP print service’s
standard printer interface program.

TABLE 34–2 Default stty Settings Used by the Standard Interface Program

Option Meaning

Set baud rate to 9600

−9600

Set 8-bit bytes

−cs8

Send one stop bit per byte

−cstopb

Do not generate parity

−parity

Enable XON/XOFF (also known as START/STOP or DC1/

−ixon
DC3)

Do “output post-processing” using all the settings that

−opost
follow in this table

Do not map lowercase to uppercase

−olcuc

Change line feed to carriage return/line feed

−onlcr

Troubleshooting Printing Problems 621

 TABLE 34–2 Default stty Settings Used by the Standard Interface Program (continued)

Option Meaning

Do not change carriage returns into line feeds

−ocrnl

Output carriage returns even at column 0

−onocr

No delay after line feeds

−n10

No delay after carriage returns

−cr0

No delay after tabs

−tab0

No delay after backspaces

−bs0

No delay after vertical tabs

−vt0

No delay after form feeds

−ff0

c. Change the stty settings.

# lpadmin -p printer-name -o "stty= options"

Use Table 34–3 to choose stty options to correct various problems affecting
print output.

622 System Administration Guide, Volume II ♦ October 1998

 TABLE 34–3 stty Options to Correct Print Output Problems

Possible Problem From

stty Values Result Incorrect Setting

110, 300, 600, Sets baud rate to the Random characters and special
1200, 1800, specified value (enter only characters may be printed and
2400, 4800, one baud rate) spacing may be inconsistent
9600, 19200,
38400

oddp Sets odd parity Missing or incorrect characters

appear randomly
Sets even parity
evenp
Sets no parity
-parity

-tabs Sets no tabs Text is jammed against right

margin

tabs Sets tabs every eight spaces Text has no left margin, is run
together, or is jammed together

-onlcr Sets no carriage return at the Incorrect double spacing

beginning of line(s)

onlcr Sets carriage return at The print zigzags down the

beginning of line(s) page

You can change more than one option setting by enclosing the list of options
in single quotation marks and separating each option with spaces. For
example, suppose the printer requires you to enable odd parity and set a 7-bit
character size. You would type a command similar to that shown in the
following example:

# lpadmin -p neptune -o "stty=’parenb parodd cs7’"

The stty option parenb enables parity checking/generation, parodd sets

odd parity generation, and cs7 sets the character size to 7 bits.

6. Verify that the document prints correctly.

# lp -d printer-name filename

Troubleshooting Printing Problems 623

 How to Unhang the LP Print Service
1. Log in as superuser or lp.

2. Stop the LP print service.

# lpshut

If this command hangs, press Control-c and proceed to the next step. If this
command succeeds, skip to step 4.

3. Identify the LP process IDs.

# ps -el | grep lp
134 term/a 0:01 lpsched
#

Use the process ID numbers (PIDs) from the first column in place of the pid
variables in the next step.

4. Stop the LP processes by using the kill -15 command.

# kill -15 103 134

This should stop the LP print service processes. If the processes do not stop, as a
last resort go to step 5.

5. As a last resort, terminate the processes abruptly.

# kill -9 103 134

All the lp processes are terminated.

6. Remove the SCHEDLOCK file so you can restart the LP print service.

# rm /usr/spool/lp/SCHEDLOCK

7. Restart the LP print service.

# /usr/lib/lp/lpsched

624 System Administration Guide, Volume II ♦ October 1998

 The LP print service should restart. If you are having trouble restarting the
scheduler, see “How to Restart the Print Scheduler” on page 66.

How to Troubleshoot an Idle (Hung) Printer

This task includes a number of procedures to use when a printer appears idle but it
should not be. It makes sense to try the procedures in order, but the order is not
mandatory.

To check that the printer is ready to print:

1. Display printer status information.

# lpstat -p printer-name

The information displayed shows you whether the printer is idle or active,
enabled or disabled, or available or not accepting print requests. If everything
looks all right, continue with other procedures in this section. If you cannot run
the lpstat command, see “How to Unhang the LP Print Service” on page 624.

2. If the printer is not available (not accepting requests), allow the printer to
accept requests.

# accept printer-name

The printer begins to accept requests into its print queue.

3. If the printer is disabled, re-enable it.

# enable printer-name

This command re-enables the printer so that it will act on the requests in its queue.

To check for print filtering:

Check for print filtering by using the lpstat -o command.

$ lpstat -o luna
luna-10 fred 1261 Mar 12 17:34 being filtered
luna-11 iggy 1261 Mar 12 17:36 on terra
luna-12 jack 1261 Mar 12 17:39 on terra

(continued)

Troubleshooting Printing Problems 625

 (Continuation)

See if the first waiting request is being filtered. If the output looks like the above
example, the file is being filtered; the printer is not hung, it just is taking a while to
process the request.

To resume printing after a printer fault:

1. Look for a message about a printer fault and try to correct the fault if there is
one.
Depending on how printer fault alerts have been specified, messages may be sent
to root by email or written to a terminal on which root is logged in.

2. Re-enable the printer.

# enable printer-name

If a request was blocked by a printer fault, this command will force a retry. If this
command does not work, continue with other procedures in this section.

To send print requests to a remote printer when they back up

in the local queue:
1. On the print client, stop further queuing of print requests to the print server.

# reject printer-name

2. On the print client, send an “are you there?” request to the print server.

print_client# ping print_server

print_server is alive

If you receive the message print_server not available, you may have a
network problem.

3. After you fix the above problem, allow new print requests to be queued.

626 System Administration Guide, Volume II ♦ October 1998

 # accept printer-name

4. If necessary, re-enable the printer.

# enable printer-name

To free print requests from a print client that back up in the

print server queue:

1. On the print server, stop further queuing of print requests from any print
client to the print server.

# reject printer-name

2. Display the lpsched log file.

# more /var/lp/logs/lpsched

The information displayed may help you pinpoint what is preventing the print
requests from the print client to the print server from being printed.

3. After you fix the problem, allow new print requests to be queued.

# accept printer-name

4. If necessary, re-enable the printer on the print server.

# enable printer-name

How to Resolve Conflicting Printer Status

Messages
1. On the print server, verify the printer is enabled and is accepting requests.

# lpstat -p printer-name

Users will see conflicting status messages when the print client is accepting
requests, but the print server is rejecting requests.

Troubleshooting Printing Problems 627

 2. On the print server, check that the definition of the printer on the print client
matches the definition of the printer on the print server.

# lpstat -p -l printer-name

Look at the definitions of the print job components, like print filters, character
sets, print wheels, and forms, to be sure they are the same on both the client and
server systems so that local users can access printers on print server systems.

628 System Administration Guide, Volume II ♦ October 1998

CHAPTER 35

Troubleshooting File System Problems

This is a list of the information in this chapter.

4 “General fsck Error Messages ” on page 631
4 “Initialization Phase fsck Messages” on page 632
4 “Phase 1: Check Blocks and Sizes Messages” on page 636
4 “Phase 1B: Rescan for More DUPS Messages” on page 640
4 “Phase 2: Check Path Names Messages” on page 641
4 “Phase 3: Check Connectivity Messages” on page 650
4 “Phase 4: Check Reference Counts Messages” on page 653
4 “Phase 5: Check Cylinder Groups Messages” on page 657
4 “Cleanup Phase Messages” on page 659
See “Checking File System Integrity” in System Administration Guide, Volume I for
information about the fsck program and how to use it to check file system integrity.

Error Messages
Normally, fsck is run non-interactively to preen the file systems after an abrupt
system halt in which the latest file system changes were not written to disk. Preening
automatically fixes any basic file system inconsistencies and does not try to repair
more serious errors. While preening a file system, fsck fixes the inconsistencies it
expects from such an abrupt halt. For more serious conditions, the command reports
the error and terminates.
When you run fsck interactively, fsck reports each inconsistency found and fixes
innocuous errors. However, for more serious errors, the command reports the

629
 inconsistency and prompts you to choose a response. When you run fsck using the
-y or -n options, your response is predefined as yes or no to the default response
suggested by fsck for each error condition.
Some corrective actions will result in some loss of data. The amount and severity of
data loss may be determined from the fsck diagnostic output.
fsck is a multipass file system check program. Each pass invokes a different phase
of the fsck program with different sets of messages. After initialization, fsck
performs successive passes over each file system, checking blocks and sizes, path
names, connectivity, reference counts, and the map of free blocks (possibly rebuilding
it). It also performs some cleanup.
The phases (passes) performed by the UFS version of fsck are:
4 Initialization
4 Phase 1 – Check blocks and sizes
4 Phase 2 – Check path names
4 Phase 3 – Check connectivity
4 Phase 4 – Check reference counts
4 Phase 5 – Check cylinder groups
The next sections describe the error conditions that may be detected in each phase,
the messages and prompts that result, and possible responses you can make.
Messages that may appear in more than one phase are described in “General fsck
Error Messages ” on page 631. Otherwise, messages are organized alphabetically by
the phases in which they occur.
Many of the messages include the abbreviations shown in Table 35–1:

TABLE 35–1 Error Message Abbreviations

Abbreviation Meaning

BLK Block number

DUP Duplicate block number

DIR Directory name

CG Cylinder group

630 System Administration Guide, Volume II ♦ October 1998

TABLE 35–1 Error Message Abbreviations (continued)

Abbreviation Meaning

MTIME Time file was last modified

UNREF Unreferenced

Many of the messages also include variable fields, such as inode numbers, which are
represented in this book by an italicized term, such as inode-number. For example,
this screen message:

INCORRECT BLOCK COUNT I=2529

is shown as:

INCORRECT BLOCK COUNT I=inode-number

General fsck Error Messages

The error messages in this section may be displayed in any phase after initialization.
Although they offer the option to continue, it is generally best to regard them as
fatal. They reflect a serious system failure and should be handled immediately. When
confronted with such a message, terminate the program by entering n(o). If you
cannot determine what caused the problem, contact your local service provider or
another qualified person.

CANNOT SEEK: BLK block-number (CONTINUE)

Reason Error Occurred How to Solve the Problem

A request to move to a specified block If the disk is experiencing hardware

number, block-number, in the file system problems, the problem will persist. Run fsck
failed. This message indicates a serious again to recheck the file system.
problem, probably a hardware failure.
If the recheck fails, contact your local service
If you want to continue the file system provider or another qualified person.
check, fsck will retry the move and display
a list of sector numbers that could not be
moved. If the block was part of the virtual
memory buffer cache, fsck will terminate
with a fatal I/O error message.

CANNOT READ: BLK block-number (CONTINUE)

Troubleshooting File System Problems 631

 Reason Error Occurred How to Solve the Problem

A request to read a specified block number, If the disk is experiencing hardware

block-number, in the file system failed. The problems, the problem will persist. Run
message indicates a serious problem, fsck again to recheck the file system.
probably a hardware failure.
If the recheck fails, contact your local service
If you want to continue the file system provider or another qualified person.
check, fsck will retry the read and display a
list of sector numbers that could not be read.
If the block was part of the virtual memory
buffer cache, fsck will terminate with a
fatal I/O error message.
If fsck tries to write back one of the blocks
on which the read failed, it will display the
following message:

WRITING ZERO’ED BLOCK sector-numbers TO

DISK

CANNOT WRITE: BLK block-number (CONTINUE)

Reason Error Occurred How to Solve the Problem

A request to write a specified block number, The disk may be write-protected. Check the
block-number, in the file system failed. write-protect lock on the drive.
If you continue the file system check, fsck If the disk has hardware problems, the
will retry the write and display a list of problem will persist. Run fsck again to
sector numbers that could not be written. If recheck the file system.
the block was part of the virtual memory
If the write-protect is not the problem or the
buffer cache, fsck will terminate with a
recheck fails, contact your local service
fatal I/O error message.
provider or another qualified person.

Initialization Phase fsck Messages

In the initialization phase, command-line syntax is checked. Before the file system
check can be performed, fsck sets up tables and opens files.
The messages in this section relate to error conditions resulting from command-line
options, memory requests, the opening of files, the status of files, file system size
checks, and the creation of the scratch file. All such initialization errors terminate
fsck when it is preening the file system.

bad inode number inode-number to ginode

632 System Administration Guide, Volume II ♦ October 1998

Reason Error Occurred How to Solve the Problem

An internal error occurred because of a Contact your local service provider or

nonexistent inode inode-number. fsck exits. another qualified person.

cannot alloc size-of-block map bytes for blockmap

cannot alloc size-of-free map bytes for freemap

cannot alloc size-of-state map bytes for statemap

cannot alloc size-of-lncntp bytes for lncntp

Reason Error Occurred How to Solve the Problem

Request for memory for its internal tables Killing other processes may solve the
failed. fsck terminates. This message problem. If not, contact your local service
indicates a serious system failure that should provider or another qualified person.
be handled immediately. This condition may
occur if other processes are using a very
large amount of system resources.

Can’t open checklist file: filename

Reason Error Occurred How to Solve the Problem

The file system checklist file filename (usually Check if the file exists and if its access
/etc/vfstab) cannot be opened for modes permit read access.
reading. fsck terminates.

Can’t open filename

Reason Error Occurred How to Solve the Problem

fsck cannot open file system filename. When Check to see if read and write access to the
running interactively, fsck ignores this file raw device file for the file system is
system and continues checking the next file permitted.
system given.

Troubleshooting File System Problems 633

 Can’t stat root

Reason Error Occurred How to Solve the Problem

fsck request for statistics about the root This message indicates a serious system
directory failed. fsck terminates. failure. Contact your local service provider
or another qualified person.

Can’t stat filename

Can’t make sense out of name filename

Reason Error Occurred How to Solve the Problem

fsck request for statistics about the file Check if the file system exists and check its
system filename failed. When running access modes.
interactively, fsck ignores this file system
and continues checking the next file system
given.

filename: (NO WRITE)

Reason Error Occurred How to Solve the Problem

Either the -n option was specified or fsck If -n was not specified, check the type of the
could not open the file system filename for file specified. It may be the name of a
writing. When fsck is running in no-write regular file.
mode, all diagnostic messages are displayed,
but fsck does not attempt to fix anything.

IMPOSSIBLE MINFREE=percent IN SUPERBLOCK (SET TO DEFAULT)

Reason Error Occurred How to Solve the Problem

The superblock minimum space percentage To set the minfree parameter to the default
is greater than 99 percent or less than 0 10 percent, type y at the default prompt. To
percent. ignore the error condition, type n at the
default prompt.

634 System Administration Guide, Volume II ♦ October 1998

filename: BAD SUPER BLOCK: message
USE AN ALTERNATE SUPER-BLOCK TO SUPPLY NEEDED INFORMATION;
e.g., fsck[-f ufs] -o b=# [special ...]
where # is the alternate superblock. See fsck_ufs(1M)

Reason Error Occurred How to Solve the Problem

fsck has had an internal error, whose If one of the following messages are
message is message. displayed, contact your local service
provider or another qualified person:
CPG OUT OF RANGE
FRAGS PER BLOCK OR FRAGSIZE WRONG
INODES PER GROUP OUT OF RANGE
INOPB NONSENSICAL RELATIVE TO BSIZE
MAGIC NUMBER WRONG
NCG OUT OF RANGE
NCYL IS INCONSISTENT WITH NCG*CPG
NUMBER OF DATA BLOCKS OUT OF RANGE
NUMBER OF DIRECTORIES OUT OF RANGE
ROTATIONAL POSITION TABLE SIZE OUT OF RANGE
SIZE OF CYLINDER GROUP SUMMARY AREA WRONG
SIZE TOO LARGE
BAD VALUES IN SUPERBLOCK

Reason Error Occurred How to Solve the Problem

The superblock has been corrupted. Use an alternative superblock to supply

needed information. Specifying block 32 is a
good first choice. You can locate an
alternative copy of the superblock by
running the newfs -N command on the slice.
Be sure to specify the -N option; otherwise,
newfs overwrites the existing file system.

UNDEFINED OPTIMIZATION IN SUPERBLOCK (SET TO DEFAULT)

Reason Error Occurred How to Solve the Problem

The superblock optimization parameter is To minimize the time to perform operations

neither OPT_TIME nor OPT_SPACE. on the file system, type y at the SET TO
DEFAULT prompt. To ignore this error
condition, type n.

Troubleshooting File System Problems 635

 Phase 1: Check Blocks and Sizes Messages
This phase checks the inode list. It reports error conditions encountered while:
4 Checking inode types
4 Setting up the zero-link-count table
4 Examining inode block numbers for bad or duplicate blocks
4 Checking inode size
4 Checking inode format
All errors in this phase except INCORRECT BLOCK COUNT,
PARTIALLY TRUNCATED INODE, PARTIALLY ALLOCATED INODE, and
UNKNOWN FILE TYPE terminate fsck when it is preening a file system.
The other possible error messages displayed in this phase are referenced below.
4 BAD STATE state-number TO BLKERR
4 block-number DUP I=inode-number
4 EXCESSIVE BAD BLOCKS I=inode-number (CONTINUE)
4 EXCESSIVE DUP BLKS I=inode-number (CONTINUE)
4 INCORRECT BLOCK COUNT I=inode-number
(number-of-BAD-DUP-or-missing-blocks should be number-of-blocks-in-filesystem)
(CORRECT)
4 LINK COUNT TABLE OVERFLOW (CONTINUE)
4 PARTIALLY ALLOCATED INODE I=inode-number (CLEAR)
4 PARTIALLY TRUNCATED INODE I=inode-number (SALVAGE)
4 UNKNOWN FILE TYPE I=inode-number (CLEAR)
These messages (in alphabetical order) may occur in phase 1:

block-number BAD I=inode-number

636 System Administration Guide, Volume II ♦ October 1998

Reason Error Occurred How to Solve the Problem

Inode inode-number contains a block number N/A

block-number with a number lower than the
number of the first data block in the file
system or greater than the number of the last
block in the file system. This error condition
may generate the EXCESSIVE BAD BLKS
error message in phase 1 if inode
inode-number has too many block numbers
outside the file system range. This error
condition generates the BAD/DUP error
message in phases 2 and 4.

BAD MODE: MAKE IT A FILE?

Reason Error Occurred How to Solve the Problem

The status of a given inode is set to all 1s, Type y to reinitialize the inode to a
indicating file system damage. This message reasonable value.
does not indicate physical disk damage,
unless it is displayed repeatedly after fsck
-y has been run.

BAD STATE state-number TO BLKERR

Reason Error Occurred How to Solve the Problem

An internal error has scrambled the fsck Contact your local service provider or
state map so that it shows the impossible another qualified person.
value state-number. fsck exits immediately.

block-number DUP I=inode-number

Troubleshooting File System Problems 637

 Reason Error Occurred How to Solve the Problem

Inode inode-number contains a block number N/A

block-number, which is already claimed by
the same or another inode. This error
condition may generate the EXCESSIVE DUP
BLKS error message in phase 1 if inode
inode-number has too many block numbers
claimed by the same or another inode. This
error condition invokes phase 1B and
generates the BAD/DUP error messages in
phases 2 and 4.

DUP TABLE OVERFLOW (CONTINUE)

Reason Error Occurred How to Solve the Problem

There is no more room in an internal table in To continue the program, type y at the
fsck containing duplicate block numbers. If CONTINUE prompt. When this error occurs, a
the -o p option is specified, the program complete check of the file system is not
terminates. possible. If another duplicate block is found,
this error condition repeats. Increase the
amount of virtual memory available (by
killing some processes, increasing swap
space) and run fsck again to recheck the file
system. To terminate the program, type n.

EXCESSIVE BAD BLOCKS I=inode-number (CONTINUE)

Reason Error Occurred How to Solve the Problem

Too many (usually more than 10) blocks To continue the program, type y at the
have a number lower than the number of the CONTINUE prompt. When this error occurs, a
first data block in the file system or greater complete check of the file system is not
than the number of the last block in the file possible. You should run fsck again to
system associated with inode inode-number. If recheck the file system. To terminate the
the -o p (preen) option is specified, the program, type n.
program terminates.

EXCESSIVE DUP BLKS I=inode-number (CONTINUE)

638 System Administration Guide, Volume II ♦ October 1998

Reason Error Occurred How to Solve the Problem

Too many (usually more than 10) blocks are To continue the program, type y at the
claimed by the same or another inode or by CONTINUE prompt. When this error occurs, a
a free-list. If the -o p option is specified, the complete check of the file system is not
program terminates. possible. You should run fsck again to
recheck the file system. To terminate the
program, type n.

INCORRECT BLOCK COUNT I=inode-

number (number-of-BAD-DUP-or-missing-blocks should be
number-of-blocks-in-filesystem) (CORRECT)

Reason Error Occurred How to Fix the Problem

The block count for inode inode-number is To replace the block count of inode
number-of-BAD-DUP-or-missing-blocks, but inode-number by number-of-blocks-in-filesystem,
should be number-of-blocks-in-filesystem. When type y at the CORRECT prompt. To terminate
preening, fsck corrects the count. the program, type n.

LINK COUNT TABLE OVERFLOW (CONTINUE)

Reason Error Occurred How to Fix the Problem

There is no more room in an internal table To continue the program, type y at the
for fsck containing allocated inodes with a CONTINUE prompt. If another allocated
link count of zero. If the -o p (preen) option inode with a zero-link count is found, this
is specified, the program exits and fsck has error condition repeats. When this error
to be completed manually. occurs, a complete check of the file system is
not possible. You should run fsck again to
recheck the file system. Increase the virtual
memory available by killing some processes
or increasing swap space, then run fsck
again. To terminate the program, type n.

PARTIALLY ALLOCATED INODE I=inode-number (CLEAR)

Troubleshooting File System Problems 639

 Reason Error Occurred How to Solve the Problem

Inode inode-number is neither allocated nor To deallocate the inode inode-number by

unallocated. If the -o p (preen) option is zeroing out its contents, type y. This may
specified, the inode is cleared. generate the UNALLOCATED error condition
in phase 2 for each directory entry pointing
to this [Link] ignore the error condition,
type n. A no response is appropriate only if
you intend to take other measures to fix the
problem.

PARTIALLY TRUNCATED INODE I=inode-number (SALVAGE)

Reason Error Occurred How to Solve the Problem

fsck has found inode inode-number whose To complete the truncation to the size
size is shorter than the number of blocks specified in the inode, type y at the
allocated to it. This condition occurs only if SALVAGE prompt. To ignore this error
the system crashes while truncating a file. condition, type n.
When preening the file system, fsck
completes the truncation to the specified size.

UNKNOWN FILE TYPE I=inode-number (CLEAR)

Reason Error Occurred How to Solve the Problem

The mode word of the inode inode-number To deallocate the inode inode-number by
shows that the inode is not a pipe, special zeroing its contents, which results in the
character inode, special block inode, regular UNALLOCATED error condition in phase 2 for
inode, symbolic link, FIFO file, or directory each directory entry pointing to this inode,
inode. If the -o p option is specified, the type y at the CLEAR prompt. To ignore this
inode is cleared. error condition, type n.

Phase 1B: Rescan for More DUPS Messages

When a duplicate block is found in the file system, this message is displayed:

block-number DUP I=inode-number

640 System Administration Guide, Volume II ♦ October 1998

 Reason Error Occurred How to Solve the Problem

Inode inode-number contains a block number When a duplicate block is found, the file
block-number that is already claimed by the system is rescanned to find the inode that
same or another inode. This error condition previously claimed that block.
generates the BAD/DUP error message in
phase 2. Inodes that have overlapping blocks
may be determined by examining this error
condition and the DUP error condition in
phase 1.

Phase 2: Check Path Names Messages

This phase removes directory entries pointing to bad inodes found in phases 1 and
1B. It reports error conditions resulting from:
4 Incorrect root inode mode and status
4 Directory inode pointers out of range
4 Directory entries pointing to bad inodes
4 Directory integrity checks
When the file system is being preened (−o p option), all errors in this phase
terminate fsck, except those related to directories not being a multiple of the block
size, duplicate and bad blocks, inodes out of range, and extraneous hard links.
Other possible error messages displayed in this phase are referenced below.
4 BAD INODE state-number TO DESCEND
4 BAD INODE NUMBER FOR ’.’ I=inode-number OWNER=UID MODE=file-mode
SIZE=file-size MTIME=modification-time DIR=filename (FIX)
4 BAD INODE NUMBER FOR ’..’ I=inode-number OWNER=UID MODE=file-mode
SIZE=file-size MTIME=modification-time DIR=filename (FIX)
4 BAD RETURN STATE state-number FROM DESCEND
4 BAD STATE state-number FOR ROOT INODE
4 BAD STATE state-number FOR INODE=inode-number
4 DIRECTORY TOO SHORT I=inode-number OWNER=UID MODE=file-mode
SIZE=file-size MTIME=modification-time DIR=filename (FIX)
4 DIRECTORY filename: LENGTH file-size NOT MULTIPLE OF block-number (ADJUST)
4 DIRECTORY CORRUPTED I=inode-number OWNER=UID MODE=file-mode
SIZE=file-size MTIME=modification-time DIR=filename (SALVAGE)
4 DUP/BAD I=inode-number OWNER=O MODE=M SIZE=file-size
MTIME=modification-time TYPE=filename (REMOVE)
4 DUPS/BAD IN ROOT INODE (REALLOCATE)

Troubleshooting File System Problems 641

 4 EXTRA ’.’ ENTRY I=inode-number OWNER=UID MODE=file-mode SIZE=file-size
MTIME=modification-time DIR=filename (FIX)
4 EXTRA ’..’ ENTRY I=inode-number OWNER=UID MODE=file-mode SIZE=file-size
MTIME=modification-time DIR=filename (FIX)
4 hard-link-number IS AN EXTRANEOUS HARD LINK TO A DIRECTORY filename
(REMOVE)
4 inode-number OUT OF RANGE I=inode-number NAME=filename (REMOVE)
4 MISSING ’.’ I=inode-number OWNER=UID MODE=file-mode SIZE=file-size
MTIME=modification-time DIR=filename (FIX)
4 MISSING ’.’ I=inode-number OWNER=UID MODE=file-mode SIZE=file-size
MTIME=modification-time DIR=filename CANNOT FIX, FIRST ENTRY IN
DIRECTORY CONTAINS filename
4 MISSING ’.’ I=inode-number OWNER=UID MODE=file-mode SIZE=file-size
MTIME=modification-time DIR=filename CANNOT FIX, INSUFFICIENT SPACE TO
ADD ’.’
4 MISSING ’..’ I=inode-number OWNER=UID MODE=file-mode SIZE=file-size
MTIME=modification-time DIR=filename (FIX)
4 MISSING ’..’ I=inode-number OWNER=UID MODE=file-mode SIZE=file-size
MTIME=modification-time DIR=filename CANNOT FIX, SECOND ENTRY IN
DIRECTORY CONTAINS filename
4 MISSING ’..’ I=inode-number OWNER=UID MODE=file-mode SIZE=file-size
MTIME=modification-time DIR=filename CANNOT FIX, INSUFFICIENT SPACE TO
ADD ’..’
4 NAME TOO LONG filename
4 ROOT INODE UNALLOCATED (ALLOCATE)
4 ROOT INODE NOT DIRECTORY (REALLOCATE)
4 UNALLOCATED I=inode-number OWNER=UID MODE=file-mode SIZE=file-size
MTIME=modification-time type=filename (REMOVE)
4 ZERO LENGTH DIRECTORY I=inode-number OWNER=UID MODE=file-mode
SIZE=file-size MTIME=modification-time DIR=filename (REMOVE)

BAD INODE state-number TO DESCEND

Reason Error Occurred How to Solve the Problem

An fsck internal error has passed an invalid If this error message is displayed, contact
state state-number to the routine that your local service provider or another
descends the file system directory structure. qualified person.
fsck exits.

642 System Administration Guide, Volume II ♦ October 1998

BAD INODE NUMBER FOR ’.’ I=inode-number OWNER=UID MODE=file-mode
SIZE=file-size MTIME=modification-time DIR=filename (FIX)

Reason Error Occurred How to Solve the Problem

A directory inode-number has been found To change the inode number for “.” to be
whose inode number for “.” does not equal equal to inode-number, type y at the FIX
inode-number. prompt To leave the inode numbers for “.”
unchanged, type n.

BAD INODE NUMBER FOR ’..’ I=inode-number OWNER=UID MODE=file-mode

SIZE=file-size MTIME=modification-time DIR=filename (FIX)

Reason Error Occurred How to Solve the Problem

A directory inode-number has been found To change the inode number for “..” to be
whose inode number for “..” does not equal to the parent of inode-number, type y at
equal the parent of inode-number. the FIX prompt. (Note that “..’’ in the root
inode points to itself.)To leave the inode
number for “..” unchanged, type n.

BAD RETURN STATE state-number FROM DESCEND

Reason Error Occurred How to Solve the Problem

An fsck internal error has returned an If this message is displayed, contact your
impossible state state-number from the local service provider or another qualified
routine that descends the file system person.
directory structure. fsck exits.

BAD STATE state-number FOR ROOT INODE

Reason Error Occurred How to Solve the Problem

An internal error has assigned an impossible If this error message is displayed, contact
state state-number to the root inode. fsck your local service provider or another
exits. qualified person.

Troubleshooting File System Problems 643

 BAD STATE state-number FOR INODE=inode-number

Reason Error Occurred How to Solve the Problem

An internal error has assigned an impossible If this error message is displayed, contact
state state-number to inode inode-number. your local service provider or another
fsck exits. qualified person.

DIRECTORY TOO SHORT I=inode-number OWNER=UID MODE=file-mode

SIZE=file-size MTIME=modification-time DIR=filename (FIX)

Reason Error Occurred How to Solve the Problem

A directory filename has been found whose To increase the size of the directory to the
size file-size is less than the minimum minimum directory size, type y at the FIX
directory size. The owner UID, mode prompt. To ignore this directory, type n.
file-mode, size file-size, modify time
modification-time, and directory name filename
are displayed.

DIRECTORY filename: LENGTH file-size NOT MULTIPLE OF block-number (ADJUST)

Reason Error Occurred How to Solve the Problem

A directory filename has been found with To round up the length to the appropriate
size file-size that is not a multiple of the block size, type y. When preening the file
directory block size block-number. system (-o p option), fsck only displays a
warning and adjusts the [Link] ignore
this condition, type n.

DIRECTORY CORRUPTED I=inode-number OWNER=UID MODE=file-mode

SIZE=file-size MTIME=modification-time DIR=filename (SALVAGE)

644 System Administration Guide, Volume II ♦ October 1998

Reason Error Occurred How to Solve the Problem

A directory with an inconsistent internal To throw away all entries up to the next
state has been found. directory boundary (usually a 512-byte
boundary), type y at the SALVAGE prompt.
This drastic action can throw away up to 42
entries. Take this action only after other
recovery efforts have failed. To skip to the
next directory boundary and resume
reading, but not modify the directory, type n.

DUP/BAD I=inode-number OWNER=O MODE=M SIZE=file-size

MTIME=modification-time TYPE=filename (REMOVE)

Reason Error Occurred How to Solve the Problem

Phase 1 or phase 1B found duplicate blocks To remove the directory or file entry filename,
or bad blocks associated with directory or type y at the REMOVE prompt. To ignore this
file entry filename, inode inode-number. The error condition, type n.
owner UID, mode file-mode, size file-size,
modification time modification-time, and
directory or file name filename are displayed.
If the -p (preen) option is specified, the
duplicate/bad blocks are removed.

DUPS/BAD IN ROOT INODE (REALLOCATE)

Troubleshooting File System Problems 645

 Reason Error Occurred How to Solve the Problem

Phase 1 or phase 1B has found duplicate To clear the existing contents of the root
blocks or bad blocks in the root inode inode and reallocate it, type y at the
(usually inode number 2) of the file system. REALLOCATE prompt. The files and
directories usually found in the root will be
recovered in phase 3 and put into the
lost+found directory. If the attempt to
allocate the root fails, fsck will exit with:
CANNOT ALLOCATE ROOT INODE. Type n to
get the CONTINUE prompt. Type: y to
respond to the CONTINUE prompt, and
ignore the DUPS/BAD error condition in the
root inode and continue running the file
system check. If the root inode is not correct,
this may generate many other error
messages. Type n to terminate the program.

EXTRA ’.’ ENTRY I=inode-number OWNER=UID MODE=file-mode

SIZE=file-size MTIME=modification-time DIR=filename (FIX)

Reason Error Occurred How to Solve the Problem

A directory inode-number has been found that To remove the extra entry for “.” type y at
has more than one entry for “.”. the FIX prompt. To leave the directory
unchanged, type n.

EXTRA ’..’ ENTRY I=inode-number OWNER=UID MODE=file-mode

SIZE=file-size MTIME=modification-time DIR=filename(FIX)

Reason Error Occurred How to Solve the Problem

A directory inode-number has been found that To remove the extra entry for ‘..’ (the
has more than one entry for “..” (the parent parent directory), type y at the FIX prompt.
directory). To leave the directory unchanged, type n.

hard-link-number IS AN EXTRANEOUS HARD LINK TO A DIRECTORY filename (REMOVE)

646 System Administration Guide, Volume II ♦ October 1998

Reason Error Occurred How to Solve the Problem

fsck has found an extraneous hard link To delete the extraneous entry
hard-link-number to a directory filename. hard-link-number type y at the REMOVE
When preening (-o p option), fsck ignores prompt. To ignore the error condition, type n.
the extraneous hard links.

inode-number OUT OF RANGE I=inode-number NAME=filename (REMOVE)

Reason Error Occurred How to Solve the Problem

A directory entry filename has an inode To delete the directory entry filename type y
number inode-number that is greater than the at the REMOVE prompt. To ignore the error
end of the inode list. If the -p (preen) option condition, type n.
is specified, the inode will be removed
automatically.

MISSING ’.’ I=inode-number OWNER=UID MODE=file-mode SIZE=file-size

MTIME=modification-time DIR=filename (FIX)

Reason Error Occurred How to Solve the Problem

A directory inode-number has been found To build an entry for “.” with inode number
whose first entry (the entry for “.”) is equal to inode-number, type y at the FIX
unallocated. prompt. To leave the directory unchanged,
type n.

MISSING ’.’ I=inode-number OWNER=UID MODE=file-mode SIZE=file-size

MTIME=modification-time DIR=filename CANNOT FIX, FIRST ENTRY IN
DIRECTORY CONTAINS filename

Troubleshooting File System Problems 647

 Reason Error Occurred How to Solve the Problem

A directory inode-number has been found Mount the file system and move entry
whose first entry is filename. fsck cannot filename elsewhere. Unmount the file system
resolve this problem. and run fsck again.

MISSING ’.’ I=inode-number OWNER=UID MODE=file-mode SIZE=file-size

MTIME=modification-time DIR=filename CANNOT FIX, INSUFFICIENT
SPACE TO ADD ’.’

Reason Error Occurred How to Solve the Problem

A directory inode-number has been found If this error message is displayed, contact
whose first entry is not “.”. fsck cannot your local service provider or another
resolve the problem. qualified person.

MISSING ’..’ I=inode-number OWNER=UID MODE=file-mode SIZE=file-size

MTIME=modification-time DIR=filename (FIX)

Reason Error Occurred How to Solve the Problem

A directory inode-number has been found To build an entry for “..” with inode
whose second entry is unallocated. number equal to the parent of inode-number,
type y at the FIX prompt. (Note that “..’’ in
the root inode points to itself.) To leave the
directory unchanged, type n.

MISSING ’..’ I=inode-number OWNER=UID MODE=file-mode SIZE=file-size

MTIME=modification-time DIR=filename CANNOT FIX, SECOND ENTRY IN
DIRECTORY CONTAINS filename

648 System Administration Guide, Volume II ♦ October 1998

Reason Error Occurred How to Solve the Problem

A directory inode-number has been found Mount the file system and move entry
whose second entry is filename. fsck cannot filename elsewhere. Then unmount the file
resolve this problem. system and run fsck again.

MISSING ’..’ I=inode-number OWNER=UID MODE=file-mode SIZE=file-size

MTIME=modification-time DIR=filename CANNOT FIX, INSUFFICIENT SPACE
TO ADD ’..’

Reason Error Occurred How to Solve the Problem

A directory inode-number has been found Mount the file system and move the second
whose second entry is not “..” (the parent entry in the directory elsewhere. Then
directory). fsck cannot resolve this problem. unmount the file system and run fsck again.

NAME TOO LONG filename

Reason Error Occurred How to Solve the Problem

An excessively long path name has been Remove the circular links.
found, which usually indicates loops in the
file system name space. This error can occur
if a privileged user has made circular links
to directories.

ROOT INODE UNALLOCATED (ALLOCATE)

Reason Error Occurred How to Solve the Problem

The root inode (usually inode number 2) has To allocate inode 2 as the root inode, type y
no allocate-mode bits. at the ALLOCATE prompt. The files and
directories usually found in the root will be
recovered in phase 3 and put into the
lost+found directory. If the attempt to
allocate the root fails, fsck displays this
message and exits: CANNOT ALLOCATE ROOT
INODE. To terminate the program, type n.

Troubleshooting File System Problems 649

 ROOT INODE NOT DIRECTORY (REALLOCATE)

Reason Error Occurred How to Solve the Problem

The root inode (usually inode number 2) of To clear the existing contents of the root
the file system is not a directory inode. inode and reallocate it, type y at the
REALLOCATE prompt. The files and
directories usually found in the root will be
recovered in phase 3 and put into the
lost+found directory. If the attempt to
allocate the root fails, fsck displays this
message and exits :CANNOT ALLOCATE ROOT
INODE. To have fsck prompt with FIX,
type n.

UNALLOCATED I=inode-number OWNER=UID MODE=file-mode SIZE=file-size

MTIME=modification-time type=filename(REMOVE)

Reason Error Occurred How to Solve the Problem

A directory or file entry filename points to an To delete the directory entry filename, type y
unallocated inode inode-number. The owner at the REMOVE prompt. To ignore the error
UID, mode file-mode, size file-size, modify condition, type n.
time modification-time, and file name filename
are displayed.

ZERO LENGTH DIRECTORY I=inode-number OWNER=UID MODE=file-mode

SIZE=file-size MTIME=modification-time DIR=filename (REMOVE)

Reason Error Occurred How to Solve the Problem

A directory entry filename has a size file-size To remove the directory entry filename, type
that is zero. The owner UID, mode file-mode, y at the REMOVE prompt. This results in the
size file-size, modify time modification-time, BAD/DUP error message in phase 4. To
and directory name filename are displayed. ignore the error condition, type n.

Phase 3: Check Connectivity Messages

This phase checks the directories examined in phase 2 and reports error conditions
resulting from:
4 Unreferenced directories

650 System Administration Guide, Volume II ♦ October 1998

4 Missing or full lost+found directories
Other possible error messages displayed in this phase are referenced below.
4 BAD INODE state-number TO DESCEND
4 DIR I=inode-number1 CONNECTED. PARENT WAS I=inode-number2
4 DIRECTORY filename LENGTH file-size NOT MULTIPLE OF block-number (ADJUST)
4 lost+found IS NOT A DIRECTORY (REALLOCATE)
4 NO lost+found DIRCTORY (CREATE)
4 NO SPACE LEFT IN /lost+found (EXPAND)
4 UNREF DIR I=inode-number OWNER=UID MODE=file-mode SIZE=file-size
MTIME=modification-time (RECONNECT)

BAD INODE state-number TO DESCEND

Reason Error Occurred How to Solve the Problem

An internal error has caused an impossible If this occurs, contact your local service
state state-number to be passed to the routine provider or another qualified person.
that descends the file system directory
structure. fsck exits.

DIR I=inode-number1 CONNECTED. PARENT WAS I=inode-number2

Reason Error Occurred How to Solve the Problem

This is an advisory message indicating a N/A

directory inode inode-number1 was
successfully connected to the lost+found
directory. The parent inode inode-number2 of
the directory inode inode-number1 is replaced
by the inode number of the lost+found
directory.

DIRECTORY filename LENGTH file-size NOT MULTIPLE OF block-number (ADJUST)

Troubleshooting File System Problems 651

 Reason Error Occurred How to Solve the Problem

A directory filename has been found with size To round up the length to the appropriate
file-size that is not a multiple of the directory block size, type y at the ADJUST prompt.
block size B. (This condition can recur in When preening, fsck displays a warning
phase 3 if it is not adjusted in phase 2.) and adjusts the directory. To ignore this error
condition, type n.

lost+found IS NOT A DIRECTORY (REALLOCATE)

Reason Error Occurred How to Solve the Problem

The entry for lost+found is not a directory. To allocate a directory inode and change the
lost+found directory to reference it, type y
at the REALLOCATE prompt. The previous
inode reference by the lost+found
directory is not cleared and it will either be
reclaimed as an unreferenced inode or have
its link count adjusted later in this phase.
Inability to create a lost+found directory
displays the message: SORRY. CANNOT
CREATE lost+found DIRECTORY and
aborts the attempt to link up the lost inode,
which generates the UNREF error message in
phase 4. To abort the attempt to link up the
lost inode, which generates the UNREF error
message in phase 4, type n.

NO lost+found DIRECTORY (CREATE)

Reason Error Occurred How to Solve the Problem

There is no lost+found directory in the To create a lost+found directory in the

root directory of the file system. When root of the file system, type y at the CREATE
preening, fsck tries to create a prompt. This may lead to the message NO
lost+found directory. SPACE LEFT IN / (EXPAND). If the
lost+found directory cannot be created,
fsck displays the message: SORRY. CANNOT
CREATE lost+found DIRECTORY and
aborts the attempt to link up the lost inode.
This in turn generates the UNREF error
message later in phase 4. To abort the
attempt to link up the lost inode, type n.

NO SPACE LEFT IN /lost+found (EXPAND)

652 System Administration Guide, Volume II ♦ October 1998

 Reason Error Occurred How to Solve the Problem

Another entry cannot be added to the To expand the lost+found directory to

lost+found directory in the root directory make room for the new entry, type y at the
of the file system because no space is EXPAND prompt. If the attempted expansion
available. When preening, fsck expands the fails, fsck displays: SORRY. NO SPACE IN
lost+found directory. lost+found DIRECTORY and aborts the
request to link a file to the lost+found
directory. This error generates the UNREF
error message later in phase 4. Delete any
unnecessary entries in the lost+found
directory. This error terminates fsck when
preening is in effect. To abort the attempt to
link up the lost inode, type n.

UNREF DIR I=inode-number OWNER=UID MODE=file-mode SIZE=file-size

MTIME=modification-time (RECONNECT)

Reason Error Occurred How to Solve the Problem

The directory inode inode-number was not To reconnect the directory inode inode-number
connected to a directory entry when the file into the lost+found directory, type y at the
system was traversed. The owner UID, mode RECONNECT prompt. If the directory is
file-mode, size file-size, and modification time successfully reconnected, a CONNECTED
modification-time of directory inode message is displayed. Otherwise, one of the
inode-number are displayed. When preening, lost+found error messages is displayed. To
fsck reconnects the non-empty directory ignore this error condition, type n. This error
inode if the directory size is non-zero. causes the UNREF error condition in phase 4.
Otherwise, fsck clears the directory inode.

Phase 4: Check Reference Counts Messages

This phase checks the link count information obtained in phases 2 and 3. It reports
error conditions resulting from:
4 Unreferenced files
4 A missing or full lost+found directory
4 Incorrect link counts for files, directories, symbolic links, or special files
4 Unreferenced files, symbolic links, and directories
4 Bad or duplicate blocks in files and directories
4 Incorrect total free-inode counts
All errors in this phase (except running out of space in the lost+found directory)
are correctable when the file system is being preened.

Troubleshooting File System Problems 653

 Other possible error messages displayed in this phase are referenced below.
4 BAD/DUP type I=inode-number OWNER=UID MODE=file-mode SIZE=file-size
MTIME=modification-time (CLEAR)
4 (CLEAR)
4 LINK COUNT type I=inode-number OWNER=UID MODE=file-mode SIZE=file-size
MTIME=modification-time COUNT link-count SHOULD BE corrected-link-count
(ADJUST)
4 lost+found IS NOT A DIRECTORY (REALLOCATE)
4 NO lost+found DIRECTORY (CREATE)
4 NO SPACE LEFT IN /lost+found (EXPAND)
4 UNREF FILE I=inode-number OWNER=UID MODE=file-mode SIZE=file-size
MTIME=modification-time (RECONNECT)
4 UNREF type I=inode-number OWNER=UID MODE=file-mode SIZE=file-size
MTIME=modification-time (CLEAR)
4 ZERO LENGTH DIRECTORY I=inode-number OWNER=UID MODE=file-mode
SIZE=file-size MTIME=modification-time (CLEAR)

BAD/DUP type I=inode-number OWNER=UID MODE=file-mode SIZE=file-size

MTIME=modification-time (CLEAR)

Reason Error Occurred How to Solve the Problem

Phase 1 or phase 1B found duplicate blocks To deallocate inode inode-number by zeroing

or bad blocks associated with file or its contents, type y at the CLEAR prompt. To
directory inode inode-number. The owner ignore this error condition, type n.
UID, mode file-mode, size file-size, and
modification time modification-time of inode
inode-number are displayed.

(CLEAR)

Reason Error Occurred How to Solve the Problem

The inode mentioned in the UNREF error To deallocate the inode by zeroing out its
message immediately preceding cannot be contents, type y at the CLEAR prompt. To
reconnected. This message does not display if ignore the preceding error condition, type n.
the file system is being preened because lack
of space to reconnect files terminates fsck.

654 System Administration Guide, Volume II ♦ October 1998

LINK COUNT type I=inode-number OWNER=UID MODE=file-mode
SIZE=file-size
MTIME=modification-time COUNT link-count SHOULD BE
corrected-link-count (ADJUST)

Reason Error Occurred How to Solve the Problem

The link count for directory or file inode To replace the link count of directory or file
inode-number is link-count but should be inode inode-number with corrected-link-count,
corrected-link-count. The owner UID, mode type y at the ADJUST prompt. To ignore this
file-mode, size file-size, and modification time error condition, type n.
modification-time of inode inode-number are
displayed. If the -o p option is specified, the
link count is adjusted unless the number of
references is increasing. This condition does
not occur unless there is a hardware failure.
When the number of references is increasing
during preening, fsck displays this message
and exits: LINK COUNT INCREASING

lost+found IS NOT A DIRECTORY (REALLOCATE)

Reason Error Occurred How to Solve the Problem

The entry for lost+found is not a directory. To allocate a directory inode and change the
lost+found directory to reference it, type y
at the REALLOCATE prompt. The previous
inode reference by the lost+found
directory is not cleared. It will either be
reclaimed as an unreferenced inode or have
its link count adjusted later in this phase.
Inability to create a lost+found directory
displays this message: SORRY. CANNOT
CREATE lost+found DIRECTORY and
aborts the attempt to link up the lost inode.
This error generates the UNREF error
message later in phase 4. To abort the
attempt to link up the lost inode, type n.

NO lost+found DIRECTORY (CREATE)

Troubleshooting File System Problems 655

 Reason Error Occurred How to Solve the Problem

There is no lost+found directory in the To create a lost+found directory in the

root directory of the file system. When root of the file system, type y at the CREATE
preening, fsck tries to create a prompt. If the lost+found directory cannot
lost+found directory. be created, fsck displays the message:
SORRY. CANNOT CREATE lost+found
DIRECTORY and aborts the attempt to link
up the lost inode. This error in turn
generates the UNREF error message later in
phase 4. To abort the attempt to link up the
lost inode, type n.

NO SPACE LEFT IN / lost+found (EXPAND)

Reason Error Occurred How to Solve the Problem

There is no space to add another entry to the To expand the lost+found directory to
lost+found directory in the root directory make room for the new entry, type y at the
of the file system. When preening, fsck EXPAND prompt. If the attempted expansion
expands the lost+found directory. fails, fsck displays the message: SORRY. NO
SPACE IN lost+found DIRECTORY and
aborts the request to link a file to the
lost+found directory. This error generates
the UNREF error message later in phase 4.
Delete any unnecessary entries in the
lost+found directory. This error terminates
fsck when preening (-o p option) is in
[Link] abort the attempt to link up the lost
inode, type n.

UNREF FILE I=inode-number OWNER=UID MODE=file-mode SIZE=file-size

MTIME=modification-time (RECONNECT)

656 System Administration Guide, Volume II ♦ October 1998

 Reason Error Occurred How to Solve the Problem

File inode inode-number was not connected to To reconnect inode inode-number to the file
a directory entry when the file system was system in the lost+found directory, type y.
traversed. The owner UID, mode file-mode, This error may generate the lost+found
size file-size, and modification time error message in phase 4 if there are
modification-time of inode inode-number are problems connecting inode inode-number to
displayed. When fsck is preening, the file is the lost+found directory. To ignore this
cleared if either its size or its link count is error condition, type n. This error always
zero; otherwise, it is reconnected. invokes the CLEAR error condition in phase
4.

UNREF type I=inode-number OWNER=UID MODE=file-mode SIZE=file-size

MTIME=modification-time (CLEAR)

Reason Error Occurred How to Solve the Problem

Inode inode-number (whose type is directory To deallocate inode inode-number by zeroing

or file) was not connected to a directory its contents, type y at the CLEAR prompt. To
entry when the file system was traversed. ignore this error condition, type n.
The owner UID, mode file-mode, size file-size,
and modification time modification-time of
inode inode-number are displayed. When
fsck is preening, the file is cleared if either
its size or its link count is zero; otherwise, it
is reconnected.

ZERO LENGTH DIRECTORY I=inode-number OWNER=UID MODE=file-mode

SIZE=file-size MTIME=modification-time(CLEAR)

Reason Error Occurred How to Solve the Problem

A directory entry filename has a size file-size To deallocate the directory inode
that is zero. The owner UID, mode file-mode, inode-number by zeroing out its contents,
size file-size, modification time type y. To ignore the error condition, type n.
modification-time, and directory name filename
are displayed.

Phase 5: Check Cylinder Groups Messages

This phase checks the free-block and used-inode maps. It reports error conditions
resulting from:

Troubleshooting File System Problems 657

 4 Allocated inodes missing from used-inode maps
4 Free blocks missing from free-block maps
4 Free inodes in the used-inode maps
4 Incorrect total free-block count
4 Incorrect total used inode count
The possible error messages displayed in this phase are referenced below.
4 BLK(S) MISSING IN BIT MAPS (SALVAGE)
4 CG character-for-command-option: BAD MAGIC NUMBER
4 SUMMARY INFORMATION BAD (SALVAGE)
4 number-of files, number-of-files used, number-of-files free (number-of frags, number-of
blocks, percent fragmentation)
4 ***** FILE SYSTEM WAS MODIFIED *****
4 filename FILE SYSTEM STATE SET TO OKAY
4 filename FILE SYSTEM STATE NOT SET TO OKAY

BLK(S) MISSING IN BIT MAPS (SALVAGE)

Reason Error Occurred How to Solve the Problem

A cylinder group block map is missing some To reconstruct the free-block map, type y at
free blocks. During preening, fsck the SALVAGE prompt. To ignore this error
reconstructs the maps. condition, type n.

CG character-for-command-option: BAD MAGIC NUMBER

Reason Error Occurred How to Solve the Problem

The magic number of cylinder group If this occurs, contact your local service
character-for-command-option is wrong. This provider or another qualified person.
error usually indicates that the cylinder
group maps have been destroyed. When
running interactively, the cylinder group is
marked as needing reconstruction. fsck
terminates if the file system is being preened.

FREE BLK COUNT(S) WRONG IN SUPERBLK (SALVAGE)

658 System Administration Guide, Volume II ♦ October 1998

 Reason Error Occurred How to Solve the Problem

The actual count of free blocks does not To reconstruct the superblock free-block
match the count of free blocks in the information, type y at the SALVAGE prompt.
superblock of the file system. If the -o p To ignore this error condition, type n.
option was specified, the free-block count in
the superblock is fixed automatically.

SUMMARY INFORMATION BAD (SALVAGE)

Reason Error Occurred How to Solve the Problem

The summary information is incorrect. When To reconstruct the summary information,

preening, fsck recomputes the summary type y at the SALVAGE prompt. To ignore
information. this error condition, type n.

Cleanup Phase Messages

Once a file system has been checked, a few cleanup functions are performed. The
cleanup phase displays the following status messages.

number-of files, number-of-files

used, number-of-files free (number-of frags, number-of blocks,
percentfragmentation)

This message indicates that the file system checked contains number-of files using
number-of fragment-sized blocks, and that there are number-of fragment-sized blocks
free in the file system. The numbers in parentheses break the free count down into
number-of free fragments, number-of free full-sized blocks, and the percent
fragmentation.

***** FILE SYSTEM WAS MODIFIED *****

This message indicates that the file system was modified by fsck. If this file system
is mounted or is the current root (/) file system, reboot. If the file system is mounted,
you may need to unmount it and run fsck again; otherwise, the work done by
fsck may be undone by the in-core copies of tables.

filename FILE SYSTEM STATE SET TO OKAY

This message indicates that file system filename was marked as stable. Use the
fsck -m command to determine if the file system needs checking.

Troubleshooting File System Problems 659

 filename FILE SYSTEM STATE NOT SET TO OKAY

This message indicates that file system filename was not marked as stable. Use the
fsck -m command to determine if the file system needs checking.

660 System Administration Guide, Volume II ♦ October 1998

CHAPTER 36

Troubleshooting Software
Administration Problems

This chapter describes problems you may encounter when installing or removing
software packages. There are two sections: Specific Software Administration Errors,
which describes package installation and administration errors you might encounter,
and General Software Administration Problems, which describes behavioral
problems that might not result in a particular error message.
This is a list of information in this chapter.
4 “Specific Software Administration Errors ” on page 661
4 “General Software Administration Problems” on page 662
See “Software Administration (Overview)” in System Administration Guide, Volume I
for information about managing software packages.

Specific Software Administration Errors

WARNING: filename <not present on Read Only file system>

661
 Reason Error Occurred How to Fix the Problem

This error message indicates that not all of a If you see this warning message during a
package’s files could be installed. This package installation, you must also install
usually occurs when you are using pkgadd the package on the server. See “How to Add
to install a package on a client. In this case, Packages to a Server” on page 308 for details.
pkgadd attempts to install a package on a
file system that is mounted from a server, but
pkgadd doesn’t have permission to do so.

General Software Administration

Problems
Reason Error Occurred How to Fix the Problem

There is a known problem with adding or Set the following environment variable and
removing some packages developed prior to try to add the package again.
the Solaris 2.5 release. Sometimes, when
adding or removing these packages, the NONABI_SCRIPTS=TRUE
installation fails during user interaction or
you are prompted for user interaction and
your responses are ignored.

662 System Administration Guide, Volume II ♦ October 1998

 Index

Special Characters security, 248, 251

ACLs, 252, 280
* (asterisk)
file access restriction, 249
in crontab file, 416
firewall setup, 250
wildcard character, 348
login access restrictions, 253
+ (plus sign)
login control, 248
/etc/[Link] file syntax, 174
monitoring system usage, 249
. (dot)
network control, 249
path variable entry, 250
path variable setting, 249, 250
rcp command syntax, 194, 197
physical site security, 248
? (question mark) in ASET tune files, 348
reporting problems, 251
~ (tilde)
root access restrictions, 300
abbreviated pathnames, 191, 192
root login tracking, 256
rcp command syntax, 194, 197
setuid programs, 250
sharing files, 260
Numbers system logins, 253, 254
4.1 systems (running with 5.7 systems), 18 to forms
limiting for printers, 114
limiting for users, 113
A to printers
absolute mode deleting, 60
changing file permissions, 271, 274 access control lists, , see ACLs (access control
described, 271 lists)\x0d,
setting special permissions, 272, 282 security, 245
accept command, 82 accounting, 433, 440, 443, 461
accepting print requests, 81, 82, 109 automatic, 434
access, 245 billing users, 437, 446, 450
root access connect, 443 to 445, 449, 450, 456, 459
displaying attempts on console, 301, daily, 445, 461
302 reports, 447, 454
monitoring su command use, 256, 301 step-by-step summary of, 445, 447
restricting, 260, 300 disk, 444 to 446, 450
files for, 458, 461

Index-663
 fixing corrupted files forms, 107
tacct file, 439 local printers, 38
wtmp file, 438, 456 printer description, 66
installation-dependent local programs, 456 swap space, 475
maintaining, 438, 440 terminfo entry, 124
process, 444, 446, 449, 450 address space map, 470, 484
raw data, 445 address translation page faults, 518
reports, 447, 454 adjusting printer port characteristics, 121
daily command summary, 451, 452, adm file, 415, 435
456, 459 to 461 adm login account, 253
daily report (tty line utilization), 448, administering
449 character sets, 10, 92, 99
daily usage report, 449, 450 fonts, 10, 115, 119
last login report, 453 forms, 10, 105, 115
overview, 447 print filters, 10, 100, 104
total command summary printers, 59, 90
(monthly), 447, 452, 460, 461 Admintool
setting up, 437 ability to define printer with, 22
types of, 437, 443 Add Access To Printer window, 42
user fee calculation, 437, 446, 450 Add Local Printer window, 37
acct file, 434 Browse menu, 35
acct.h format files, 454 main window, 35, 36
acctcms command, 456, 461 prerequisites for using, 35
acctcom command, 452, 454 Printers window, 36, 37, 42
acctcon command, 438, 456, 459 starting, 35
acctdusg command, 444, 450, 458 terminals and modems, 204
acctprc command, 456 alert message priority, 573
acctwtmp command, 444, 445, 448 alerts
ACLs (access control lists), 280 for mounting character sets, 96
adding entries, 286 for mounting font cartridges, 94
changing entries, 286 for mounting forms, 106, 110
checking entries, 285 for mounting print wheels, 94
commands, 252 for printer faults, 72
default entries for directories, 282 alias for selectable character set, 93, 98, 99
deleting entries, 252, 287 aliases file (ASET)
described, 252, 280 described, 339
directory entries, 282 example, 349
displaying entries, 252, 288 format, 349
format of entries, 280 specification, 342
setting entries, 283, 285 alignment pattern
valid file entries, 281 defining, 146
active file, 439, 456, 459 printing, 109
[Link] file, 439, 459 protection of, 107
adapter board (serial port), 203 allow list
Add Access To Printer window, 42 for printer access to forms, 114
Add Local Printer window, 37 for user access to forms, 114
adding for user access to printers, 76
access to remote printers, 42
Index-664 System Administration Guide, Volume II ♦ October 1998
alphanumeric terminal, , see terminal, deleting, 428, 429
anonymous ftp accounts, 183, 185 described, 363, 364
application threads, 468, 469 displaying, 427, 428
ASCII file displaying queue of, 427
file content type of, 26 location of, 364
ASET CKLISTPATH_level variable, 348 submitting, 425
aset command, 245 verifying, 427
-d option, 350 [Link] file, 413, 425, 429, 430
-n option, 335 /atjobs directory, 364, 413, 415
-p option, 351 atq command, 427
initiating ASET sessions, 332 atrun command, 364
running ASET interactively, 350 audio devices, 248
running ASET periodically, 351 auth facility, 573
stop running periodically, 352 authentication
ASET environment file asetenv not found defined, 258
message, 354 DH, 305, 315
ASET error messages, 354 KERB, 309, 315
ASET task list TASKLIST undefined network security, 258, 260
message, 354 remote logins using ftp, 183, 185
ASET working directory $ASETDIR missing remote logins using rlogin, 172, 175, 182
message, 354 /etc/[Link] file, 174
ASET, , see Automated Security Enhancement .rhosts files, 175
Tool (ASET)\x0d, direct vs. indirect logins, 177
[Link] utility, 343 network vs. remote system
aset: invalid/undefined security level authentication, 172, 174, 177
message, 354 types, 258
ASETDIR variable, 344, 345 authorization
asetenv file defined, 258
described, 340 network security, 258, 260
error messages, 354 types, 258
modifying, 340 AUTH_DH authentication, 314
running ASET periodically, 351 AUTH_DH client-server session, 305, 308
ASETSECLEVEL variable additional transaction, 308
described, 344 client authenticates server, 308
setting security levels, 345 contacting the server, 306
asterisk (*) decrypting the conversation key, 307
in crontab file, 416 generating public and secret keys, 305
wildcard character, 348 generating the conversation key, 306
at command, 363, 425, 426, 430 running keylogin, 305
-l option (list), 427, 428 storing information on the server, 307
-m option (mail), 426 verifier returned to client, 307
automatic scheduling of, 415 AUTH_KERB authentication, 315
controlling access to, 413, 425, 429, 430 Automated Security Enhancement Tool
error messages, 430 (ASET), 331, 349, 354
overview, 363, 364, 413, 425, 476 automatic accounting, 434
quitting, 363 automatic quota turn on, 362, 397
at job files, 425, 429
creating, 426, 427
Index-665
automatic system activity data collection, 528, caches
531 buffer cache, 476, 508, 509, 530, 545
automatic system activity reporting, 528, 529 directory name lookup cache, 476, 477,
automatic system event execution 508, 545
repetitive events, 362, 413, 422, 424 cancel command, 85
single events, 363, 413, 425, 426, 430 canceling
print requests, 85
by disabling printer, 84
B
for specific user, 86
background processing, 253 remote logins, 172
backup files, 363, 426, 427 cartridges, , see font cartridges,
banner option, 69 catman database, 363
banner pages centralized
making optional, 69 print administration, 7
nothing else prints, 619 print configuration, 17
reasons to turn off, 68 CERT/CC, , see Computer Emergency
setting Response Team/Coordination
with Admintool, 22, 68 Center (CERT/CC)\x0d,
with lpadmin command, 68, 69 changing
with nobanner variable, 70 /etc/system file, 371, 375, 378
troubleshooting incorrect output, 600 crontab files, 417, 418
turning off, 70 date, 371, 373, 374
baud settings, 600 forms paper, 109
bidirectional modem service, 202, 228 kernel parameter values, 544
billing users, 437, 446, 450 message of the day, 374, 375
/bin directory, 470, 484 number of lock requests, 371
bin login account, 253 number of processes per user, 371, 375, 376
block devices number of pseudo-ttys, 371, 376
checking activity, 530 number of shared memory segments, 371,
booting 377
displaying messages generated priority, 490 to 492, 495
during, 571 real-time processes, 554, 556
running sadc command when, 528 timesharing processes, 492, 494, 495
Bourne shell priority of print requests, 79, 89
ASET working directory specification, 345 quotas for individual users, 408, 409
Browse menu (Admintool), 36 scheduling classes, 493, 494, 552
buffer cache soft limit time, 407, 408
checking activity, 508, 509, 530 time, 371, 373
overview, 476 character sets
setting maximum memory usage for, 545 hardware, 92, 93
bufhwm parameter, 545 managing, 92, 99
bye command, 184, 186 number, 92
selectable, 92, 93
C software, 92
C shell characters transferred
ASET working directory specification, 345 read/write system calls, 452, 454, 510
cable pin configuration, 604 terminal I/O, 526

Index-666 System Administration Guide, Volume II ♦ October 1998

chargefee command, 437, 446, 450 connect accounting, 443 to 445, 449, 450, 456,
chgrp(1) command 459
described, 251 consistency checking, 402
syntax, 270 console
chkey command, 305, 313 displaying su command use on, 301, 302
chmod command root access restriction to, 300
changing special permissions, 275, 276 context switches
described, 251 displaying information on, 498
syntax, 275 controlling
chown command access to at command, 413, 425, 429, 430
described, 251 access to crontab command, 413, 421, 422,
syntax, 269 424
[Link] file printer access to forms, 114
described, 334, 337 processes, 487
format, 338 user access to forms, 113
ckpacct command, 433, 435, 446 conversation key
class (printer), 70 decrypting, 307
checking status for, 80 generating, 306
defining with lpadmin command, 71 “copy-on-writes”, 518
not valid for enabling/disabling copying (remote)
printer, 84 using ftp, 184
clients using rcp, 191, 197
AUTH_DH client-server session, 305, 308 core files
displaying information about, 533, 540, automatically deleting, 425
542 finding and deleting, 389, 393
tracing calls to servers, 533, 536 core program name, 452
close command, 184 CPU (central processing unit)
closewtmp command, 456 defined, 468
closing remote system connections, 186 displaying information on
cmsn file, 461 context switch rate, 498
cmsprev file, 460 daily command summary, 452
collision rate (network), 537 dead processes, 454
Command not found error message, 591 queue activity and, 521
commands time usage, 450, 482, 496, 498, 503,
monitoring usage of, 459, 461 522, 523, 530
comment lines in crontab file, 416 high-usage processes, 496
common key, 305 when to add capacity, 521
calculation, 307 cpu fields
Computer Emergency Response iostat report, 503
Team/Coordination Center /crash directory, 393
(CERT/CC), 251 crash utility, 570, 581, 582
configuration scheduler, 554, 563 crashes, 572, 587
configuring customer service and, 568, 578
ASET, 340, 342 deleting crash dump files, 393
printer ports, 24 displaying system information generated
for x86 systems, 24 by, 570, 582
with Admintool, 37 examining crash dumps, 581, 582

Index-667
 procedure following, 568, 587 verifying existence of, 419
rebooting fails after, 585 crypt command, 252
saving crash dump information, 577 csh program, 297, 298
saving other system information, 571 .cshrc file, 250
creating [Link] file, 456, 459
at jobs, 426, 427 ctmp file, 459
crontab files, 417, 418 current user, 192
directories on remote system, 184 customer service, 568, 578
form definitions, 147 customizing
forms, 144 exit codes, printer, 130
print filters, 133, 142 LP print service, 10, 121, 149
cred database, 305, 311 printer interface program, 128, 131
cred table stty modes, 129
information stored by server, 307 system logging, 572
credentials, 484
described, 306
D
cron daemon, 364, 415
[Link] file, 421 to 424 daemon facility, 573
[Link] file, 421, 423 daemon login account, 253
crontab command, 363, 422 daemons
accounting commands run by, 433, 436 keyserv, 310
controlling access to, 421, 422, 424 lpd, 612
denying access, 421, 423 lpsched, 160, 163, 168
limiting access to specific users, 422 to print, 152
424 daily accounting, 445, 461
overview, 413, 421, 422 reports, 447, 454
cron daemon and, 415 daily command summary, 451, 452,
-e option (edit), 417, 418 456, 459 to 461
-l option (list), 419, 420 daily report (tty line utilization), 448,
-r option (remove), 420, 421 449
/var/adm maintenance and, 571 daily usage report, 449, 450
daily tasks, 363 last login report, 453
error messages, 424 overview, 447
files used by, 415 step-by-step summary of, 445, 447
overview, 363, 413 daily tasks (scheduling with crontab), 363
quitting without saving changes, 418 Data Encryption Standard, , see DES,
scheduling of, 415 date
/crontab directory, 413, 415, 417 changing, 371, 373
crontab files displaying, 367, 370
creating, 417, 418 synchronizing with another system, 371,
deleting, 420, 421 373
described, 415, 416 date command
displaying, 419, 420 accounting data and, 444, 445
editing, 417, 418 described, 367, 370, 371
location of, 415 daytacct file, 450, 456, 459, 461
running ASET periodically, 332 deadfiles file, 391
stop running ASET periodically, 352 deadlock avoidance, 549
syntax, 416
Index-668 System Administration Guide, Volume II ♦ October 1998
decrypting destination printer, 67
conversation key, 307 /dev/term/a, 23
secret key, 305 /dev/term/b, 23
default printer device drivers, 515
ability to set with Admintool, 22 device interrupts, 498, 502, 526, 527
setting with Admintool, 67 devices
setting with lpadmin command, 67, 68 system device access control, 248, 300
defaults, 545, 557 df command, 381, 506, 507
ACL entries for directories, 282 -F option (unmounted file systems), 381,
[Link] file, 429 383
[Link] file, 422 -g option (statvfs structure), 381
crontab files, 415 -k option (kilobytes), 381, 383, 506, 507
/etc/[Link] file, 330 -t option (total blocks), 381, 383
maxusers parameter, 476 examples, 382, 506, 507
message of the day, 375 overview, 381, 506
nice number, 495 dfstab file, 260
priority levels, 472, 473 DH authentication, 305
real-time parameter table, 561 AUTH_DH client-server session, 305, 308
scheduling classes, 491, 553 mounting files, 314
soft limit time, 407, 408 sharing files, 314
time slices, 558 DH security
timesharing parameter table, 559 for an NIS client, 312
defining for an NIS+ client, 311
font cartridges, 94 dial-in modem service, 202
print wheels, 94 dial-out modem service, 202
printer characteristics, 66 dial-up passwords, 295, 298
delete command, 184 basic sequence, 296
deleting /etc/dialups file, 296
access to printers, 60 /etc/d_passwd file, 296 to 298
ACL entries, 252, 287 disabling dial-up logins temporarily, 300
at jobs, 428, 429 dialups file
backup files, 363, 426, 427 creating, 298
core files, 393 described, 296
crash dump files, 393 diff utility (ASET), 339
crontab files, 420, 421 direct printing, 26, 27
.rhosts files, 175 direct remote logins
directories on remote system, 184 indirect logins vs.
files from remote directories, 184 rlogin, 176, 177
forms, 108 using rlogin, 181, 182
log files, 418 directio command, 473
old/inactive files, 363, 389, 394, 418 directories
print filters, 103 abbreviated pathnames, 191, 192
temporary files, 392 ACL entries, 282
deny list
for printer access to forms, 114
for user access to forms, 114
for user access to printers, 76
DES encryption, 304
Index-669
 ASET files, 332 displaying information about, 503, 511,
checklist task (CKLISTPATH) 512
setting, 341, 347 basic activity statistics, 498, 503, 511,
master files, 339 512
reports, 337 df command, 381, 506
working directory, 345, 350 directory sizes, 387, 389
current working directory for extended activity statistics, 505
processes, 470, 484 file sizes, 384, 385, 387, 389
displaying files and related free disk space, 381, 506
information, 251, 267, 268 iostat command, 473, 503
displaying information about, 384, 385, mount point, 383, 506
387, 389 overview, 473
ftp commands, 184 sar command, 511, 512
permissions UFS file system user allocation, 388,
defaults, 267 389
described, 264 vmstat command, 498
public directories, 266 file system usage, 381, 473, 506
remote copying, 193 finding and deleting old/inactive
setgid permissions, 266 files, 389, 394, 418, 426, 427
size of, 387, 389 finding files exceeding a size limit, 386
sticky bit permissions, 266 finding large files, 385, 386
temporary, clearing out, 389, 392 fragmentation of, 473
working directory, 192 optimizing, 381, 394
directory name lookup cache, 476, 477, 508, overview, 473
545 slowdowns
disable command, 81, 84 avoiding, 473
disabling, 245 checking for, 523
dial-up logins temporarily, 300 defined, 473
printers, 61, 84 space
quotas for individual users, 409, 410 amount of free, 381, 506
user logins, 293 optimizing usage, 381, 394
disk accounting, 444 to 446, 450 disk space for print queue, 20
disk drives DiskSuite, 473
described, 473 disktacct file, 445, 446, 456, 459
[Link] file, 456
diskusg command, 444, 445
dispadmin command
overview, 490
real-time parameter table display, 561, 562
rebooting and, 555
timesharing parameter table display, 559
dispatch activity, 518, 519, 530
displaying, 498
acct.h format files, 454
ACL entries, 252, 288
ASET task status, 333, 336
at jobs, 427, 428

Index-670 System Administration Guide, Volume II ♦ October 1998

 at queue, 427 overview, 444 to 446
booting messages, 571 domains (remote logins), 172
cache flushing information, 502 dot (.)
context switch information, 498 path variable entry, 250
crash information, 570, 582 rcp command syntax, 194, 197
crontab files, 419, 420 download filter, 116, 117
date, 367, 370 downloaded PostScript fonts, 118
directory information, 384, 385, 387, 389 downloading
file information, 384, 385, 387, 389, 390 fonts, 116, 620
file system information, 381, 473, 506 host-resident fonts, 117
files and related information, 251, 267, 268 dropped packets, 536
host ID, 367, 369 dtmp file, 458
interrupt information, 498, 502, 526, 527 du command, 387, 389
kernel parameters, 543 dump command, 589
linked libraries, 470, 484 d_passwd file
LWP information, 470, 501 creating, 298
network information, 533, 534, 536, 542 described, 296 to 298
operating system information, 368, 369 disabling dial-up logins temporarily, 300
pacctn file, 454 /etc/passwd file and, 297
priority information, 482, 491, 556
queue information, 505, 512, 520, 521, 530
E
quota information, 397, 403, 404
remote directory contents, 184 editing
remote directory name, 184 crontab files, 417, 418
root access attempts on console, 301, 302 edquota command
scheduling class information, 482, 490, 491 changing quotas for individual users, 408
status of forms, 113 disabling quotas for individual users, 409,
su command use on console, 301, 302 410
swap area information, 498, 521, 522 -p option (prototype), 401
swapping information, 501, 520, 522, 525, -t option (time limit), 408
526, 530 overview, 397, 398, 406
switching information, 525, 526, 530 setting up user quotas, 400, 401
system activity information, 507, 529, 531 [Link] file, 335, 337, 338
system call information, 498, 510, 530 enable command, 81
system event information, 500 enabling
system information printers, 84
commands for, 367, 370 encrypting
terminal I/O information, 503, 526, 528, capturing encrypted passwords, 299
530 files, 252
time, 367, 370 encryption, 304
tty line I/O information, 503, 526, 528, 530 [Link] file, 335, 337, 338
unmounted file system list, 381 environment file (ASET)
user’s login status, 291, 292 described, 340
dmesg command, 571 error messages, 354
dodisk command, 444, 445, 456 modifying, 340
caution, 445 running ASET periodically, 351
crontab entry that runs, 436 environment variables
files created by, 445, 446, 456, 459
Index-671
 ASET, 344, 348 /etc/lp/classes/printer-class file, 71
ASETDIR, 345 /etc/lp/default file, 68
ASETSECLEVEL, 345 /etc/lp/fd directory, 101, 162
CKLISTPATH_level, 341, 347 /etc/lp/[Link] file, 101
PERIODIC_SCHEDULE, 342, 346, 347, /etc/lp/[Link] file
351, 354 filter added in, 102, 103
summary table, 344 /etc/lp/forms directory, 107
TASKS, 341, 347 /etc/lp/forms/form-name file, 108
UID_ALIASES, 339, 342, 347 /etc/lp/forms/form-name/[Link] file, 111
YPCHECK, 342, 347 /etc/lp/forms/form-name/allow file, 114
LPDEST, 68 /etc/lp/forms/form-name/deny file, 114
PRINTER, 68 /etc/lp/forms/form-name/describe file, 107
equals sign (=) /etc/lp/interfaces directory, 70
file permissions symbol, 272 /etc/lp/printers directory, 152
error messages /etc/lp/printers directory
at command, 430 of print client, 61
crash messages, 570, 571 of print server, 62
crontab command, 424 /etc/lp/printers/printer-name/[Link] file, 73
customizing logging of, 572 /etc/lp/printers/printer-name/comment
log file for, 568, 571 file, 67
priorities for, 573 /etc/lp/printers/printer-name/configuration
runacct command, 439 file, 69, 75
sources of, 572 /etc/lp/printers/printer-name/configuration
specifying storage location for, 571 to 573 file, 95, 109
error protection, 456 banner page setting entered in, 70, 94, 96,
/etc/acct/holidays file, 435, 436, 450 109
/etc/cron.d/[Link] file, 425, 429, 430 /etc/lp/printers/printer-name/[Link]
/etc/cron.d/[Link] file, 421 to 424 file, 115
/etc/cron.d/[Link] file, 421, 423 /etc/lp/printers/printer-name/[Link]
/etc/default/login file file, 115
restricting root access to console, 300 /etc/lp/printers/printer-name/[Link]
/etc/default/su file file, 77
displaying su command use on /etc/lp/printers/printer-name/[Link]
console, 301, 302 file, 78
/etc/dfs/dfstab file, 260 /etc/lp/pwheels/charset-name/[Link]
/etc/dialups file file, 97
described, 296, 298 /etc/lp/Systems file, 61
/etc/d_passwd file /etc/motd file, 371, 374, 375
described, 296 to 298, 300 /etc/nologin file, 294
/etc/passwd file and, 297 /etc/[Link] file, 173, 253
/etc/[Link] file, 174 /etc/passwd file
/etc/[Link] file, 613 ASET checks, 334
/etc/init.d/acct file, 434 /etc/d_passwd file and, 297
/etc/init.d/perf file, 528, 531 /etc/password file, 183
/etc/inittab file, 226 /etc/printcap file, 151, 616
/etc/logindevperm file, 248 /etc/saf/_sactab file, 226
/etc/lp directory, 8 /etc/[Link] file, 572
/etc/lp directory, 151
Index-672 System Administration Guide, Volume II ♦ October 1998
/etc/system file PostScript, 26
changing, 371, 375, 378 simple, 26
kernel module variables, 545 troubleshooting incorrect output, 600
kernel parameter values, 544, 548, 550 file systems
maxusers parameter, 476 disk space usage, 381, 506
max_nprocs parameter, 544 displaying information about, 381, 473,
number of lock requests, 371 506
number of processes per user, 375, 376 for swapping, 475
number of pseudo-ttys, 371, 376 mount point, 383, 506
number of shared memory segments, 371, network statistics for, 540, 542
377 restoring, 437, 450
scheduler configuration tuning and, 556, statvfs structure for mounted, 381
558 unmounted, 381, 383
number of processes per user, 371 file table, 523, 524
/etc/utmp file, 228 File Transfer Protocol, , see ftp command,
/etc/vfstab file, 399, 402 file transfers, 253
/etc/publickey file, 305 filename doesn’t exist or is not readable
execute permissions message, 354
symbolic mode, 272 files, 529, 530
execution log (ASET), 335, 336 accounting, 458, 461
exit codes (printer interface), 130 backup, 363
standard, 129 checking access operations, 507, 508, 530
table of, 130 deleting old/inactive, 363, 389, 394, 418
exit command, 182, 183 displaying information about
export command, 345 listing, 384, 385
listing newest, 390
size, 384, 385, 387, 389
F
finding and deleting old/inactive, 389,
failed login attempts, 294, 295 394, 418, 426, 427
fast print filters, 117 finding files exceeding a size limit, 386
fault notification (printer) fixing corrupted
ability to set with Admintool, 22 tacct file, 439
setting with Admintool, 37, 71 wtmp file, 438, 456
setting with lpadmin command, 71, 73 for setting search path, 592
values for alerts, 72 fstat and fcntl information display, 470,
fault recovery (printer), 22, 74 484, 486
faults lock requests, 371
page, 498, 518, 519 sa filename prefix, 531
fcntl information, 470, 484, 486 size of, 384, 385, 387, 389
fd2log file, 439, 456, 459 usage monitoring, 444, 445, 450
fee file, 437, 446, 456, 458 used by LP print service, 152
fees (user), 437, 446, 450 files and file systems
file content type, 26 abbreviated pathnames, 191, 192
ability to set with Admintool, 22
converted by print filters, 100, 134
for common printers, 27
menu in Admintool, 27
non-PostScript printers, 27

Index-673
 ACL entries searching .rhosts files, 179
adding or modifying, 286 finding
checking, 285 files exceeding a size limit, 386
deleting, 252, 287 large files, 385
displaying, 252, 288 old/inactive files, 389, 394, 418, 427
setting, 283, 285 finding and deleting, old/inactive files, 427
valid entries, 281 firewall systems
administration commands, 251 ASET setup, 258, 335
ASET checks, 333, 334 described, 250, 257
ownership packet smashing, 258
changing, 251 trusted hosts, 258
setgid permission and, 266 [Link] file, 335, 337, 338
setuid permission and, 265 /fiscal directory, 459, 461
permissions fiscrptn file, 461
absolute mode, 271, 274 font cartridges, 93
changing, 251, 271, 277 alerts for mounting, 94, 96
defaults, 267 defining, 94
described, 264 mounting, 95
setgid, 266 naming, 93
setuid, 265 unmounting, 95
sticky bit, 266 fonts
symbolic mode, 271, 272, 276, 277 downloaded PostScript, 118
umask setting, 267 downloading, 116, 117, 620
security, 251, 263, 280 host-resident, 116, 117
access restriction, 249 installing, 118
ACLs (access control lists), 252, 280 managing, 115
changing ownership, 269, 271 permanently downloaded, 116
changing permissions, 271, 277 PostScript, 115
directory permissions, 264 printer-resident, 116
displaying file information, 251, 267, styles, 92
269 forcing programs to quit, 587
encryption, 252 forms
file permissions, 264 adding, 105, 107
file types, 268 alerts for mounting, 106
overview, 247 allowing user access, 113
special file permissions, 266, 272, 278 changing, 105
umask default, 267 controlling access to, 107
user classes, 264 creating, 144
sharing files, 260 default values for, 145, 146
system logins, 253 definition, creating, 147
files entry in [Link] file, 253 deleting, 105, 108
filtering, 26 denying user access, 113
printing without, 26 displaying attributes of, 106
filters, 100 limiting printer access to, 114
download, 116, 117 limiting user access to, 113
find command, 386, 389, 391, 393 managing, 105
finding files with setuid permissions, 277, mounting, 106, 108
278
Index-674 System Administration Guide, Volume II ♦ October 1998
 paper (loading and removing), 109 construction of, 556
printer access required for, 108 defined, 490
setting alerts for mounting, 110 displaying, 491, 556
tracking forms mounted, 106 initial, 556
unmounting, 108 maximum, 557
viewing status of, 113 real-time processes, 555, 562
fragmentation, 473 scheduler and, 552, 555, 556
frame buffers, 248 system processes, 555
free list, 498 timesharing processes, 556, 560
freeing memory, 476, 513, 514, 530 group 14, 35
freemem parameter, 549 group ACL entries
fsck command, 363 default entries for directories, 282
fsflush command, 549 described, 281
fstat information, 470, 484, 486 setting, 283, 285
ftp command group identifier numbers (GIDs), 253
authenticating remote logins, 183 groups
authentication, 258 ASET check, 334
described, 184 changing file ownership, 270
interrupting logins, 172
opening remote system connections, 185
H
remote logins compared to rlogin and
rcp, 183 hard disk
ftp command interpreter, 184 recommended for print server, 21
ftp sessions, 169 held signals, 470, 484
anonymous ftp accounts, 183, 185 help command, 184
authenticating remote logins, 183 hex+symbolic stack trace, 470
closing remote system connections, 186 high ASET security level, 332
commands, 184 history log (print requests), 154
copying files hog factor
from remote system, 186 reporting on, 452, 454
to remote system, 188 holidays file, 435, 436, 450
opening remote system connections, 185 host-resident fonts
remote logins compared to rlogin and downloading, 117
rcp, 183 PostScript, 118
hostid command, 367, 369
hosts
G checking response of, 534
get command in /etc/[Link] file, 174
copying from remote systems, 186 sending packets to, 534, 535
described, 184 trusted hosts, 258
example, 187 [Link] file, 174
getfacl command
described, 252
I
displaying ACL entries, 288
examples, 288 I/O (input/output) devices
verifying ACLs set on files, 284 described, 468
getty, 203 I/O, direct, 473
global priorities

Index-675
I/O-intensive processes, 476 acquiring a ticket for root, 315
ICMP protocol, 537 destroying tickets, 318
idle mode (CPU), 500, 503, 522 logging into, 316
igets command Kerberos authentication, 308
with page flushes, 514 implementing, 309
number of requests for inodes not in sharing file systems with, 315
directory name lookup kern facility, 573
table, 508 kernel
IGMP protocol, 537 buffer cache and, 476
indirect remote logins, 176, 177 memory allocation for, 515, 516, 530
init process, 444, 445, 552, 556 module variable setting, 544, 545
init program, 226 paging and, 475
initializing quotas, 398, 402 parameters
inode table buffer cache, 545
size of, 476, 545 changing value of, 544
status of, 523, 524 IPC, 546
inodes, 508, 513, 514 kernel-mode parameter table, 563
installing memory management, 548, 550
local printers, 38 miscellaneous, 550
PostScript fonts, 118 overview, 476, 477
interactive scheduler configuration, 556, 558
commands for restore, 589 STREAMS, 546
interactive processes, 473 tuning, 548, 550, 556, 558
interactively running ASET, 350 UFS, 476, 477, 545
interface program (printer) system process priority and, 473
customizing, 128, 131 Kernel Memory Allocator, 515, 516, 530
standard, 132 kernel thread
Internet firewall setup, 250 displaying information on, 520, 521, 525
interprocess communication scheduling and, 482, 551
checking, 517, 530 structures, 469, 482
increasing shared memory, 377 kernel-mode parameter table, 563
parameters, 546 /kernel/sched directory, 553, 554, 558
tuning parameters, 548 key distribution center, 309
interrupting programs, 587 key, how to create for an NIS user, 313
interrupting remote logins, 172 keyboards, 248
interrupts, 498, 502, 526, 527 keylogin command, 311, 312
iostat command, 503 running, 305
basic information display, 503, 504 keyserv daemon, verifying, 310
-xtc option (extended), 504, 505 keyserver, starting, 310
overview, 473, 503 kill command, 472, 489
IP routing table, 538 killing processes, 470, 472, 489
kilobytes
file system disk usage in, 506
K
read/write statistics in, 505
KDC, , see key distribution center, kinit command, 308, 309, 316
kdestroy command, 308, 309, 318 klwp structure, 469
kerbd, 309 Korn shell
Kerberos, 308

Index-676 System Administration Guide, Volume II ♦ October 1998

 ASET working directory specification, 345 print queue, 153
ksh program, 297, 298 print request history log, 154
ksrvrtgt command, 316 requests, 163
kthread structure, 469 [Link] file, 459
logging in
displaying user’s login status, 291, 292
L
remote logins, 172, 186
large files, 385, 386 authentication (ftp), 183
last login report, 453 authentication (rlogin), 172, 175
lastdate file, 456, 459 direct vs. indirect (rlogin), 176, 177
lastlogin command, 456 finding who is logged in, 181
lcd command, 184 ftp commands, 184
leaks, memory, 515 interrupting, 172
libraries (linked), 470, 484 linking logins, 175
limiting opening ftp connection, 185
printer access to forms, 114 using rlogin, 181, 182
user access to forms, 113 root login
line discipline, 227 access restrictions, 300
line usage monitoring, 443, 444, 448, 449, 456, account, 253, 300
459, 461 restricting to console, 300
lineuse file, 456, 459, 461 tracking, 256
linked libraries, 470, 484 security
linking remote logins, 175 access restrictions, 253
listing saving failed attempts, 294, 295
files and directories, 384, 385, 390 system access control, 248
kernel parameters, 543 system device access control, 248
processes being executed, 483 tracking root login, 256
listing, , see displaying\x0d, system logins, 253, 254
loading form paper, 109 logging out (remote systems), 182, 183
local printer login command, 444, 445
adding by using Admintool, 38 .login file, 250
defined, 18 restricting root access to console, 300
task map for setting up, 33 restricting root access to devices, 300
local printing, 164 login monitoring
lock file, 439, 456, 459 last login, 453, 456, 461
lock1 file, 456 number of logins, 450
locks time usage, 443, 444, 446, 450, 456
as critical resources, 563 logindevperm file, 248
increasing number of requests for, 371 loginlog file, 456, 460, 461
software, 518 overview, 294
log file, 459 saving failed login attempts, 294, 295
log files, 163 logins command
ASET execution log, 335, 336 displaying user’s login status, 291, 292
cleaning out, 163 displaying users with no passwords, 293
codes in request log, 155 syntax, 292, 293
deleting automatically, 418 lotsfree parameter, 549
for LP print service, 153, 599 low ASET security level, 332
monitoring su command, 256, 301

Index-677
LP commands, 624 lpset command, 6
lp login account, 253 ls command, 384, 385, 390
LP print service -l option (size in bytes), 384, 385
checking basic functions of, 610, 606 -s option (size in blocks), 384, 385
configuration files in, 150 -t option (newest files), 390
customizing, 10, 121, 147 LWPs (lightweight processes)
daemons, 152 defined, 468
defined, 149 displaying information on, 470, 501, 520,
defining printer characteristics to, 18 525
directories in, 150 kernel stack size for, 550
files used by, 152 processes and, 468, 469
hung LP commands, 624 structures for, 469
interface program, 163 swapping, 475, 520, 525
log files, 153, 599
overview of, 10, 149
M
structure of, 150
tracking forms, 106 madvise command, 476
tracking print wheels, 94 mail facility, 573
troubleshooting, 599, 601 mask ACL entries
LP print service, see print scheduler default entries for directories, 282
scheduler,, described, 281
LP print spooler, 53 setting, 283, 285
lpadmin command master files (ASET), 333, 339
adding printer description with, 66 maxclsyspri parameter, 557
adjusting printer port characteristics maximums
with, 123 acctdusg users processed, 445
defining font cartridges with, 94 buffer cache memory, 545
defining print wheels with, 94 finding files exceeding maximum size, 386
defining printer class with, 71 frlocks, 549
limiting access to printers with, 77 global priority, 557
limiting printer access to forms with, 114 inode table size, 476
making banner pages optional with, 69 nice number, 495
mounting font cartridge with, 96 pacct file size, 444
mounting forms with, 109 priority, 491, 557, 558
mounting print wheel with, 96 process size, 476, 477
setting alerts to mount forms with, 110 real-time process priority, 558
setting alerts to mount print wheels user processes per user-id, 476, 477
with, 97 users, 476
setting default printer with, 68 maxuprc parameter, 375, 376, 476, 477
setting printer fault alerts with, 72 maxusers parameter, 476
setting printer fault recovery with, 75 max_nprocs parameter, 476, 477, 544
unmounting forms with, 109 mdelete command, 184
lpd daemon, 612 medium ASET security level, 332
LPDEST environment variable, 68 memory
lpfilter command, 101 deadlock avoidance, 549
lpsched daemon, 160, 163, 168 described, 468
lpsched log file, 163 disk slowdowns and, 473

Index-678 System Administration Guide, Volume II ♦ October 1998

 displaying information on file permissions symbol, 272
amount installed, 367, 370 /etc/[Link] file syntax, 174
daily command summary, 452 mmap command, 476
daily usage report, 450 modem
dead processes, 454 defined, 202
free space, 498 modem interrupts, 526, 527
freeing activities, 513, 514, 530 modems
kernel allocation, 515, 516 bidirectional service, 202, 228
swap activity, 525, 526 dial-in service, 202
swap space, 498, 521, 522 dial-out service, 202
swapping activities, 501, 520, 522, 530 different ways to use, 202
unused memory, 521, 522 menu items in Serial Port Manager, 211
virtual memory statistics, 367, 370, 498 overview of Serial Port Manager, 207
free list, 498 setting up, 215
freeing, 476, 513, 514, 530 setting up for use with UUCP, 217
leaks in, 515 tools for managing, 204
parameters, 548, 550 monacct command
preventing monopolization of, 476 crontab entry that runs, 435
process structures and, 469 files used/produced by, 461
shared monthly command summary and, 451, 452
increasing number of segments, 371, runacct command and, 447, 456
377 scheduling running of, 433
interprocess communication monitoring
parameters, 548 su command use, 256, 301
process virtual memory, 469 system usage, 249
record table, 523, 524 monthly command summary, 447, 452
unused, 521, 522, 530 monthly tasks, 363
virtual MOTD (message of the day) facility, 371, 374,
displaying information on, 367, 370, 375
498 motd file, 371, 374, 375
process, 469 mount point, 383, 506
when to add more, 513, 514 mounting
MERGE command, 456 font cartridges, 95
MERGETACCT command, 456 forms, 106, 108
message of the day (MOTD) facility, 371, 374, print wheels, 95
375 mouse (system device access control), 248
messages file, 568, 572 moving print requests, 87, 88
messages.n file, 571 mput command
metadata, 508 copying to remote systems, 188
mget command described, 184
copying from remote systems, 186 example, 190
described, 184 msginfo_xxxxxx parameters, 545, 548
example, 188 multiple files (ftp), 186
minimums multiuser state, 448
memory to avoid deadlocks, 549
nice number, 495
priority, 491
minus sign (-)
Index-679
N packets
name service capturing from network, 533, 536
advantages of, 7 dropped, 536
names, 364 error rates, 537
directory name lookup cache, 476 number transmitted, 536
.a file extension, 425 reliability testing, 533 to 535
sa filename prefix, 529 to 531 sending to hosts, 534, 535
ncsize parameter, 476, 545 recognizing access problems, 595
ndquot parameter, 476, 477 tracing client calls to servers, 533, 536
netpr file, 6 troubleshooting
netstat command, 536, 538 hardware components, 542
-i option (interfaces), 536, 537 high retransmission rate, 539
-r option (IP routing table), 538 newkey command, 305, 313
-s option (per protocol), 537 NFS system, 304
overview, 533, 536 NFS systems (ASET), 343, 344
network authentication for remote logins, 172, nfsstat command, 540, 542
174, 177 -c option (clients), 539, 540
network printer -m option (per file system), 540, 542
adding, 48 -s option (servers), 540
defined, 48 overview, 533, 540
task map for setting up, 33 nice command, 494 to 496
network security, 256, 260 nice number, 482, 494, 495
authentication, 258, 260 NIS, 7
authorization, 258, 260 nis entry in [Link] file, 253
firewall systems, 257, 258 NIS+
described, 250, 257 advantages of, 7
need for, 250 ASET checks, 342
packet smashing, 258 authentication, 258
trusted hosts, 258 authorization, 258
issues, 249 cred database, 304, 311
overview, 247, 256 publickey database, 305
networks nisaddcred command, 305, 311
commands for monitoring nisplus entry in [Link] file, 253
performance, 533 nlsadmin command, 230
displaying performance information, 533, nobanner option, 69, 70
534, 536, 542 nobody user, 260
client statistics, 540, 542 non-PostScript printers, 27, 92, 93
collision rate, 537 npty parameter, 550
host response, 534 [Link] file, 173, 253
interface statistics, 536, 538 nstrpush parameter, 546
IP routing table, 538 nuucp login account, 253
server statistics, 540, 542
O
open command, 184
opening remote system connections, 184, 185
OpenWindows software, 35

Index-680 System Administration Guide, Volume II ♦ October 1998

operating system, 368, 369 dial-up passwords, 295, 298
optimizing disks, 381, 394 basic sequence, 296
other ACL entries disabling dial-up logins
default entries for directories, 282 temporarily, 300
described, 281 /etc/dialups file, 296
setting, 283, 285 /etc/d_passwd file, 296 to 298
ownership displaying users with no passwords, 293
why it changes, 594 eeprom security, 254
ownership of files login security, 248, 253, 254
ACLs and, 252, 280 secret-key decryption, 305
changing, 251, 269 system logins, 253, 254
changing group ownership, 270 PATH environment variable, 335
owtmp file, 460 path variable, 249, 250
pathnames
rcp command
P
absolute vs. abbreviated, 191, 192
pacctn file syntax options, 192
displaying, 454 tilde (~) in, 191, 192
monitoring size of, 446, 456 pcred command, 484
overview, 446, 456, 458 pending signals, 470, 484
packet transfers perf file, 528, 531
firewall security, 250 performance, 467, 498, 531
packet smashing, 258 activities that are tracked, 477
page daemons automatic collection of activity data, 528,
cycles used by, 513 529, 531
scheduling policies and, 553 books on, 468
paging buffer activity, 508, 509, 530
defined, 475 cache flushing, 502
displaying information on disk management, 498, 503, 511, 512
general paging activity, 498 file access, 507, 508, 530
page faults, 498, 518, 519 interprocess communications, 517, 530
page-ins, 498, 518, 519, 530 interrupts, 498, 502, 526, 527
page-outs, 498, 513, 514, 530 kernel parameters, 476, 477
unused pages, 521, 522 manual collection of activity data, 507,
priority of, 472 528, 529, 531
panic: messages, 570 memory management, 475, 476, 498, 513,
parallel printer, 23 516, 521, 522, 525, 526, 548,
parity bit, 601 550
passwd file paging, 498, 513, 514, 530
ASET checks, 334 process management, 468, 472, 481, 495
/etc/d_passwd file and, 297 queue, 505, 512, 520, 521, 530
passwords, 169 reports on, 507, 531
authentication for remote logins swap areas, 498, 521, 522
ftp, 183, 185 swapping, 501, 520, 522, 525, 526, 530
rlogin, 172, 177, 182 system activity monitoring, 477, 507, 528,
capturing encrypted passwords, 299 531
system calls, 498, 510, 530

Index-681
 system event monitoring, 500 pmadm command
system tables, 523, 524, 530 adding a ttymon service with, 235
terminal I/O, 503, 526, 528, 530 disabling a ttymon service with, 239
tools for monitoring, 478, 531 enabling a ttymon service with, 238
traps, 498 explained, 226
PERIODIC_SCHEDULE variable listing a ttymon service with, 236
described, 344 pmap command, 470, 484
scheduling ASET, 342, 346, 347, 351 port, 24
permissions, 245 defined, 202
ACLs and, 252, 280 disabling, 219
ASET handling of, 332, 333 initialization process of, 227
changing file permissions, 251 initializing, 218
absolute mode, 271, 274 removing service, 220
symbolic mode, 271, 272, 276, 277 states of (table), 243
copying requirements, 193 port monitor
defaults, 267 defined, 203
directory permissions, 264 states of (table), 242
file permissions ttymon and listen (defined), 203, 228
absolute mode, 271, 274 ports in /etc/dialups file, 296
changing, 271, 277 PostScript fonts, 115, 118
described, 264 installing, 118
special permissions, 266, 272, 278 PostScript printers, 92
symbolic mode, 271, 272, 276, 277 character sets for, 93
setgid permissions default print filters, 101, 102
absolute mode, 272, 276 file content type for, 26
described, 266 printer type for, 25
symbolic mode, 272 PostScript Reverse printer, , see Reverse
setuid permissions PostScript printer,
absolute mode, 272, 276 power cycling, 587
described, 265 power failure recoveries, 448
finding files with permissions set, 277, prdaily command
278 files used by, 459, 460
security risks, 266 line usage reporting and, 461
symbolic mode, 272 overview, 456
special file permissions, 266, 272, 278 runacct command and, 456, 461
sticky bit, 266 print administration, centralized, 7
tune files (ASET), 339, 342 print client
umask settings, 267 checking configuration of, 608
user classes and, 264 defined, 18
pfiles command, 470, 484, 486 deleting access to printers, 60
pflags command, 470, 484 freeing jobs in, 627
physical security, 248 setting up, 42
pin configuration in cables, 604, 605 print client software, 7
ping command, 180, 533, 534 print configuration
pldd command, 470, 484 centralized, 17
plus sign (+) using SunOS 5.7 and 4.1 systems, 18
file permissions symbol, 272 print daemons, 152
/etc/[Link] file syntax, 174
Index-682 System Administration Guide, Volume II ♦ October 1998
print filters IDs, 80
adding, 101 canceling print requests by, 85
bypassing, 619, 620 components of, 85
changing, 100, 101 in banner page, 68
characteristics of, 140 in status of print request, 80
converting file content type, 100 moving print requests by, 88
creating, 100, 133, 142 log, 155
defined, 100, 162 managing, 78, 79
definitions, 136 moving to another printer, 87, 88
deleting, 103 moving to head of queue, 89
displaying definition of, 103 putting on hold, 89
download, 117 rejecting, 61, 81
fast, 117 scheduling, 162
handling special modes, 134 setting printer to accept or reject, 82
managing, 100, 101 print scheduler
not provided in SunOS 5.7, 102 if not running, 606
options keywords, 140, 145 managing, 60
PostScript, 101 restarting, 65
removing, 100, 101 starting, 66, 161
required for printer fault recovery, 74 stopping, 65, 161
requirements for, 135 updating LP system files, 160
restoring, 100, 101 print server
slow, 117 checking access to, 611
templates to define options, 139 checking configuration of, 608
to convert from troff to PostScript, 143 checking connections of, 607
TranScript, 101 defined, 18, 36
types of, 133 deleting printer from, 62
used to convert files, 133 hard disk requirements for, 21
used to put request on hold, 135 setting up, 36, 37
viewing information about, 103 spooling space required for, 20
print forms, , see forms, system resource requirements for, 20
print jobs, , see print requests, print service, , see LP print service,
print management, 3, 10 print spooler (SVR4), 53
print protocol adaptor, 5 print wheels, 93
print queue alerts for mounting, 94, 96
log of, 153 defining, 94
print requests mounting, 95
IDs naming, 93
canceling print requests by, 85, 86 tracking, 94
changing priority of print requests unmounting, 95
using, 90 printcap entry, 616
accepting, 81, 109 printer class, 70
canceling, 85 checking status for, 80
by disabling printer, 84 defining with lpadmin command, 71
for specific user, 86 not valid for enabling/disabling
changing priority of, 79, 89 printer, 84
checking status of, 79 setting, 22
cleaning out from log file, 163
Index-683
printer description faults
ability to set with Admintool, 22 detecting, 134
setting with lpadmin command, 66 messages, 131
printer destination restarting printing, 626
ability to set with Admintool, 22 file content types
setting with Admintool, 67 effect on filtering, 619
setting with lpadmin command, 67 incorrect output, 619
PRINTER environment variable, 68 font cartridges, 92
printer interface program, 163 interface program
printer name, 22 customizing, 128, 131
printer port exit codes, 130
ability to set with Admintool, 22 standard, 129, 132
adjusting characteristics of, 123 local, 18, 33, 164
characteristics, adjusting, 121 adding by using Admintool, 38
configuring, 24 network, 33, 48
enabling multiple ports, 24 non-PostScript, 92, 133
parallel, 23 parity bit, 601
serial, 23 PostScript
printer status, 63 character sets for, 93
printer type treatment of text, 92
ability to set with Admintool, 22 print wheels, 92
defined in terminfo database, 152 rejecting print requests, 82
not in terminfo database, 26 remote, 165
troubleshooting setting of, 618 setting definitions for, 66
printer(s) setting up, 29
accepting print requests, 82 with Admintool, 35, 42
access to settings
deleting, 60 baud, 600
access to forms, 108 parity, 601
administering, 59, 90 return, 601
allow list, 76 stty, 122, 125, 621 to 623, 626
allowing user access, 77 tab, 601
baud settings, 600 status
controlling availability of, 82 checking, 63, 79
default, 68 conflicting messages, 603
deleting, 60, 63 stty settings, 129, 621 to 623, 626
deleting client access to, 60 troubleshooting
deleting from print server, 60, 62 backup in printer queue, 602
deny list, 76 conflicting status messages, 627, 603
denying user access, 77 hung LP commands, 624
description, adding, 66 hung printers, 625, 602
disabling, 61, 81, 84 incorrect output, 618, 600
enabling, 81, 84 incorrect printer type, 618
fault alerts, 72 not accepting requests, 607
fault notification, 71 only banner page prints, 619
print service commands, 601
unsupported, 124

Index-684 System Administration Guide, Volume II ♦ October 1998

printer(s), see alerts global
alerts,, construction of, 556
printer(s), see fonts defined, 490
fonts,, displaying, 491, 556
printer(s), see printer class initial, 556
class,, maximum, 557
printer(s), see printer type real-time processes, 555, 562
type,, scheduler and, 552, 555, 556
printer-resident fonts, 116 system processes, 555
Printers window, 37 timesharing processes, 555, 560
[Link] file, 6 maximums, 491, 557, 558
printing overview, 472, 490, 495
banner pages, 68 scheduling classes and, 472, 473, 491, 492,
local (diagram), 164 551
processing or stopping, 81 user-mode priority, 490
remote, 165 priority of print requests, 79, 89
special modes, 134 private interfaces, 151
spooling directory, 157 private key, 305
status messages, 627 /proc directory, 470
user fee calculation for, 437 /proc file system, 383
printing (remote), 437 proc structure, 469, 482
priocntl command /proc/bin directory, 484
overview, 490, 555 /proc/bin directory, 470
-c option (scheduling class process accounting, 444, 446, 449, 450
designation), 491, 493 process file system (PROCFS), 470
-e option (execute), 491 process table, 523, 524
-i option (ID type), 492, 493 processes, 471
-l option (scheduling class display), 490, accounting utilities for, 444, 446, 449, 450
491 address space map, 470, 484
-m option (max/min priority), 491, 492 application threads and, 468, 469
-p option (priority designation), 491, 492, controlling, 487
556 credentials, 484
-s option (priority upper limit/change current working directory for, 470, 484,
priority), 492, 493 486
priority (process) defined, 468
changing, 490 to 492, 495 displaying information on, 482, 487
real-time processes, 554, 556 acctcom command, 454
timesharing processes, 492, 494, 495 daily usage report, 449, 450
defaults, 472, 473 dead processes, 454
designating, 491, 492 listing processes being executed, 483
displaying information on, 482, 491, 556 LWPs, 470, 501, 520, 525
priocntl command, 490
ps command, 482, 483, 491
sar -q command, 520, 521
tool commands, 470, 484, 487
vmstat command, 498, 501

Index-685
 fstat and fcntl information for open system
files, 470, 484, 486 described, 472
init, 444, 552, 556 priority of, 472, 473, 552, 553, 555, 557
interactive, 473 real-time processes and, 552
killing, 472, 489 scheduling policies for, 553, 555
libraries linked into, 470, 484 timesharing processes and, 552
maximum size of, 476, 477 terminology, 468, 469
maximum user processes per user-id, 476, timing, 484
477 tool commands, 470, 484
nice number of, 482, 494 to 496 tracing flags, 470, 484
number per user, 371, 375, 376, 476, 477 trees, 470, 484, 486
priority, 472, 495 troubleshooting, 496
changing, 490 to 492, 495 UNIX, priority of, 472
changing real-time process waiting for, 487, 560
priority, 554, 556 processing printing, 81
changing timesharing process processors, allocating groups for
priority, 492, 494, 495 applications, 470
defaults, 472, 473 PROCFS (process file system), 470
designating, 491, 492 .profile file, 250
displaying information on, 482, 491 programs
global priorities, 490, 491, 552, 555 to disk-dependency of, 508
557, 560, 562 forcing to quit running, 587
maximums, 491, 557, 558 interrupting, 587
overview, 472, 490, 495 protection page faults, 518
scheduling classes and, 472, 473, 490 prtconf command, 367, 370
to 492, 551 prun command, 487
user-mode priority, 490 ps command, 482, 484
restarting, 470, 487 fields in reports from, 482, 495, 496
runaway, 496 overview, 482
scheduling classes, 472, 473, 490, 495 -c option (scheduling class), 482, 496
changing, 493, 494, 552 -ecl option (global priority), 491
changing priority of, 490 to 492, 495 -ef option (full information), 471, 483
defaults, 491 -elf option (page daemon cycles), 513
described, 472, 473 PS printer type, 25
designating, 491, 492 pseudo-ttys
displaying information on, 482, 490, changing number of, 371, 376
491 number configured, 550
priority levels and, 472, 473, 490 to psig command, 470, 484
492, 551 PSR printer type, 25
scheduling policies and, 472, 473, 552, psrset command, 470
553 pstack command, 470, 484
types of, 472, 473 pstop command, 487
signal actions, 470, 484 [Link] file, 458
sleeping, 553, 560, 563 ptime command, 484
stack trace, 470, 484 ptree command, 470, 484, 486
stopping temporarily, 470, 487 pt_cnt parameter, 376, 550
structures for, 469, 482 public directories, 266

Index-686 System Administration Guide, Volume II ♦ October 1998

public key, 305 configuring file systems for, 399
public-key cryptography consistency checking, 402
AUTH_DH client-server session, 305, 308 disabling for individual users, 409, 410
changing public and secret keys, 305 displaying information on, 397, 403, 404
common key initializing, 398, 402
calculation, 307 overview, 397
database of public keys, 305 prototype for multiple users, 401
generating keys removing, 406
conversation key, 306 requirements, 398
public and secret keys, 305 setting up, 397, 403
secret key soft limit time
changing, 305 changing, 407, 408
database, 305 exceeding, 407
decrypting, 305 turning off, 398, 410
generating, 305 turning on, 398, 402, 403
publickey map, 305 user
put command changing for individual users, 408,
copying to remote systems, 188 409
described, 184 checking for exceeded, 404
example, 189 disabling for individual users, 409,
pwait command, 484, 487 410
pwdx command, 470, 484, 486 setting up, 400, 401
soft limit time, 407, 408
verifying, 397, 403, 408
Q
quotas file, 362, 397, 399
question mark (?) wildcard character, 348
queue
displaying at queue, 427 R
displaying information about, 505, 512, rcp command, 191, 197
520, 521, 530 authentication, 258
quitting compared to ftp, 183
at command, 363 copying between local and remote
crontab command without saving systems, 193, 197
changes, 418 copying directories, 193
forcing programs to quit, 587 described, 191
quot command, 388, 389 examples, 194, 197
quota command, 397, 403, 404, 408 pathnames
quota structures, number of, 476 absolute vs. abbreviated, 191, 192
quotacheck command, 397, 398, 402 syntax options, 192
quotaon command, 397, 402, 403 security issues, 191
quotas, 395, 405 specifying source and target, 191, 192
administering, 405 rdate command, 371, 373
automatic turning on of, 362, 397 read permissions
changing, 406 symbolic mode, 272
changing for individual users, 408, 409 read system call
checking, 403 statistics on, 452, 454, 510
checking for exceeded user quotas, 404 reads, 505, 508, 512
checking on file systems, 405

Index-687
real-time parameter table, 561, 562 finding who is logged in, 181
default, 561 ftp commands, 184
fields, 562 interrupting, 172
overview, 554, 558 linking logins, 175
sample, 561 nuucp login account, 253
scheduler configuration changes and, 555 opening ftp connection, 185
real-time processes removing .rhosts files, 179
changing class of, 493, 494 using rlogin, 181, 182
described, 472 verifying remote system operation, 180
overview, 472, 473 remote printing
priority of diagram of process, 165
changing, 554, 556 user fee calculation for, 437
global, 555, 562 remote systems, 172
initial, 556 communication methods, 183
maximum, 558 defined, 172
overview, 472, 473, 552, 554 logging in, 172, 186
parameters controlling, 562 authentication, 258
specifying relative, 491 authorization, 258
scheduling policies for, 554, 555 nuucp login account, 253
system processes and, 552 logging out (exit), 183
timesharing processes and, 552, 554 remote copying
rebooting using ftp, 184
fails after crash, 585 using rcp, 191, 197
monitoring, 443 to 445, 448, 456 verifying operation, 180
reboots file, 456, 459 removing form paper, 109
receiver hardware interrupts, 526, 527 repetitive system events, 363, 413, 422, 424
recognizing network access problems, 595 replayed transactions, 307
reject command, 82 reporting
rejecting, 81 automatic, 528, 529
rejecting print requests, 61, 82 reports
remote copying, 169 ASET, 337 to 339
using ftp, 184 reports (ASET), 337, 338, 344
using rcp, 191, 197 reports directory, 337
remote ftp server, 184 repquota command, 403, 405
remote login and security, 307 requests log, 163
remote logins reset command, 184
authentication, 258 residentfonts file, 118
authentication (ftp), 183 restarting
authentication (rlogin), 172, 175 lpd daemon, 613
network authentication vs. remote print scheduler, 65
system authentication, 172, processes, 470, 487
174 runacct command, 440, 456, 458
/etc/[Link] file, 174 restore
.rhosts files, 175 interactive commands, 589
authorization, 258 using matching commands, 589
closing ftp connection, 186 restoring (ASET), 343
direct vs. indirect (rlogin), 176, 177 restoring file systems, 437, 450
domains, 172
Index-688 System Administration Guide, Volume II ♦ October 1998
restricted shell (rsh), 255 failure of, 439
return settings, 601 files used/produced by, 458, 459, 461
Reverse PostScript printer fixing corrupted files, 438, 456
file content type for, 27 last time executed, 459
method of printing, 26 monacct command and, 456
printer type for, 25 to 27 overview, 446, 456
.rhosts files prdaily command and, 456, 461
remote system authentication process, 173 progress file, 456
to 176, 179 restarting, 440, 456, 458
rlogin command running after midnight, 456
authentication, 172, 175, 258 scheduling running of, 433
network vs. remote system serial use of, 459
authentication, 172, 173 states of, 456
/etc/[Link] file, 174 user fee calculation and, 437, 450
.rhosts files, 175 [Link] command, 456
compared to ftp, 183 runaway processes, 496
described, 172 running, , see starting\x0d,
direct vs. indirect logins, 176, 177 rusers command, 181
interrupting logins, 172
process after logging in, 178, 179
S
using, 181, 182
rm command, 175, 391, 392 sa filename prefix, 529 to 531
root access sa1 command, 528, 529
displaying attempts on console, 301, 302 sa2 command, 528, 529
monitoring su command use, 256, 301 SAC, , see Service Access Controller,
restricting, 260, 300 sacadm command
root file, 414, 415, 435, 444 adding a ttymon port monitor with, 231
root login disabling a ttymon port monitor with, 233
account enabling a ttymon port monitor with, 234
access restrictions, 300 (explained), 225
described, 253 killing a ttymon port monitor with, 233
restricting to console, 300 listing a ttymon port monitor with, 231
tracking, 256 removing a ttymon port monitor with, 234
RPC, 539, 540 starting a ttymon port monitor with, 233
[Link] file, 447, 460, 461 sadc command, 528, 529, 531
[Link] file, 456 sadcnt parameter, 546
RS-232-C, , see serial port, sadd file, 529 to 531
rsh program, 255 SAF, , see Service Access Facility,
RT_DPTBL loadable module, 554, 555, 558, 561 sar command, 507, 528, 529, 531
rt_dptbl parameter table, 554, 555, 558, 561, options listed, 530, 531
562 overview, 473, 507, 529
rt_maxpri parameter, 558 -a option (file access), 507, 508
runacct command, 456, 461 -A option (overall performance), 528, 530
caution, 458 -a option (file access), 530
crontab entry that runs, 456 -b option (buffers), 508, 509, 530
diagnostics file, 456 -c option (system calls), 510, 530
error messages, 439 -d option (block devices), 511, 512, 530
error protection, 456
Index-689
 -e option (ending time), 530 designating, 491, 492
-f option (file to extract data from), 530 displaying information on, 482, 490, 491
-g option (page-out/memory freeing), 513, priority levels and, 472, 473, 490 to 492,
514, 530 551, 552
-i option (interval), 530 scheduling policies and, 472, 473, 552, 553
-k option (kernel memory), 515, 516, 530 types of, 472, 473
-m option (interprocess scheduling one-time system events, 363, 413,
communication), 517, 530 425, 426, 430
-p option (page-in/page faults), 518, 519, scheduling repetitive system events, 363, 413,
530 422, 424
-q option (queue), 520, 521, 530 SCSI disk drives, 513
-r option (unused memory), 521, 522, 530 search path
-s option (starting time), 530 files for setting, 592
-u option (CPU usage), 522, 523, 530 searching
-v option (system tables), 523, 524, 530 files with setuid permissions, 277, 278
-w option (swapping/switching .rhosts files, 179
volume), 525, 526, 530 users logged in to remote system, 181
-y option (terminal activity), 530 secret key
saving changing, 305
crash dump information, 577 database, 305
failed login attempts, 294, 295 decrypting, 305
Schedule undefined for periodic invocation generating, 305
message, 354 secure access, 314
scheduler, 551, 563 secure NIS+, adding a user, 312
activation, 552 Secure RPC, 304
configuration of, 554, 563 implementation of, 305
global priorities and, 552, 555, 556 Secure RPC authentication, 258
overview, 551, 552 security, 169
scheduling classes and, 551 to 553 at command, 425
time slices used by, 553, 558, 560 copy operation issues, 191
tunable parameters, 556, 558 crontab command, 422
scheduler, , see print scheduler, DH authentication
scheduling ASET execution AUTH_DH client-server session, 305,
(PERIODIC_SCHEDULE), 332, 308
342, 346, 347, 351 /etc/[Link] file issues, 174
scheduling class tables, 558, 563 .rhosts file issues, 175, 179
maxclsyspri parameter and, 557 selectable character sets, 92, 93, 98, 99
overview, 558 seminfo_xxxxxx parameters, 377, 548
rt_dptbl parameter table, 554, 555, 558, serial port
561, 562 adapter board, 203
rt_maxpri parameter and, 558 defined, 202
ts_dptbl parameter table, 553, 555, 558, 560 Serial Port Manager, 204
ts_kmdpris table, 558, 563 Modify window field descriptions, 208
scheduling classes, 472, 473, 490, 495 prerequisites for running, 213
changing, 493, 494, 552 starting, 213
changing priority of, 490 to 492, 495 when to use, 204
defaults, 491, 553 serial printer, adding to system, 23
described, 472, 473
Index-690 System Administration Guide, Volume II ♦ October 1998
servers share command, 260
AUTH_DH client-server session, 305, 308 shared memory
displaying information about, 533, 540, increasing number of segments, 371, 377
542 interprocess communication
scheduling policies and, 553 parameters, 548
tracing client calls to, 533, 536 process virtual memory, 469
Service Access Controller, 225 shared memory record table, 523, 524
Service Access Facility sharing files (network security), 260
description, 204 shell, 452
files associated with (table), 239 shell programs, 245
overview of, 206, 223 ASET security level specification, 345
programs associated with (table), 224 ASET working directory specification, 345
services controlled by /etc/d_passwd file entries, 297, 298
states of (table), 242 shminfo_xxxxxx parameters, 377, 548
uses for, 206, 223 showing, , see displaying\x0d,
when to use, 204 shutacct command, 446, 447
service times, 505, 512 shutdown command, 447
set-group identification permissions, , see shutdowns, 446 to 448
setgid permissions\x0d, signal actions, 470, 484
set-user identification permissions, , see setuid simple file content type, 26
permissions\x0d, size
setenv command directory, 387, 389
ASET security level specification, 345 file, 384, 385, 387, 389
ASET working directory specification, 345 system table, 523, 524
setfacl command sleeping processes, 553, 560, 563
adding ACL entries, 286 slow print filters, 117
deleting ACL entries, 287 snoop command, 533, 536
described, 252 soft limit time
examples, 284, 287 changing, 407, 408
modifying ACL entries, 286 exceeding, 407
setting ACL entries, 283, 285 software administration
syntax, 283 adding packages
setgid permissions troubleshooting, 661
absolute mode, 272, 276 removing packages
described, 266 troubleshooting, 661
symbolic mode, 272 troubleshooting, 661
setting software locks, 518
alerts to mount font cartridges, 96 Solaris environment, 18
alerts to mount print wheels, 96 Solstice AdminSuite software, 258
alias for selectable character set, 98, 99 Solstice DiskSuite, 473
setuid permissions Solstice Printer Manager, 7
absolute mode, 272, 276 [Link] file, 456, 458
described, 265 space (disk)
finding files with permissions set, 278 amount of free, 381, 506
security risks, 266 optimizing usage, 381, 394
symbolic mode, 272 spooling directory
setuid programs, 250 creating for a printer, 616
sh program, 297, 298
Index-691
 print service, 157 su file
spooling space required for print server, 20 displaying su command use on
spray command, 533 to 535 console, 301, 302
stack trace, 470, 484 monitoring su command, 301
standard printer interface program, 132 sulog file, 256, 301
starting SunOS 5.7, 18
Admintool, 35 SunOS operating systems, 18
ASET SVR4 LP print spooler, 53
initiating sessions from shell, 332 swap areas
running interactively, 350 adding, 475
lpd daemon, 612 defined, 475
print scheduler, 66 displaying information on, 498, 521, 522
startup command, 445 unused disk blocks, 521, 522
statefile file, 440, 456, 459 swapping
states, (runacct command), 456 defined, 475
status displaying information on, 501, 520, 522,
of print requests, 79 525, 526, 530
of printer, 63, 79 LWPs, 475, 520, 525
statvfs structure, 381 minimum memory to avoid deadlock, 549
sticky bit permissions priority of, 472
absolute mode, 272, 276 reducing, 473
described, 266 switching
symbolic mode, 272 displaying information on, 525, 526, 530
stopping symbolic links
dial-up logins temporarily, 300 file permissions, 264
ftp command interpreter, 184 latest directory (ASET), 337
print scheduler, 65 symbolic mode
printer, 81 changing file permissions, 272, 276, 277
processes temporarily, 470, 487 described, 271
strctlsz parameter, 546 synchronizing command-reply sequencing
STREAMS with remote ftp server, 184
KMA resources and, 515 synchronizing date and time with another
parameters, 546 system, 373
strmsgsz parameter, 546 syntax (crontab files), 416
strthresh parameter, 546 sys file, 415, 529, 531
structures sys login account, 253
process, 469, 482 sysadmin group, 35
quota, 476, 477 [Link] file, 334, 337, 338
statvfs, 381 sysdef command, 543
stty option, 123 [Link] file, 572
stty settings syslogd daemon, 571
customizing, 129 system activities
defaults, 122, 125, 621, 622 automatic collection of data on, 528, 531
suggestions for, 623, 626 list of activities tracked, 477
troubleshooting, 600 manual collection of data on, 507, 528,
su command 529, 531
displaying use on console, 301, 302
monitoring use, 256, 301
Index-692 System Administration Guide, Volume II ♦ October 1998
system authentication for remote logins, 172, special logins, 253, 254
173, 177 su command monitoring, 256, 301
system calls system tables
displaying information on, 498, 510, 530 checking status, 524, 530
system events space allocation for, 476
displaying information on, 500 sys_name parameter, 557
scheduling
one-time events, 363, 413, 425, 426,
T
430
repetitive events, 363, 413, 422, 424 tab settings, 601
system exit status, 454 tacct file, 439, 456, 460, 461
system logging (customizing), 572 [Link] file, 439, 456, 460
system messages [Link] file, 439
specifying storage location for, 571 tacctn file, 461
system mode (CPU), 500, 503, 522 tacctprev file, 460
system processes TASKS variable
described, 472 configuring ASET, 341, 347
priority of, 472, 473, 552, 553, 555, 557 described, 344
real-time processes and, 552 error messages, 354
scheduling policies for, 553, 555 taskstat utility (ASET), 333, 336
timesharing processes and, 552 TCP protocol, 537
system resources TCP/IP traffic, 533, 536, 537
allocating for print server, 20 technical support, 568, 578
critical, 563 templates (print filters), 139
monitoring, 362, 426 temporary directories, 389, 392
accounting, 433, 440, 443 terminal
accounting system for, 461 alphanumeric, 202
automatic, 363, 426 defined, 202
crashes, 572, 587 distinctions between types of, 202
quotas, 395, 405 terminal characteristics, 129
overview, 467, 476 terminals
system security, 252, 291, 301 displaying I/O information for, 503, 526,
dial-up passwords, 295, 298 528, 530
basic sequence, 296 line usage monitoring, 443, 444, 448, 449,
disabling dial-up logins 456, 459, 461
temporarily, 300 menu items in Serial Port Manager, 210
/etc/dialups file, 296 overview of Serial Port Manager, 207
/etc/d_passwd file, 296 to 298 process controlling, 482
displaying setting up, 214
user’s login status, 291, 292 tools for managing, 204
users with no passwords, 293 troubleshooting bad lines, 449, 461
login access restrictions, 253 terminfo database
overview, 247, 252 character set names, 92
passwords, 254 terminfo entry
restricted shell, 255 adding, 124
restricting root login to console, 300 for unsupported printer, 127
root access restrictions, 260, 300 list of required items, 124, 125
saving failed login attempts, 294, 295
Index-693
 selectable character sets in, 92 total command summary, 447, 453, 460, 461
testing packet reliability, 533 TOTAL REAL-MIN column (daily command
tilde (~) summary), 452
abbreviated pathnames, 191, 192 tracing flags, 470, 484
rcp command syntax, 194, 197 TranScript filters, 101
time translation page faults, 518
changing, 371, 373 transmitter hardware interrupts, 526, 527
CPU usage, 450, 482, 496, 498, 503, 522, traps, 498
523, 530 trees, 470, 484, 486
disk slowdowns, 473, 523 troff filter to convert to PostScript, 143
displaying, 367, 370 Trojan horse, 249, 250
process timing, 484 troubleshooting, 601
processes accumulating large amounts of networks, 539, 542
CPU time, 496 printing problems, 597, 628
service, 505, 512 processes, 450, 496, 497
soft limit, 407, 408 software package
synchronizing with another system, 371, installation/removal, 661
373 tty lines, 449, 461
time slices, 553, 558, 560 trusted hosts, 258
timesharing parameter table, 558, 560 trusting network environment
default, 559 remote login
fields, 560 authentication process, 173
overview, 553, 558, 559 process after logging in, 178, 179
sample, 559 TS_DPTBL loadable module, 553, 555, 557,
scheduler configuration changes and, 555 558, 563
timesharing processes ts_dptbl parameter table, 553, 555, 558, 560
changing scheduling parameters, 492 ts_kmdpris parameter table, 558, 563
described, 472 ts_maxupri parameter, 557
overview, 473 tty lines
priority of displaying I/O information for, 503, 526,
changing, 492, 494, 495 528, 530
global, 555, 560 troubleshooting bad lines, 449, 461
overview, 472, 473, 490, 552 usage monitoring, 443, 444, 448, 449, 456,
parameters controlling, 560 459, 461
range of, 490, 557 ttyadm command, 230
real-time processes and, 552, 554 ttymon command, 228, 444
scheduling policies for, 472, 473, 552, 553, ttymon port monitor
555 adding, 231
sleeping, 560, 563 bidirectional modem service and, 228
system processes and, 552 disabling, 233
/tmp directory, clearing out, 389, 392 enabling, 234
/tmp file system, 383 (figure), 227
/tmp/[Link] file, 456 killing, 233
tmpfs file system, 266 listing, 231
tmpwtmp file, 456, 459, 461 overview of function of, 226
tools removing, 234
process, 470, 484 starting, 233
system performance monitoring, 478, 531
Index-694 System Administration Guide, Volume II ♦ October 1998
ttymon service UNIX systems (crash information), 577
adding, 235 unmounting
disabling, 239 font cartridges, 95
enabling, 238 forms, 108
listing, 236 print wheels, 95
ttys (pseudo) unsupported printers, 28, 124
changing number of, 371, 376 Usage: aset message, 354
number configured, 550 user
tune files (ASET) access to printer
described, 339, 342 ability to limit with Admintool, 22
example files, 348 limiting with Admintool, 75
format, 348 limiting with lpadmin command, 75
modifying, 342 canceling print requests for, 87
rules, 348 user accounts
[Link] file, 333, 337, 338 ASET check, 334
tune_t_flckrec parameter, 549 displaying login status, 291, 292
tune_t_fsflushr parameter, 549 user ACL entries
tune_t_gpgslo parameter, 549 default entries for directories, 282
tune_t_minarmem parameter, 549 described, 281
tune_t_minasmem parameter, 549 setting, 283, 285
tuning user allocation, 388, 389
daily command summary and, 451 user classes of files, 264
kernel parameters, 548, 550, 556, 558 user facility, 573
turnacct switch command, 446, 456 user fees, 437, 446, 450
turning off user logins
quotas, 398, 410 last login monitoring, 453, 456, 461
turning on number of logins, 450
quotas, 398, 402, 403 time monitoring, 443, 444, 450, 456
user mode (CPU), 499, 503, 522
user names
U
current user, 192
UDP protocol, 537 direct vs. indirect logins (rlogin), 176, 177
UFS file systems finding users logged in to remote
displaying information about system, 181
space usage, 383 user processes
user allocation, 388, 389 changing priority, 494, 495
UFS parameters, 476, 477, 545 CPU usage by, 450
ufs_ninode parameter, 476, 477, 545 in kernel mode, 553
uid_aliases file maximum per user-id, 476, 477
described, 339 number per user, 371, 375, 376
specifying, 342 priority of, 472, 473, 490
UID_ALIASES variable user quotas
aliases file specification, 342, 347 changing for individual users, 408, 409
described, 339, 344 checking for exceeded, 404
umask, 267 disabling for individual users, 409, 410
UMASK environment variable, 335 setting up, 400, 401
uname command, 368, 369 soft limit time, 407
UNIX processes (priority), 472

Index-695
user structure, 469 /var/adm/acct directory, 459
user-mode daemon for kerberos, 309 /var/adm/acct/fiscal directory, 461
user-mode priority, 490 /var/adm/acct/fiscal directory, 459
users (maximum number), 476 /var/adm/acct/nite directory, 459
usr cache name, 502 /var/adm/acct/nite/active file, 439, 456, 459
/usr/adm directory, 568, 571 /var/adm/acct/nite/[Link] file, 456,
/usr/adm/messages file, 568, 572 459
/usr/adm/messages.n file, 571 /var/adm/acct/nite/cms file, 456, 459
/usr/adm/sa directory, 528 /var/adm/acct/nite/[Link] file, 456,
/usr/aset directory, 332 459
/usr/aset/asetenv file /var/adm/acct/nite/ctmp file, 459
described, 340, 351, 354 /var/adm/acct/nite/daycms file, 456, 459,
/usr/aset/masters/tune files 461
described, 339, 342, 348 /var/adm/acct/nite/daytacct file, 450, 456,
/usr/aset/masters/uid_aliases file, 339 459, 461
/usr/aset/reports directory /var/adm/acct/nite/disktacct file, 445, 446,
structure, 336, 337 456, 459
/usr/aset/reports/latest directory, 337 /var/adm/acct/nite/[Link]
/usr/lib/acct/[Link] command, 456 file, 456
/usr/lib/acct/startup command, 445 /var/adm/acct/nite/fd2log file, 439, 456, 459
/usr/lib/lp directory, 101 /var/adm/acct/nite/lastdate file, 456, 459
/usr/lib/lp/model directory, 163 /var/adm/acct/nite/lineuse file, 456, 459, 461
/usr/lib/lp/model/netstandard file, 6 /var/adm/acct/nite/lock file, 439, 456, 459
/usr/lib/lp/postscript directory, 100, 162 /var/adm/acct/nite/lock1 file, 456
/usr/lib/sa/sa1 command, 528, 529 /var/adm/acct/nite/log file, 459
/usr/lib/sa/sa2 command, 528, 529 /var/adm/acct/nite/[Link] file, 459
/usr/lib/sa/sadc command, 528, 529, 531, 533 /var/adm/acct/nite/owtmp file, 460
/usr/proc/bin directory, 470, 484 /var/adm/acct/nite/reboots file, 456, 459
/usr/sbin/crash utility, 570, 581, 582 /var/adm/acct/nite/statefile file, 440, 456,
/usr/spool/cron/atjobs directory, 364 459
[Link] file /var/adm/acct/nite/tmpwtmp file, 456, 459,
described, 334, 337 461
example, 338 /var/adm/acct/nite/[Link] file, 438,
format, 338 456, 460
/usr/sbin/kerbd daemon, 309 /var/adm/acct/nite/wtmperror file, 459
utmp2wtmp command, 456 /var/adm/acct/nite/[Link]
uucico program, 297, 298 file, 459
uucp login account, 253 /var/adm/acct/nite/xwtmp file, 438
UUCP program, 253 /var/adm/acct/sum directory, 446, 459, 460
/var/adm/acct/sum/cms file, 456, 460, 461
/var/adm/acct/sum/cmsprev file, 460
V
/var/adm/acct/sum/daycms file, 456, 460,
validity faults, 518 461
/var partition, 20 /var/adm/acct/sum/loginlog file, 456, 460,
/var/adm directory 461
controlling size of, 391, 458 /var/adm/acct/sum/[Link] file, 446,
controlling size of, 568, 571 461
raw accounting data in, 445

Index-696 System Administration Guide, Volume II ♦ October 1998

/var/adm/acct/sum/[Link] file, 456 described, 306
/var/adm/acct/sum/tacct file, 439, 456, 460, returned to client, 307
461 window, 306
/var/adm/acct/sum/[Link] file, 439, verifying
456, 460 at jobs, 427
/var/adm/acct/sum/[Link] file, 439 crontab file existence, 418
/var/adm/acct/sum/tacctprev file, 460 quotas, 397, 403, 408
/var/adm/acct/sum/xtacct file, 439 remote system operation, 180
/var/adm/dtmp file, 458 vfstab file, quotas and, 399, 402
/var/adm/fee file, 437, 446, 456, 458 viewing, , see displaying\x0d,
/var/adm/loginlog file virtual caches, 502
overview, 294, 295 virtual memory
/var/adm/messages file, 568, 572 displaying information on, 367, 370, 498
/var/adm/messages.n file, 571 process, 469
/var/adm/sa/sadd file, 530, 531 viruses, 245
/var/adm/sa/sadd file, 529 Trojan horse, 249, 250
/var/adm/[Link] file, 456, 458 vmstat command, 498
/var/adm/sulog file, 256, 301 fields in reports from, 498, 500, 501
/var/crash directory, 393 overview, 498
/var/lp/logs directory, 163 -c option (cache flushing), 502
/var/lp/logs/lpsched file, 163, 599 -i option (interrupts), 502
/var/spool directory, 389, 392 -s option (system events), 500
/var/spool/cron/atjobs directory, 364, 413, -S option (swapping), 501
415
/var/spool/cron/crontab directory, 415
W
/var/spool/cron/crontabs/adm file, 415
/var/spool/cron/crontabs/lp file, 163 wait mode (CPU), 503, 522
/var/spool/cron/crontabs/root file, 414, 415, waiting
444 for disk transfer requests, 512
/var/spool/cron/crontabs/lp file, 415, 529, for processes, 487, 560
531 Warning! Duplicate ASET execution scheduled
/var/spool/lp directory, 20, 157 message, 354
/var/spool/lp/requests directory, 153 “WARNING: ” message, 662
/var/spool/lp/tmp directory, 153 Watchdog reset ! message, 570
/var/tmp directory, 389, 392 weekly tasks, scheduling with crontab, 363
/var/tmp/deadfiles file, 391 wildcard characters, 348
variables window verifier, 306
ASET environment variables, 344, 348 working directory
ASETDIR, 345 defined, 192
ASETSECLEVEL, 345 ftp commands, 184
CKLISTPATH_level, 339, 341, 347 write permissions
PERIODIC_SCHEDULE, 342, 346, 347, symbolic mode, 272
351 write system call
summary table, 344 statistics on, 452, 454, 510
TASKS, 341, 347 writes, 505, 508, 512
UID_ALIASES, 339, 342, 347 wtmp file
YPCHECK, 342, 347 daily report and, 448
verifiers
Index-697
 fixing corrupted, 438, 456 xwtmp file, 438
overview, 438, 444, 445, 456
shutdowns and, 447
Y
[Link] file, 438, 456, 460
wtmperror file, 459 YPCHECK variable
[Link] file, 459 described, 344
wtmpfix command, 438, 456, 459 specifying system configuration file
tables, 342, 347

X
xtacct file, 439

Index-698 System Administration Guide, Volume II ♦ October 1998