Software Distributor Administration Guide for HP-UX 11i
Troubleshooting
Common Problems
Do Not Modify ACL Files Without swacl
Since SD-UX stores ACLs in the file system as plain text files, you may
try to edit them with a conventional editor. This can lead to unexpected
corruption of the ACL. Most cases of this corruption simply result in a
message indicating the corruption, but inserting additions to the ACL
file without updating the num_entries value can result in unreported
problems and cause SD-UX to deny access. A common failure could occur,
for instance, if you inserted a user entry in the ACL file. This could push
the any_other entry down beyond the num_entries limit. The ACL
manager would never read the any_other entry, and you would have
access problems. The best guard against this situation is to always use
the swacl command to manipulate ACLs.
Inter-host Secrets
The default /var/adm/sw/security/secrets file contains a single
entry:
default -sdu-
If you wish to explicitly name all hosts from which controllers can be run,
you must replace the -sdu- with a different default secret, or eliminate
the entire entry. See Chapter 9, “SD-UX Security,” on page 255 for a
thorough discussion of the secrets file.
The controller (for swinstall, swcopy, etc.) looks up the secret for the
system on which it runs and passes it in an encrypted form to its agent.
The agent receiving a request from the controller looks up the secret for
the host from which the call comes, encrypts it, and compares the
encryption to that provided by the controller. If the two secrets do not
match, access is denied. If you have problems with this mechanism,
make sure that all systems have matching entries. You can also revert to
the old secrets file (/etc/newconfig/sd/secrets on 9.x and
/usr/newconfig/var/adm/sw/security/secrets on 10.x) on all hosts,
or simply copy a single secrets file to all hosts.
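The comparison described above can be checked offline against copies of the secrets files gathered from each host. The script below is an added example, not part of the HP guide or of SD-UX. It assumes each line has the form "<host> <secret>", that an exact host entry takes precedence over the default entry, and that lines starting with # are comments; the host names and secrets are constructed.

```shell
#!/bin/sh
# Added example, not HP code. Assumes each secrets line is "<host> <secret>",
# with the host name "default" as the fallback, as in the shipped entry.

# lookup_secret FILE HOST -> prints the secret FILE assigns to HOST
# (exact host entry wins, else the default entry); returns 1 if neither exists.
lookup_secret() {
    awk -v host="$2" '
        NF < 2 || $1 ~ /^#/ { next }    # skip blank/short lines; "#" comments are an assumption
        $1 == host      { secret = $2; hit = 1 }
        $1 == "default" { fallback = $2; hasdef = 1 }
        END {
            if (hit)         print secret
            else if (hasdef) print fallback
            else             exit 1
        }' "$1"
}

# check_pair CONTROLLER_FILE AGENT_FILE CONTROLLER_HOST
# Mirrors the comparison in the text: both sides look up the secret for the
# controller's host. Prints a verdict, never the secret itself.
# Returns 0 = match, 1 = mismatch, 2 = one side has no usable entry.
check_pair() {
    c=$(lookup_secret "$1" "$3") || { echo "$3: no entry in controller file"; return 2; }
    a=$(lookup_secret "$2" "$3") || { echo "$3: no entry in agent file"; return 2; }
    if [ "$c" = "$a" ]; then echo "$3: match"; return 0; fi
    echo "$3: MISMATCH (agent will deny access)"; return 1
}

# Constructed sample files (hypothetical hosts ctl1/ctl9, made-up secrets).
demo_dir="${TMPDIR:-/tmp}/sd_secrets_demo.$$"
mkdir -p "$demo_dir"
printf 'default -sdu-\nctl1 s3cretA\n' > "$demo_dir/ctl1.secrets"   # controller copy
printf 'default -sdu-\n'               > "$demo_dir/agt1.secrets"   # agent: default only
printf 'ctl1 s3cretA\n'                > "$demo_dir/agt2.secrets"   # agent: explicit host, no default

check_pair "$demo_dir/ctl1.secrets" "$demo_dir/agt1.secrets" ctl1 || :  # host entry vs. default
check_pair "$demo_dir/ctl1.secrets" "$demo_dir/agt2.secrets" ctl1 || :  # same explicit entry
check_pair "$demo_dir/ctl1.secrets" "$demo_dir/agt2.secrets" ctl9 || :  # agent has no fallback
rm -rf "$demo_dir"
```

The first sample pair shows the failure that appears when a host entry is added on the controller but the agent still has only the default entry.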
Working With Depot Images
You may encounter a problem in using cp, tar, cpio, dd, and other
commands to copy images of depots for use on other systems. Depot and
product ACLs in the image have built-in knowledge of the host on which
the depot originated. In particular, an ACL default realm will be wrong
and local users will be confused with users on the originating host. For