|Oracle Solaris Trusted Extensions Configuration and Administration Oracle Solaris 11 Express 11/10|
The following task map describes tasks to debug your network.
Use this procedure if your system does not communicate with other hosts as expected.
You must be in the global zone in a role that can check network settings. The Security Administrator role and the System Administrator role can check these settings.
The following output shows that the system has two network interfaces, bge0 and bge0:0. Neither interface is up.
# ipadm show-addr
...
ADDROBJ          TYPE     STATE      ADDR
bge0/static1     static   disabled   192.168.0.11/24
bge0:0/static1   static   disabled   192.168.0.12/24
The following output shows that both interfaces are up.
# ipadm enable-if bge0
# ipadm show-addr
...
ADDROBJ          TYPE     STATE      ADDR
bge0/static1     static   ok         192.168.0.11/24
bge0:0/static1   static   ok         192.168.0.12/24
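The following POSIX shell script is an added example and is not part of the Oracle documentation. It applies the check above to the text that ipadm show-addr prints: every address object whose STATE column is not "ok" is reported, and the physical interface names behind those address objects are collected so the administrator knows which interfaces to pass to ipadm enable-if. The SAMPLE_IPADM text is a constructed sample modelled on the output shown above; on a real system, pipe the live command into find_down_addrs instead.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): report address objects
# that are not in state "ok" in `ipadm show-addr` output.
# SAMPLE_IPADM is a constructed sample modelled on the page's output; on a
# real system replace it with the live output of: ipadm show-addr
SAMPLE_IPADM='ADDROBJ          TYPE     STATE      ADDR
lo0/v4           static   ok         127.0.0.1/8
bge0/static1     static   disabled   192.168.0.11/24
bge0:0/static1   static   disabled   192.168.0.12/24
net1/v4          dhcp     ok         10.0.0.5/24'

# find_down_addrs: reads `ipadm show-addr` text on stdin and prints
# "<addrobj> <state>" for every address object whose STATE is not ok.
# The header line and any "..." filler lines are skipped.
find_down_addrs() {
    awk '$1 != "ADDROBJ" && NF >= 4 && $3 != "ok" { print $1, $3 }'
}

# count_down_addrs: number of address objects in the sample that are not ok.
count_down_addrs() {
    printf '%s\n' "$SAMPLE_IPADM" | find_down_addrs | wc -l | tr -d ' '
}

# interfaces_to_enable: the physical interface behind each non-ok address
# object (the part before "/", with any ":n" logical suffix removed), so
# that "bge0/static1" and "bge0:0/static1" both map to bge0.
interfaces_to_enable() {
    printf '%s\n' "$SAMPLE_IPADM" | find_down_addrs \
        | awk '{ split($1, a, "/"); sub(/:.*/, "", a[1]); print a[1] }' \
        | sort -u
}

# Stand-alone run: list what is down, then the interfaces to enable.
printf '%s\n' "$SAMPLE_IPADM" | find_down_addrs
interfaces_to_enable
```

With the constructed sample, find_down_addrs reports the two bge0 address objects and interfaces_to_enable prints a single line, bge0, which is the argument the page passes to ipadm enable-if.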
To debug two hosts that should be communicating but are not, you can use Trusted Extensions and Oracle Solaris debugging tools. For example, Oracle Solaris network debugging commands such as snoop and netstat are available. For details, see the snoop(1M) and netstat(1M) man pages. For commands that are specific to Trusted Extensions, see Appendix D, List of Trusted Extensions Man Pages.
For problems with contacting labeled zones, see Managing Zones (Task Map).
For debugging NFS mounts, see How to Troubleshoot Mount Failures in Trusted Extensions.
You must be in the global zone in a role that can check network settings. The Security Administrator role or the System Administrator role can check these settings.
Use the command line to check that the network information in the kernel is current. Check that the assignment in each host's kernel cache matches the assignment on the other hosts on the network.
$ tninfo -h hostname
IP Address: IP-address
Template: template-name

$ tninfo -t template-name
template: template-name
host_type: one of CIPSO or UNLABELED
doi: 1
min_sl: minimum-label
hex: minimum-hex-label
max_sl: maximum-label
hex: maximum-hex-label

$ tninfo -m zone-name
private: ports-that-are-specific-to-this-zone-only
shared: ports-that-the-zone-shares-with-other-zones
To change or check network security information, use the trusted network databases. To verify the syntax of the databases, use the tnchkdb command.
To update the kernel cache, restart the tnctl service on the host whose information is out of date. Allow some time for this process to complete.
Rebooting clears the kernel cache. At boot time, the cache is populated with database information. The nsswitch.conf file determines that local databases are used to populate the kernel.
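The following POSIX shell script is an added example and is not part of the Oracle documentation. It automates the comparison described in the steps above: the template that a host's kernel cache reports for each remote host (tninfo -h output, collected once per host) is compared against the tnrhdb entries the network is supposed to share, and any host whose cached assignment no longer matches the database is listed, which is the condition under which the tnctl service on that host should be restarted. The TNRHDB, CACHE_CURRENT and CACHE_STALE texts are constructed samples; the "address:template" line format is the tnrhdb database format, and the two-line "IP Address:" / "Template:" shape is the tninfo -h output shown above.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Compares the template a
# host's kernel cache reports for each remote host (`tninfo -h` output, one
# host after another) with the shared tnrhdb entries and lists the hosts
# whose cached assignment is stale. All inputs are constructed samples.

# Constructed tnrhdb-style entries, "address:template": the intended state.
TNRHDB='192.168.0.11:cipso
192.168.0.12:cipso
192.168.0.20:admin_low'

# Constructed `tninfo -h` output collected on a host whose cache is current.
CACHE_CURRENT='IP Address: 192.168.0.11
Template: cipso
IP Address: 192.168.0.12
Template: cipso
IP Address: 192.168.0.20
Template: admin_low'

# Constructed `tninfo -h` output collected on a host whose tnctl service was
# not restarted after tnrhdb changed: it still maps 192.168.0.20 to cipso.
CACHE_STALE='IP Address: 192.168.0.11
Template: cipso
IP Address: 192.168.0.12
Template: cipso
IP Address: 192.168.0.20
Template: cipso'

# stale_entries DBTEXT CACHETEXT
# Prints "address cached=X db=Y" for every address whose cached template
# differs from the database entry. Addresses without an explicit tnrhdb line
# are skipped: on a real system they fall back to a network or wildcard
# entry, which this example does not model.
stale_entries() {
    {
        printf '%s\n' "$1" | sed 's/^/DB /'
        printf '%s\n' "$2" | sed 's/^/CACHE /'
    } | awk '
        $1 == "DB" && NF == 2 {
            key = $2;  sub(/:[^:]*$/, "", key)    # address part of "addr:tmpl"
            tmpl = $2; sub(/.*:/, "", tmpl)       # template part
            db[key] = tmpl; next
        }
        $1 == "CACHE" && $2 == "IP" && $3 == "Address:" { ip = $4; next }
        $1 == "CACHE" && $2 == "Template:" && (ip in db) && db[ip] != $3 {
            print ip, "cached=" $3, "db=" db[ip]
        }'
}

# cache_is_current DBTEXT CACHETEXT: exit status 0 when no entry is stale,
# so a wrapper can decide whether the tnctl service on that host needs a
# restart.
cache_is_current() {
    [ -z "$(stale_entries "$1" "$2")" ]
}

# Stand-alone run: show what is stale on the second host.
stale_entries "$TNRHDB" "$CACHE_STALE"
```

With the constructed samples the current host produces no output, while the stale host produces one line, "192.168.0.20 cached=cipso db=admin_low", pointing at exactly the host and template that differ. On a real system the cache text would be gathered by running tninfo -h for each address listed in the database.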
Use the get subcommand of the route command.
$ route get [ip] -secattr sl=label,doi=integer
For details, see the route(1M) man page.
Use the snoop -v command.
The -v option displays the details of packet headers, including label information. This command provides a lot of detail, so you might want to restrict the packets that the command examines. For details, see the snoop(1M) man page.
Use the -R option together with netstat -a or netstat -r.
The -aR option displays extended security attributes for sockets. The -rR option displays routing table entries. For details, see the netstat(1M) man page.
Misconfiguration of the client entry on the LDAP server can prevent the client from communicating with the server. Similarly, misconfiguration of files on the client can prevent communication. Check the following entries and files when attempting to debug a client-server communication problem.
You must be in the Security Administrator role in the global zone on the LDAP client.
# tninfo -h LDAP-server
# route get LDAP-server
# tninfo -h gateway-to-LDAP-server
If a remote host template assignment is incorrect, assign the host to the correct template.
Your system, the interfaces for the labeled zones on your system, the gateway to the LDAP server, and the LDAP server must be listed in the /etc/hosts file. You might have more entries.
Look for duplicate entries. Remove any entries that are labeled zones on other systems. For example, if Lserver is the name of your LDAP server, and LServer-zones is the shared interface for the labeled zones, remove LServer-zones from /etc/hosts.
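The following POSIX shell script is an added example and is not part of the Oracle documentation. It runs the /etc/hosts checks from the two steps above against a constructed hosts file: every required name (the system, its labeled-zone interface, the gateway and the LDAP server) must resolve, exact duplicate entries are reported, and entries for labeled-zone interfaces that belong to other systems are listed for removal. The "-zones" naming convention used to recognise labeled-zone interfaces is an assumption taken from the LServer-zones example above, not a Trusted Extensions rule; the HOSTS_FILE text and the LOCAL_IPS list are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Checks a hosts file for
# required entries, exact duplicates and labeled-zone interfaces of other
# systems. The "-zones" suffix is an assumed naming convention taken from
# the page's LServer-zones example.

# Constructed /etc/hosts content for a client whose own addresses are
# 192.168.0.11 (global zone) and 192.168.0.12 (labeled-zone interface).
HOSTS_FILE='# constructed sample
127.0.0.1       localhost
192.168.0.11    client        client.example.com
192.168.0.12    client-zones
192.168.0.1     gateway
192.168.0.20    Lserver
192.168.0.21    LServer-zones   # labeled zones on the LDAP server itself
192.168.0.20    Lserver'
LOCAL_IPS='192.168.0.11 192.168.0.12'

# hosts_entries HOSTSTEXT: strip comments and blank lines, keep
# "address name [alias ...]" lines.
hosts_entries() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk 'NF >= 2'
}

# duplicate_entries HOSTSTEXT: entries that occur more than once, compared
# after whitespace is normalised so spacing differences do not hide them.
duplicate_entries() {
    hosts_entries "$1" | awk '{ $1 = $1; print }' | sort | uniq -d
}

# missing_required HOSTSTEXT NAME...: print each NAME that no entry (name or
# alias) resolves.
missing_required() {
    text=$1; shift
    for name in "$@"; do
        hosts_entries "$text" | awk -v n="$name" '
            { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
            END { exit !found }' || echo "$name"
    done
}

# foreign_zone_entries HOSTSTEXT LOCALIPS: "-zones" entries whose address
# is not one of this system's own addresses, i.e. labeled-zone interfaces
# of other systems, which the step says to remove.
foreign_zone_entries() {
    hosts_entries "$1" | awk -v own="$2" '
        BEGIN { n = split(own, a, " "); for (i = 1; i <= n; i++) mine[a[i]] = 1 }
        $2 ~ /-zones$/ && !($1 in mine) { print $1, $2 }'
}

# Stand-alone run against the constructed sample.
duplicate_entries "$HOSTS_FILE"
missing_required "$HOSTS_FILE" client client-zones gateway Lserver
foreign_zone_entries "$HOSTS_FILE" "$LOCAL_IPS"
```

With the constructed sample, duplicate_entries reports the repeated Lserver line, missing_required prints nothing because all four required names resolve, and foreign_zone_entries reports 192.168.0.21 LServer-zones, the entry the step above says to remove.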
# more resolv.conf
search list of domains
domain domain-name
nameserver IP-address
...
nameserver IP-address
# ldaplist -l tnrhdb client-IP-address
# ldaplist -l tnrhdb client-zone-IP-address
# ldapclient list
...
NS_LDAP_SERVERS= LDAP-server-address
# zlogin zone-name1 ping LDAP-server-address
LDAP-server-address is alive
# zlogin zone-name2 ping LDAP-server-address
LDAP-server-address is alive
...
# zlogin zone-name1
# ldapclient init \
    -a profileName=profileName \
    -a domainName=domain \
    -a proxyDN=proxyDN \
    -a proxyPassword=password LDAP-Server-IP-Address
# exit
# zlogin zone-name2
...
# zoneadm list
# zoneadm -z zone-name halt
# lockfs -fa
# reboot