topic Re: Win2k3 SP1 + SIM4.2 SP1 + active directory = ugh in Server Management - Systems Insight Manager

Win2k3 SP1 + SIM4.2 SP1 + active directory = ugh

Tom Pepper — Wed, 06 Apr 2005 06:04:58 GMT

Some pointers on installing SIM4.2 on top of a Windows 2003 environment with active directory running:

1) you *have* to install SIM server while logged in as a *local* administrator. installing as a anything else (domain admin/user/whatever) will screw up HP's OpenSSH.

2) if your home folder for said local administrator is anything other than c:\documents and settings\Administrator, you have to shut down the openssh service and edit the /home/Administrator chunk in \Program Files\OpenSSH\etc\passwd to match the directory name.

3) if you installed SIM under a domain login, do yourself a favor and uninstall all of it now including the openssh server via add/remove programs, delete any directory on any managed host or the local host matching c:\documents and settings\*\.ssh, delete all of c:\program files\openssh, log out of windows and back in as that machine's local administrator, and re-install. Verify that SSH is working after the install by opening a command prompt, cd to c:\program files\openssh\bin, and run ssh localhost. If you can't fully log in as Administrator using the local admin password, to the point where you see a shell prompt, something went wrong. Check the event log to see why.

4) If you are deploying agents, I highly recommend you use a local administrator account on each end host, especially if you want to use OpenSSH on a windows 2003 server.

5) You have to have forward and reverse DNS lookups working for the SIM server and all managed objects, period. If you can't do an nslookup from a command prompt at the SIM server on both the full hostname and the IP you intend to manage from, SIM will freak out.

6) If you can't authenticate to remote machines already running SSH, they are likely running the OpenSSH daemon as a domain user. De-install OpenSSH on those managed hosts, nuke any .ssh directories on them as above, and remove the cached host key from the SIM server by using from a command prompt:

mxagentconfig -r -n hostname.or.ip.here

you can get an idea of what to use after -n by checking inside c:\program files\hp\systems insight manager\config\ssltools\known_hosts. If you get lazy you can just stop the SIM service, delete that file, and restart without much incident instead.

7) You can't use any service that requires SSH to install (including installing SSH itself) if your account username or password has any special shell characters in it, i.e. & < > or |. HP passes the password directly on a command line (how silly) and the shell interprets the characters directly. I'm not sure if the situation is improved by enclosing the password/userid in quotes from the GUI. FYI.

That's all for now, folks. Hope my 8 hours of hell helps someone else out there. Honestly it would be nice if HP would at least present a dialog on 2k3 systems warning of the domain admin problem w/ ssh during install and remote deployment. The resulting headscratching has wasted many more individuals' time than mine I'm certain.

cheers and good luck,
-tom

Re: Win2k3 SP1 + SIM4.2 SP1 + active directory = ugh

Scott Shaffer — Wed, 06 Apr 2005 11:15:29 GMT

Tom, first let me apologize for all the trouble you had here. Certainly this isn't what we would like!

However, know that we are aware there are issues and we're working hard on fixing them. We did put out a white paper on getting SSH setup on Windows 2003, but we now know there are more scenarios than we first thought that make this less than perfect.

So, we're doing a few things here to resolve the situation. First, we're going to update our white paper to include all the information we have to date. Second, we're going to release a set of scripts that help folks make sure any precondition and postconditions are set.

But most importantly, we're going to release HPSIM 4.2 SP2 that addresses these issues in many ways. We're going straight to the OS for local tool launches. This will mean that SSH isn't required locally to run tools like Repair Agent Settings, Initial PSP Deployment, and Deploy SSH. We're also improving the SSH component so that it handles lots of Win2K3 install issues.

All these things will help - but nothing will get you back your 8 hours though, so again let me apologize. I promise we're working hard to make sure this sort of thing doesn't happen again.

Re: Win2k3 SP1 + SIM4.2 SP1 + active directory = ugh

Tom Pepper — Wed, 06 Apr 2005 12:47:19 GMT

omg you guys read this? *hug*

all *excellent* ideas. don't get me wrong i'm excessively happy with HP (save a lack of IMA for Freebsd 5 and Fedora...), especially when we consider the state of the union over at the other bladeserver camps.

thanks for the pep talk and glimpse of goodness to come!

Re: Win2k3 SP1 + SIM4.2 SP1 + active directory = ugh

David Claypool — Wed, 06 Apr 2005 15:27:30 GMT

Tom:

Good news. For non-supported OS versions, you can build the pack for installation. Go to http://www.hp.com/go/proliantlinux --> 'Managing ProLiant Servers with Linux' and check the custom builds instructions starting on page 27.

Re: Win2k3 SP1 + SIM4.2 SP1 + active directory = ugh

Tom Pepper — Wed, 06 Apr 2005 17:21:13 GMT

Well, shoot. I got nothin'. :)

Perhaps it's up to me to port these puppies over to fbsd and make a port out of the shebang.

Great job, guys. Keep it up!