IBM DCE 3.2 Solaris 2.7/2.8/2.9/2.10 Patch 10
Copyright 2006 by IBM Corp.
===========================================================================

INSTALLATION INSTRUCTIONS:

The patches for the DCE 3.2 product on Solaris 2.7/2.8/2.9/2.10 are
delivered via Solaris packages. The packages are contained in one
compressed file, and the associated scripts and documentation are
contained in another compressed file that is downloaded.

The README3210.tar.Z file, when uncompressed and untarred, will contain:

   README            -- This file, which describes the contents of the
                        patch and notes
   installpatch      -- the script to use to install the patch packages
   installpatch.env  -- environment that controls the installpatch script

The IDCE32-xx.client.tar.Z (or IDCE32-xx.server.tar.Z) file, when
uncompressed and untarred, will contain the directory IDCE32-xx, where xx
identifies the patch, with all the patches for client or server as the
case may be. As an example, when the IDCE32-04.client.tar file is
un-tarred, the contents of the IDCE32-04 directory will be:

   IDCEGBKm   -- patch package for IDCEGBKm
   IDCEenUSm  -- patch package for IDCEenUSm
   IDCEjaJPm  -- patch package for IDCEjaJPm
   IDCEsecs   -- patch package for IDCEsecs
   IDCEzhm    -- patch package for IDCEzhm
   IDCEcdss   -- patch package for IDCEcdss
   IDCEesm    -- patch package for IDCEesm
   IDCEjam    -- patch package for IDCEjam
   IDCEsmgmt  -- patch package for IDCEsmgmt
   IDCEclnt   -- patch package for IDCEclnt
   IDCEitd    -- patch package for IDCEitd
   IDCEkod    -- patch package for IDCEkod
   IDCEtools  -- patch package for IDCEtools
   IDCEenUSd  -- patch package for IDCEenUSd
   IDCEitm    -- patch package for IDCEitm
   IDCEkom    -- patch package for IDCEkom
   IDCEzhd    -- patch package for IDCEzhd

Each patch will install the patch version of the packages that are
already installed on the local machine. For example, if a machine is
configured as a DCE client only, but the server packages are installed on
the machine as well, the server packages will also be patched.
If the server packages are not installed, their patch versions will not
be installed, either.

It is important to use the installation script, "installpatch", provided
in the README tar file. The IDCE patching packages can be installed
directly by using the Solaris pkgadd command, but this is discouraged.
The installpatch script does additional system and space requirement
checking, ensures the correct IDCE packages are patched, constructs a
backout patch and provides for more graceful error recovery. Direct use
of pkgadd should be reserved for unusual situations where installpatch is
not sufficient AND the installer has sufficient technical knowledge of
Solaris packages. The installpatch script supports the use of both
command line options and an environment file to control its behavior;
these are described in more detail below.

There are several ways to determine what patch or packages are installed
on a machine. Executing "pkginfo" or "showrev -p" will list all products'
packages; "pkginfo | grep IDCE" will limit the list to the DCE packages.
After you execute installpatch, those commands should show the new patch
level.

A log file of the installpatch session is created for later reference. By
default it is created in /var/sadm/patch/IDCE/log, and it is overwritten
with each execution of installpatch. If you want to save a copy of it,
the best way is to rename it afterwards, although it is also possible to
change the pathname in an environment file.

By default, installpatch constructs a backout patch which saves the
previous versions of the files being patched in packages, so that the
patch being installed may be backed out and the machine returned to its
previous state. It also generates a "backoutpatch" script and a README
file. For example, suppose a machine currently has Patch 1 installed on
it, and Patch 4 is applied; if the patch is then backed out, the machine
would again have Patch 1 on it.
The script "backoutpatch" is generated each time with the details for
this particular machine's installation; it is unique to that current
installation. To back out a patch, that script should be executed from
the directory in which both it and its corresponding packages reside.
Note that a backout patch saves only those files that will be replaced by
a patch and should not be considered a full backup of all IDCE package
related files.

The default location of the backout patch, script, and README file is

   /var/sadm/patch/IDCE/backout

Each successive patch install overwrites the previous backout patch. To
save a particular backout, either rename the entire backout directory, or
use an alternate environment file as given in an example below.

There are two ways to directly modify the behavior of the installpatch
script. First, you can use one or more command line options to affect the
general behavior of installpatch, listed below:

   Usage: installpatch [-e ENV_FILE] [-nolock] [-noback] [-force] [-help]

      -e       specify an alternative environment file
      -nolock  do not use or check for lock files
      -noback  do not generate a backout patch
      -force   install patch without regard for what patches are
               currently on the system
      -help    verbose usage message

Several of the default actions of installpatch can be overridden by the
above command line options. A command line option ALWAYS overrides any
definitions found in an environment file.

The -force option should only be used in RARE situations. One such
situation may be if the Solaris packages database becomes corrupted in
some way. Even then, you should consider other alternatives, such as
reinstalling the IDCE packages in question. DO NOT use -force without
investigating the current state of your machine.

The second method for modifying the behavior of installpatch is to create
your own installpatch environment file.
This environment file contains a fair number of documented parameters
that determine if, where and how each step of the installpatch script is
performed. Rather than modify the default environment file,
installpatch.env, it is preferable to copy that file to some other
filename, update the copy and use it with the "installpatch -e" command
line option. This will preserve the record of the default settings.

Modifying the environment file gives the installer more fine-grained
control over the behavior of installpatch than can be accomplished at the
command line. For example, by default backout patches are always created
in /var/sadm/patch/IDCE/backout and each successive patch install
overwrites the previous backout patch. By modifying where the backout
patch is constructed, the installer can store as many backout patches as
he or she wishes and has room for.

STEPS FOR INSTALLATION:

The patched binaries can be put into place by following these steps once
the tar file has been obtained:

   1. Log in as root, preferably in single-user mode

   2. Stop all DCE and DFS processes on the machine

   3. % cd patch_directory
      where patch_directory is where you would like to keep the patch
      packages.

   4. % tar xvf tar_file
      where tar_file is the full pathname of the file containing the
      patch packages

   5. copy installp and installp.env file that came in README.tar.Z to
      IDCE32-xx directory.
      where xx is the patch identifier

   6. % cd IDCE32-xx
      where xx is the patch identifier

   7. % ./installpatch
      This will install the patch packages for the DCE packages that are
      currently installed on the machine. The Solaris package utility may
      prompt about conflicting packages or running as root; respond "yes"
      to these. One example is

         * - overwriting a file which is also setuid/setgid.
         Do you want to install these as setuid/setgid files [y,n,?,q] y

      When the patch installation completes, a backout patch and log file
      will be available if needed.

   8. % pkginfo | grep IDCE
      % showrev -p
      to check that patches were installed properly

   9. If DFS is in use on this machine, either as a client or a server,
      you must reboot it to use the new binaries. If DFS is not in use,
      you may simply restart all the DCE processes.

Steps for backing out a patch:

   1. Log in as root, preferably in single-user mode

   2. Stop all DCE and DFS processes on the machine

   3. % cd backout_directory
      where backout_directory contains: the backoutpatch script and a tar
      file with patch backout packages (may be compressed)

   4. % ./backoutpatch
      Similarly to running installpatch, the Solaris package utility may
      prompt about installing conflicting packages or running scripts
      executed with super-user permission. Respond "yes" to these
      prompts.

   5. % pkginfo | grep IDCE
      to check that packages were installed properly

   6. If DFS is in use on this machine, either as a client or a server,
      you must reboot it to use the new binaries. If DFS is not in use,
      you may simply restart all the DCE processes.

NOTE : On Solaris machines, if there are not enough shared memory
segments, DTS will NOT be able to configure. Typically it will fail with
the following error:

2000-05-24-09:20:39.784+02:00I----- dtsd ERROR dts dtserror dtss_service_main.c 1340 0xffbef60c msgID=0x115CA0BF Failed to read hardware clock info

In this case, to configure DTS successfully, the following values are
recommended in the /etc/system file for the shared memory and semaphore
values. The system has to be rebooted after changing the values.

   set shmsys:shminfo_shmseg=1024
   set shmsys:shminfo_shmmax=10000000
   set shmsys:shminfo_shmmin=1
   set shmsys:shminfo_shmmni=4096
   set semsys:seminfo_semmns=10000
   set semsys:seminfo_semmsl=100

DEFECTS FIXED IN THIS PATCH:

   APAR #     Abstract
   ------     --------
   IY85474    MIT Kerberos vulnerability no # MITKRB5-SA-2005-002
   IY73345    DCED memory leak in siteupdate handler
   IY85232    Facility to tune private sockets in RPC runtime
   IY73683    Enhancement to add msg in syslog on account lock
   IY85044    Problem with dce_pthread_cond_init() API

Note : Patch 119689-06 is a prerequisite for DCE320 patchset10 on
Solaris 10.
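
The prerequisite note above and the earlier warning that each installpatch run overwrites the previous log and backout patch can both be checked before installing. The helper below is an added example, not part of the IBM patch kit: the function names and the sample showrev lines are constructed, and it assumes a POSIX shell (/usr/xpg4/bin/sh or ksh on Solaris).

```shell
#!/bin/sh
# Added example, not part of the IBM patch kit. Function names are
# hypothetical; requires a POSIX shell (not the legacy Bourne /bin/sh).

# has_patch ID MINREV: read `showrev -p` output on stdin and succeed only
# if patch ID is listed at revision MINREV (plain integer) or later.
has_patch() {
    hp_found=1
    while read -r hp_tag hp_patch hp_rest; do
        [ "$hp_tag" = "Patch:" ] || continue
        [ "${hp_patch%-*}" = "$1" ] || continue
        hp_rev=${hp_patch##*-}
        hp_rev=${hp_rev#0}               # "06" -> "6" for a decimal compare
        if [ "${hp_rev:-0}" -ge "$2" ] 2>/dev/null; then hp_found=0; fi
    done
    return $hp_found
}

# keep_previous BASE LABEL: rename BASE/backout and BASE/log to *.LABEL so
# the next installpatch run does not overwrite them. Never clobbers a copy
# saved earlier under the same label.
keep_previous() {
    for kp_name in backout log; do
        [ -e "$1/$kp_name" ] || continue
        if [ -e "$1/$kp_name.$2" ]; then
            echo "refusing to overwrite $1/$kp_name.$2" >&2
            return 1
        fi
        mv "$1/$kp_name" "$1/$kp_name.$2" || return 1
    done
}

# Constructed `showrev -p` lines for trying has_patch off the target host.
sample_showrev() {
    printf '%s\n' \
        'Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: PKGexample' \
        'Patch: 119689-06 Obsoletes:  Requires:  Incompatibles:  Packages: PKGexample'
}

# On the Solaris 10 host, as root, before ./installpatch:
#   showrev -p | has_patch 119689 6 || echo "install patch 119689-06 first"
#   keep_previous /var/sadm/patch/IDCE "$(date +%Y%m%d)"
```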
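
For the DTS note above, the following added example (not part of the IBM patch kit) compares a system file against the six values this README recommends and lists what is missing or different. The function name is hypothetical, values are compared as literal strings, and when a tunable is set more than once the script looks at the last setting, which is a choice made for this example.

```shell
#!/bin/sh
# Added example, not part of the IBM patch kit. Assumes a POSIX shell;
# the function name is hypothetical.

# Values recommended by this README for DTS configuration.
DTS_RECOMMENDED='shmsys:shminfo_shmseg=1024
shmsys:shminfo_shmmax=10000000
shmsys:shminfo_shmmin=1
shmsys:shminfo_shmmni=4096
semsys:seminfo_semmns=10000
semsys:seminfo_semmsl=100'

# check_dts_tunables FILE: print one line for each recommended tunable that
# FILE does not set, or sets to a different value; return 1 if any line is
# printed. Lines not starting with "set" (such as "*" comments) are ignored.
check_dts_tunables() {
    ct_status=0
    for ct_want in $DTS_RECOMMENDED; do
        ct_name=${ct_want%%=*}
        ct_value=${ct_want#*=}
        # Extract the value of the last "set <name> = <value>" line, if any.
        ct_have=$(sed -n "s/^[[:space:]]*set[[:space:]][[:space:]]*$ct_name[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -1)
        if [ -z "$ct_have" ]; then
            echo "missing: set $ct_want"
            ct_status=1
        elif [ "$ct_have" != "$ct_value" ]; then
            echo "differs: $ct_name=$ct_have (README recommends $ct_value)"
            ct_status=1
        fi
    done
    return $ct_status
}

# On the target host:
#   check_dts_tunables /etc/system || echo "edit /etc/system, then reboot"
```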