HPlogo HP-UX Reference Volume 2 of 5 > s

sam(1M)
» 

Technical documentation

Complete book in PDF

 » Table of Contents

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

NAME

sam — system administration manager

SYNOPSIS

/usr/sbin/sam [-display display] [-f login] [-r]

DESCRIPTION

The sam command starts a menu-driven System Administration Manager program (SAM) that makes it easy to perform system administration tasks with only limited, specialized knowledge of the HP-UX operating system. SAM discovers most aspects of a system's configuration through automated inquiries and tests. Help menus describe how to use SAM and perform the various management tasks. Context-sensitive help on the currently highlighted field is always available by pressing the F1 function key. Status messages and a log file monitor keep the user informed of what SAM is doing.

Running SAM

SAM has been tuned to run in the Motif environment, but it can be run on text terminals as well. To run SAM in the Motif environment, be sure that Motif has been installed on your system, and that the DISPLAY environment variable is set to the system name on which the SAM screens should be displayed (or use the -display command line option).

Generally, SAM requires superuser (user root) privileges to execute successfully. However, SAM can be configured (through the use of "Restricted SAM"; see below) to allow subsets of its capabilities to be used by non-root users. When Restricted SAM is used, non-root users are promoted to root when necessary to enable them to execute successfully.

Options

sam recognizes the following options.

-display display

Set the DISPLAY value for the duration of the SAM session.

-f login

Execute SAM with the privileges associated with the specified login. When used in conjunction with -r, the Restricted SAM Builder is invoked and initialized with the privileges associated with the specified login. You must be a superuser to use this option. See "Restricted SAM" below for more information.

-r

Invoke the Restricted SAM Builder. This enables the system administrator to provide limited nonsuperuser access to SAM functionality. You must be a superuser to use this option. See "Restricted SAM" below for more information.

SAM Functional Areas

SAM performs system administration tasks in the following areas:

Auditing and Security (Trusted Systems)

  • Set global system security policies

    • Maximum account inactivity period

    • Password generation policies

    • Null password usage and use of password restriction rules

    • Password aging

    • Maximum unsuccessful login attempts

    • Single-user boot authorization

    • Terminal security policies

  • Turn the Auditing system on or off

  • Set the parameters for the Audit Logs and Size Monitor

  • View all or selected parts of the audit logs

  • Modify (or view) which users, events, and/or system calls get audited

  • Convert your system to a Trusted System

  • Convert your system to a non-Trusted System

Backup and Recovery

  • Interactively back up files to a valid backup device (cartridge tape, cartridge tape autochanger, magnetic tape, DAT, magneto-optical disk, or magneto-optical disk autochanger). The SAM interface is suspended so that you can read and/or respond to the interactive messages produced by fbackup (see fbackup(1M)).

  • Recover files online from a valid backup device. The SAM interface is suspended so that you can read/respond to the interactive messages produced by frecover (see frecover(1M)).

  • Add to, delete from, or view the automated backup schedule.

  • Obtain a list of files from a backup tape.

  • View various backup and recovery log files.

Disk and File Systems Management

  • Add, configure, or unconfigure disk devices. This includes hard drives, floppy drives, CD-ROMs, magneto-optical devices, and disk arrays.

  • Add, modify, or remove local file systems, or convert them to long file names.

  • Configure HFS or VxFS file systems.

  • Remote (NFS) file systems configuration, including:

    • Add, modify, or remove remote (NFS) file systems.

    • Allow or disallow access by remote systems to local file systems.

    • Modify RPC (Remote Procedure Call) services' security.

  • Add, remove, or modify device or file system swap.

  • Change the primary swap device.

  • Add, modify, or remove dump devices.

  • Examine, create, extend, or reduce a volume-group pool of disks.

  • Create, extend or change number of mirrored copies of a logical volume and associated file system.

  • Remove a logical volume or increase its size.

  • Split or merge mirrored copies of a logical volume.

  • Share or unshare volume groups (only on ServiceGuard clusters running MC/LockManager distributed lock-manager software).

Kernel and Device Configuration

  • Change the configuration for I/O device and pseudo drivers.

  • Modify operating system parameters.

  • Modify dump device configuration in the kernel.

  • Minimize kernel and system configuration to reduce memory usage (Series 700 only).

  • Add or remove optional subsystems such as NFS, LAN, NS, CD-ROM, etc.

  • Generate a new kernel.

Networks/Communications

  • Configure one or more LAN cards.

  • Configure ARPA services.

  • Configure the Network File System (NFS).

  • Configure X.25 card or cards and PAD (Packet Assembler/Disassembler) services (if X.25 has been purchased).

Peripheral Devices Management

  • Administer the LP spooler or Distributed Print Services and associated printers and plotters (see "Printer and Plotter Management" below).

  • Add, modify, or remove the configuration of disk devices.

  • Add or remove terminals and modems.

  • Configure terminal security policies (Trusted Systems only).

  • Lock and unlock terminals (Trusted Systems only).

  • Add or remove tape drives.

  • Add or remove hardware interface cards and HP-IB instruments.

  • View current configuration of peripherals and disk space information.

Printer and Plotter Management

SAM supports two methods for managing printers and plotters:

  • LP Spooler

    • Add and remove local, remote, and networked printers and plotters to/from the LP spooler.

    • Enable and disable printers and plotters from printing requests accepted by the LP spooler.

    • Accept and reject requests for printers, plotters, and print classes.

    • Modify the fence priority of printers and plotters.

    • Set the system default print destination.

    • Start and stop the LP scheduler.

  • HP Distributed Print Service (HPDPS)

    • Add and remove physical printers (parallel, serial, or network interface and remote printers), logical printers, print queues, spoolers, and supervisors.

    • Enable and disable logical printers, print queues, and physical printers to accept print jobs.

    • Pause and resume print queues, physical printers, and print jobs.

    • Start and stop spoolers and supervisors

    • Modify attributes of physical printers, logical printers, print queues, spoolers, and supervisors.

    • Remove a single print job or all print jobs assigned to a physical printer, logical printer, print queue, spooler or supervisor.

Process Management

  • Kill, stop or continue processes.

  • Change the nice priority of processes.

  • View the current status of processes.

  • Schedule periodic tasks via cron.

  • View current periodic (cron) tasks.

  • Run performance monitors.

  • Display system properties such as: machine model and ID; number of installed processors, their version and speed; operating-system release version; swap statistics, real, physical, and virtual memory statistics; network connection information.

Remote Administration

  • Configure remote systems for remote administration.

  • Execute SAM on systems configured for remote administration.

Routine Tasks

  • Shut down the system.

  • View and remove large files. Specify size and time-since-accessed of large files to display or remove.

  • View and remove unowned files. Specify size and time-since-accessed of unowned files to display or remove.

  • View and remove core files.

  • View and trim ASCII or non-ASCII log files. Add or remove files from the list of files to monitor. Set recommended size for trimming.

User and Group Account Management

  • Add, remove, view, and modify user accounts.

  • Remove or reassign ownership of files belonging to removed or modified user accounts.

  • Modify a user account's group membership.

  • Set up password aging for a user account.

  • Add, remove, view, and modify groups.

  • Customize adding and removing users by specifying steps to be performed before and/or after SAM does its processing for the task. The Task Customization action items in SAM Users and Groups leads you through this capability. See "Customizing SAM Tasks" below for more information.

  • Deactivate and reactivate user accounts.

  • Manage trusted system security policies on a per-user basis. The policies that can be managed include:

    • Account lifetime

    • Maximum account inactivity period

    • Password generation policies

    • Null password usage and use of password restriction rules

    • Maximum password length

    • Password aging

    • Maximum unsuccessful login attempts

    • Generation of admin numbers for new or reactivated accounts

    • Single-user boot authorization

    • Authorized login times

Adding New Functionality to SAM

You can easily add stand-alone commands, programs, and scripts to SAM. SAM is suspended while the executable program is running. When it finishes, the SAM interface is restored. You can also write your own help screen for each menu item you create. To add functionality to SAM, select the "Add Custom Menu Item" or "Add Custom Menu Group" action items from the SAM Areas menu. (Note that the new item is added to the hierarchy that is currently displayed, so you need to navigate to the desired hierarchy before adding the item.)

File System Protection When Removing Users

When removing users or files from a system, there is always the unfortunate possibility that the wrong user may be removed or that files belonging to a user who is removed are deleted inadvertently during the removal process. For example, user bin is the owner of (from the operating system's perspective) the majority of the executable commands on the system. Removing this user would obviously be disastrous. On the other hand, suppose user joe owns all of the files comprising the test suite for a project. It may be appropriate to remove joe, but the test suite should be left intact and assigned to a new owner. SAM provides two features to help protect against inadvertent removal of users or files when removing users:

  • When prompting for the name of a user to remove from the system, SAM checks the name given against a list of names specified in the file /etc/sam/rmuser.excl. If the name matches one within the file, SAM does not remove the user.

  • When SAM removes a user, all files (or a subset thereof) for that user are also removed, unless the ownership is given to another user. Before removing a file belonging to the user, SAM checks to see if the file resides in a path that has been excluded from removal. SAM uses the file /etc/sam/rmfiles.excl to determine which paths have been excluded from removal. So, for example, if the path /users/joe/test is named in the file, SAM will not remove any files residing beneath that directory. SAM logs a list of all files it removes in the file /var/tmp/sam_remove.log.

  • SAM does not remove or reassign any files if the user being removed has the same user ID as another user on the system.

Files /etc/sam/rmuser.excl and /etc/sam/rmfiles.excl can be edited to contain users and directories that you want to exclude from removal by SAM.

Customizing SAM Tasks

You can customize the following SAM tasks:

  • Add a New User Account to the System

  • Remove a User Account from the System

For each of these tasks, you can specify steps you want performed before and/or after SAM does its processing for the task. Before SAM performs one of the tasks, it checks to see if a pretask step (executable file) was defined. If so, SAM invokes the executable, passes it a set of parameters (see below), and waits for its completion. You can halt SAM's processing of a task by exiting from your executable with a nonzero value (for example if an error occurs during execution of your executable).

After SAM has finished processing, it checks for a posttask step, performing the same type of actions as for the pretask step.

The executable file must have these characteristics:

  • Must be owned by root.

  • Must be executable only by root, and if writable, only by root.

  • Must reside in a directory path where all the directories are writable only by owner.

  • The full path name of the executable file must be given in the SAM data entry form.

The same parameters are passed from SAM to your program for both the pretask and posttask steps. Here are the parameters passed for each task:

  • Add a New User Account to the System

    -l login_name -v user_id -h home_directory -g group -s shell -p password -R real_name -L office_location -H home_phone -O office_phone

    The file /usr/sam/lib/ct_adduser.ex contains an example of how to process these parameters.

  • Remove a User Account From the System

    There can be one of three possible parameters, depending on the option selected in the SAM data entry form. The parameter can be one of these three:

    -f user_name

    Option supplied when all of user_name's files are being removed.

    -h user_name

    Option supplied when user_name's home directory and files below it are being removed.

    -n new_owner user_name

    Option supplied when all of user_name's files are being assigned to new_owner.

    The file /usr/sam/lib/ct_rmuser.ex contains an example of how to process these parameters.

Restricted SAM

SAM can be configured to provide a subset of its functionality to certain users or groups of users. It can also be used to build a template file for assigning SAM access restrictions on multiple systems. This is done through the Restricted SAM Builder. System administrators access the Restricted SAM Builder by invoking SAM with the -r option (see "Options" above). In the Builder, system administrators may assign subsets of SAM functionality on a per-user or per-group basis. Once set up, the -f option (see "Options" above) can then be used by system administrators to verify that the appropriate SAM functional areas, and only those areas, are available to the specified user.

A nonroot user that has been given Restricted SAM privileges simply executes /usr/sbin/sam and sees only those areas the user is privileged to access. For security reasons, the "List" and "Shell Escape" choices are not provided. (Note that some SAM functional areas require the user to be promoted to root in order to execute successfully. SAM does this automatically as needed.)

SAM provides a default set of SAM functional areas that the system administrator can assign to other users. Of course, system administrators are able to assign custom lists of SAM functional areas to users as necessary.

SAM Logging

All actions taken by SAM are logged into the SAM log file /var/sam/log/samlog. The log entries in this file can be viewed via the SAM utility samlog_viewer (see samlog_viewer(1M)). samlog_viewer can filter the log file by user name, by time of log entry creation, and by level of detail.

The "Options" menu in the SAM Areas Menu enables you to start a log file viewer and to control certain logging options. These options include whether or not SAM should automatically start a log file viewer whenever SAM is executed, whether or not SAM should trim the log file automatically, and what maximum log file size should be enforced if automatic log file trimming is selected.

VT320 Terminal Support

Because the VT320 terminal has predefined local functions for keys labeled as F1, F2, F3 and F4, users should use following mapping when they desire to use function keys:

HP or Wyse60

VT320 or HP 700/60 in VT320 mode

F1

PF2 (1)

F2

PF1 (1)

F3

spacebar

F4

PF3 (1)

F5

F10, [EXIT], F5 (2)

F6

none

F7

F18, first unlabeled key to right of Pause/Break (2)

F8

F19, second unlabeled key to right of Pause/Break (2)

(1)

See the "Configuration: HP 700/60 in DEC mode, or DEC terminals with PC-AT-type keyboard" subsection below.

(2)

When using PC-AT keyboard with HP 700/60 in VT320 mode.

Since DEC terminals do not support the softkey menu, that menu is not displayed on those terminals.

Many applications use TAB for forward navigation (moving from one field to another) and shift-TAB for backward navigation. Users having DEC terminals or using terminals in DEC emulation modes such as VT100 or VT320 may note that these terminals/emulators may produce the same character for TAB and shift-TAB. As such, it is impossible for an application to distinguish between the two and both of them are treated as if the TAB key was pressed. This presents an inconvenience to users if they want to go backward. In most cases, they should complete rest of the input fields and get back to the desired field later.

VT100 Terminal Support

VT100 does not allow the F1-F8 function keys to be configured. Therefore, the following keyboard mappings apply to VT100 terminals:

HP or Wyse60

VT100 or HP 700/60 in VT100 mode

F1

PF2 (1)

F2

PF1 (1)

F3

spacebar

F4

PF3, spacebar or PF3, = (1)

F5

Return

F6

none

F7

none

F8

none

(1)

See the "Configuration: HP 700/60 in DEC mode, or DEC terminals with PC-AT-type keyboard" subsection below.

See the comments on softkeys and TAB keys in the "VT320 Terminal Support" subsection above.

Configuration: HP 700/60 Terminal in DEC Mode, or DEC Terminal with PC-AT-Type Keyboard

Customers using the following configuration may want to be aware of the following keyboard difference.

It may be possible for a user with the "HP 700/60 terminal in DEC mode, or DEC terminal with PC-AT-type keyboard" configuration to be told to press function key F1 through F4 to achieve some desired result. For an HP 700/60 terminal in DEC mode or DEC terminals, these functions keys may be mapped onto PF1-PF4 keys. However, the PC-AT-type keyboard does not provide PF1-PF4 keys, as does the DEC/ANSI keyboard.

Key

Maps to

Num Lock

PF1

/

PF2

*

PF3

-

PF4

The Num Lock, /, *, and - keys are located on the keyboard, in a row above the number pad on the right side of the keyboard. Please note that although this keyboard is called a PC-AT-type keyboard, it is supplied by HP. A PC-AT-type keyboard can be recognized by location of ESC key at the left-top of the keyboard.

Wyse60 Terminal Support

On Wyse60, use the DEL key (located next to Backspace) to backspace. On an HP 700/60 with a PC-AT-type keyboard in Wyse60 mode, the DEL key is located in the bottom row on the number pad.

Wyse60 terminals provide a single line to display softkey labels unlike HP terminals which provide two lines. Sometimes this may result in truncated softkey labels. For example, the Help on Context label for F1 may appear as Help on C. Some standard labels for screen-oriented applications, such as SAM and swinstall are as follows:

The SAM label:

May appear on the Wyse60 as:

Help On Context

Help On C

Select/Deselect

Select/D

Menubar on/off

Menubar

DEPENDENCIES

SAM runs in an X Window environment as well as on the following kinds of terminals or terminal emulators:

  • HP-compatible terminal with programmable function keys and on-screen display of function key labels.

  • VT-100 and VT-320

  • WY30 and WY60

Depending on what other applications are running concurrently with SAM, more swap space may be required. SAM requires the following amounts of internal memory:

8 MB

If using terminal based version of SAM.

16 MB

If using Motif X Window version of SAM.

For more detailed information about how to use SAM on a terminal, see the Managing Systems and Workgroups manual.

AUTHOR

sam was developed by HP.

FILES

/etc/sam/custom

Directory where SAM stores user privileges.

/etc/sam/rmfiles.excl

File containing a list of files and directories that are excluded from removal by SAM.

/etc/sam/rmuser.excl

File containing a list of users that are excluded from removal by SAM.

/usr/sam/bin

Directory containing executable files, which can be used outside of any SAM session.

/usr/sam/help/$LANG

Directory containing SAM language specific online help files.

/usr/sam/lbin

Directory containing SAM executables, which are intended only for use by SAM and are not supported in any other context.

/usr/sam/lib

Directory for internal configuration files.

/var/sam

Directory for working space, including lock files (if a SAM session dies, it may leave behind a spurious lock file), preferences, logging, and temporary files.

/var/sam/log/samlog

File containing unformatted SAM logging messages. This file should not be modified by users. Use samlog_viewer to view the contents of this file (see samlog_viewer(1M)).

/var/sam/log/samlog.old

Previous SAM log file. This file is created by SAM when /var/sam/log/samlog is larger than the user specified limit. Use samlog_viewer with its -f option to view the contents of this file (see samlog_viewer(1M)).

SEE ALSO

samlog_viewer(1M).

Managing Systems and Workgroups

Installing and Administering ARPA Services

Installing and Administering LAN/9000

Installing and Administering NFS Services

Installing and Administering Network Services

Installing and Administering X.25/9000



sa1
  		 


sar  
© Hewlett-Packard Development Company, L.P.