NAME
sam — system administration manager

SYNOPSIS
/usr/sbin/sam [-display display] [-f login] [-r]

DESCRIPTION
The
sam
command starts a menu-driven System Administration Manager program (SAM)
that makes it easy to perform system administration tasks
with only limited, specialized knowledge of the HP-UX operating system.
SAM discovers most aspects of a system's configuration
through automated inquiries and tests.
Help menus describe how to use SAM
and perform the various management tasks.
Context-sensitive help on the currently highlighted field
is always available by pressing the
F1
function key.
Status messages and a log file monitor keep the user informed of what
SAM is doing.

Running SAM
SAM has been tuned to run in the Motif environment,
but it can be run on text terminals as well.
To run SAM in the Motif environment,
be sure that Motif has been installed on your system,
and that the
DISPLAY
environment variable
is set to the system name on which the SAM screens should be displayed
(or use the
-display
command line option).

Generally, SAM requires superuser (user
root)
privileges to execute successfully.
However, SAM can be configured
(through the use of "Restricted SAM"; see below)
to allow subsets of its capabilities to be used by
non-root
users.
When Restricted SAM is used,
non-root
users are promoted to
root
when necessary to enable them to execute successfully.

Options
sam recognizes the following options.

- -display display
    Set the DISPLAY value for the duration of the SAM session.
- -f login
    Execute SAM with the privileges associated with the specified login.
    When used in conjunction with -r, the Restricted SAM Builder is invoked
    and initialized with the privileges associated with the specified login.
    You must be a superuser to use this option.
    See "Restricted SAM" below for more information.
- -r
    Invoke the Restricted SAM Builder.
    This enables the system administrator
    to provide limited nonsuperuser access to SAM functionality.
    You must be a superuser to use this option.
    See "Restricted SAM" below for more information.

SAM Functional Areas
SAM performs system administration tasks in the following areas:

Auditing and Security (Trusted Systems)
- Set global system security policies
  - Maximum account inactivity period
  - Password generation policies
  - Null password usage and use of password restriction rules
  - Maximum unsuccessful login attempts
  - Single-user boot authorization
  - Terminal security policies
- Turn the Auditing system on or off
- Set the parameters for the Audit Logs and Size Monitor
- View all or selected parts of the audit logs
- Modify (or view) which users, events, and/or system calls get audited
- Convert your system to a Trusted System
- Convert your system to a non-Trusted System

Backup and Recovery
- Interactively back up files to a valid backup device
  (cartridge tape, cartridge tape autochanger, magnetic tape,
  DAT, magneto-optical disk, or magneto-optical disk autochanger).
  The SAM interface is suspended so that you can read and/or respond
  to the interactive messages produced by fbackup (see fbackup(1M)).
- Recover files online from a valid backup device.
  The SAM interface is suspended so that you can read/respond
  to the interactive messages produced by frecover (see frecover(1M)).
- Add to, delete from, or view the automated backup schedule.
- Obtain a list of files from a backup tape.
- View various backup and recovery log files.

Disk and File Systems Management
- Add, configure, or unconfigure disk devices.
  This includes hard drives, floppy drives,
  CD-ROMs, magneto-optical devices, and disk arrays.
- Add, modify, or remove local file systems, or convert them to long file names.
- Configure HFS or VxFS file systems.
- Remote (NFS) file systems configuration, including:
  - Add, modify, or remove remote (NFS) file systems.
  - Allow or disallow access by remote systems to local file systems.
  - Modify RPC (Remote Procedure Call) services' security.
- Add, remove, or modify device or file system swap.
- Change the primary swap device.
- Add, modify, or remove dump devices.
- Examine, create, extend, or reduce a volume-group pool of disks.
- Create, extend or change number of mirrored copies
  of a logical volume and associated file system.
- Remove a logical volume or increase its size.
- Split or merge mirrored copies of a logical volume.
- Share or unshare volume groups
  (only on ServiceGuard clusters running MC/LockManager
  distributed lock-manager software).

Kernel and Device Configuration
- Change the configuration for I/O device and pseudo drivers.
- Modify operating system parameters.
- Modify dump device configuration in the kernel.
- Minimize kernel and system configuration to reduce memory usage
  (Series 700 only).
- Add or remove optional subsystems such as NFS, LAN, NS, CD-ROM, etc.

Networks/Communications
- Configure one or more LAN cards.
- Configure the Network File System (NFS).
- Configure X.25 card or cards and PAD
  (Packet Assembler/Disassembler) services (if X.25 has been purchased).

Peripheral Devices Management
- Administer the LP spooler or Distributed Print Services
  and associated printers and plotters
  (see "Printer and Plotter Management" below).
- Add, modify, or remove the configuration of disk devices.
- Add or remove terminals and modems.
- Configure terminal security policies (Trusted Systems only).
- Lock and unlock terminals (Trusted Systems only).
- Add or remove tape drives.
- Add or remove hardware interface cards and HP-IB instruments.
- View current configuration of peripherals and disk space information.

Printer and Plotter Management
SAM supports two methods for managing printers and plotters:

LP Spooler
- Add and remove local, remote,
  and networked printers and plotters to/from the LP spooler.
- Enable and disable printers and plotters from printing requests
  accepted by the LP spooler.
- Accept and reject requests for printers, plotters, and print classes.
- Modify the fence priority of printers and plotters.
- Set the system default print destination.
- Start and stop the LP scheduler.

HP Distributed Print Service (HPDPS)
- Add and remove physical printers
  (parallel, serial, or network interface and remote printers),
  logical printers, print queues, spoolers, and supervisors.
- Enable and disable logical printers, print queues,
  and physical printers to accept print jobs.
- Pause and resume print queues, physical printers,
  and print jobs.
- Start and stop spoolers and supervisors.
- Modify attributes of physical printers, logical printers,
  print queues, spoolers, and supervisors.
- Remove a single print job or all print jobs
  assigned to a physical printer, logical printer,
  print queue, spooler or supervisor.

Process Management
- Kill, stop or continue processes.
- Change the nice priority of processes.
- View the current status of processes.
- Schedule periodic tasks via cron.
- View current periodic (cron) tasks.
- Run performance monitors.
- Display system properties such as: machine model and ID;
  number of installed processors, their version and speed;
  operating-system release version;
  swap statistics,
  real, physical, and virtual memory statistics;
  network connection information.

Remote Administration
- Configure remote systems for remote administration.
- Execute SAM on systems configured for remote administration.

Routine Tasks
- View and remove large files.
  Specify size and time-since-accessed of large files to display or remove.
- View and remove unowned files.
  Specify size and time-since-accessed of unowned files to display or remove.
- View and remove core files.
- View and trim ASCII or non-ASCII log files.
  Add or remove files from the list of files to monitor.
  Set recommended size for trimming.

User and Group Account Management
- Add, remove, view, and modify user accounts.
- Remove or reassign ownership of files belonging to removed or modified
  user accounts.
- Modify a user account's group membership.
- Set up password aging for a user account.
- Add, remove, view, and modify groups.
- Customize adding and removing users by specifying steps
  to be performed before and/or after
  SAM does its processing for the task.
  The Task Customization action items in
  SAM Users and Groups lead you through this capability.
  See "Customizing SAM Tasks" below for more information.
- Deactivate and reactivate user accounts.
- Manage trusted system security policies on a per-user basis.
  The policies that can be managed include:
  - Maximum account inactivity period
  - Password generation policies
  - Null password usage and use of password restriction rules
  - Maximum unsuccessful login attempts
  - Generation of admin numbers for new or reactivated accounts
  - Single-user boot authorization

Adding New Functionality to SAM
You can easily add stand-alone commands, programs, and scripts to SAM.
SAM is suspended while the executable program is running.
When it finishes, the SAM interface is restored.
You can also write your own help screen for each menu item you create.
To add functionality to SAM,
select the "Add Custom Menu Item" or "Add Custom Menu Group" action items
from the SAM Areas menu.
(Note that the new item is added to the hierarchy that is currently
displayed, so you need to navigate to the desired hierarchy
before adding the item.)

File System Protection When Removing Users
When removing users or files from a system, there is always
the unfortunate possibility that the wrong user may be removed
or that files belonging to a user who is removed are deleted
inadvertently during the removal process.
For example, user
bin
is the owner of (from the operating system's perspective)
the majority of the executable commands on the system.
Removing this user would obviously be disastrous.
On the other hand, suppose user
joe
owns all of the files comprising the test suite for a project.
It may be appropriate to remove
joe,
but the test suite should be left intact and assigned to a new owner.
SAM provides two features to help protect against inadvertent removal
of users or files when removing users:
- When prompting for the name of a user to remove from the system,
  SAM checks the name given against a list of names
  specified in the file /etc/sam/rmuser.excl.
  If the name matches one within the file,
  SAM does not remove the user.
- When SAM removes a user, all files (or a subset thereof)
  for that user are also removed, unless the ownership is
  given to another user.
  Before removing a file belonging to the user,
  SAM checks to see if the file resides in a path that
  has been excluded from removal.
  SAM uses the file /etc/sam/rmfiles.excl
  to determine which paths have been excluded from removal.
  So, for example, if the path /users/joe/test
  is named in the file,
  SAM will not remove any files residing beneath that directory.
  SAM logs a list of all files it removes in the file
  /var/tmp/sam_remove.log.

SAM does not remove or reassign any files
if the user being removed has the same user ID as another user on the system.

Files /etc/sam/rmuser.excl and /etc/sam/rmfiles.excl
can be edited to contain users and directories
that you want to exclude from removal by SAM.

Customizing SAM Tasks
You can customize the following SAM tasks:
- Add a New User Account to the System
- Remove a User Account from the System

For each of these tasks,
you can specify steps you want performed before and/or after
SAM does its processing for the task.
Before
SAM performs one of the tasks, it checks to see if a pretask step
(executable file) was defined.
If so,
SAM invokes the executable, passes it a set of parameters (see below),
and waits for its completion.
You can halt SAM's
processing of a task by exiting from your executable with a nonzero value
(for example if an error occurs during execution of your executable).

After SAM has finished processing, it checks for a posttask step,
performing the same type of actions as for the pretask step.

The executable file must have these characteristics:
- Must be executable only by root, and if writable, only by root.
- Must reside in a directory path where all the directories
  are writable only by owner.
- The full path name of the executable file must be given in the
  SAM data entry form.
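
One way to audit a candidate pretask or posttask executable against the characteristics above. This is an added example, not part of SAM or of this manual page; the function names and the optional owner argument are assumptions, and "executable only by root" is read here as: owned by root, with no group or other execute or write bit.

```shell
#!/bin/sh
# Added example: audit a SAM pretask/posttask executable against the
# requirements listed above. Mode strings come from `ls -ld`, so no
# stat(1) is needed. The expected owner defaults to root; the second
# argument exists only so the check can be exercised as a non-root user.

# Print "<mode> <owner>" for a path; prints nothing if it does not exist.
ls_fields() { ls -ld "$1" 2>/dev/null | awk '{print $1, $3}'; }

# Regular file, owner may execute, group/other may neither write nor execute.
hook_mode_ok() {
    case $1 in
        -??[xs][r-]-[-S][r-]-[-T]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Directory with no group or other write bit.
dir_mode_ok() {
    case $1 in
        d???[r-]-[-xsS][r-]-[-xtT]*) return 0 ;;
        *) return 1 ;;
    esac
}

check_hook() {
    ck_path=$1
    ck_owner=${2:-root}
    case $ck_path in
        /*) ;;
        *) echo "not a full path name: $ck_path" >&2; return 1 ;;
    esac
    ck_f=$(ls_fields "$ck_path")
    if [ "${ck_f#* }" != "$ck_owner" ] || ! hook_mode_ok "${ck_f%% *}"; then
        echo "bad owner or mode on $ck_path: ${ck_f:-missing}" >&2
        return 1
    fi
    # Walk every ancestor up to /. A symlinked directory shows type 'l'
    # and is rejected rather than followed.
    ck_dir=$(dirname "$ck_path")
    while :; do
        ck_f=$(ls_fields "$ck_dir")
        if ! dir_mode_ok "${ck_f%% *}"; then
            echo "directory writable by group/other: $ck_dir" >&2
            return 1
        fi
        [ "$ck_dir" = / ] && break
        ck_dir=$(dirname "$ck_dir")
    done
    return 0
}

# Stand-alone use: sh check_hook.sh /full/path/to/hook
if [ "$#" -gt 0 ]; then check_hook "$@"; fi
```

A hook that fails this check because of a world-writable ancestor such as /tmp should be moved, not have the check relaxed.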

The same parameters are passed from
SAM to your program for both the pretask and posttask steps.
Here are the parameters passed for each task:

Add a New User Account to the System
    -l login_name
    -v user_id
    -h home_directory
    -g group
    -s shell
    -p password
    -R real_name
    -L office_location
    -H home_phone
    -O office_phone

  The file /usr/sam/lib/ct_adduser.ex
  contains an example of how to process these parameters.

Remove a User Account From the System
  There can be one of three possible parameters,
  depending on the option selected in the SAM data entry form.
  The parameter can be one of these three:

  - -f user_name
      Option supplied when all of user_name's files are being removed.
  - -h user_name
      Option supplied when user_name's
      home directory and files below it are being removed.
  - -n new_owner user_name
      Option supplied when all of user_name's
      files are being assigned to new_owner.

  The file /usr/sam/lib/ct_rmuser.ex
  contains an example of how to process these parameters.
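
A pretask step for "Add a New User Account to the System" that parses the parameters listed above and halts SAM's processing with a nonzero exit when a site rule is violated. This is an added example, not the contents of /usr/sam/lib/ct_adduser.ex; MIN_UID, ALLOWED_SHELLS and the login-name rule are assumed policy values chosen for illustration.

```shell
#!/bin/sh
# Added example: pretask step for "Add a New User Account to the System".
# SAM passes -l -v -h -g -s -p -R -L -H -O as listed above; a nonzero
# exit halts the task. MIN_UID, ALLOWED_SHELLS and the 8-character login
# limit are assumed site policy, not SAM defaults.

MIN_UID=100
ALLOWED_SHELLS="/usr/bin/sh /usr/bin/ksh /usr/bin/csh"

deny() { echo "pretask: $*" >&2; }

pretask_adduser() {
    pt_login= pt_uid= pt_home= pt_shell=
    OPTIND=1
    while getopts "l:v:h:g:s:p:R:L:H:O:" pt_opt; do
        case $pt_opt in
            l) pt_login=$OPTARG ;;
            v) pt_uid=$OPTARG ;;
            h) pt_home=$OPTARG ;;
            s) pt_shell=$OPTARG ;;
            # -p is accepted but never stored or echoed: the page does not
            # say what form the value takes, so treat it as a secret.
            g|p|R|L|H|O) ;;
            *) deny "unexpected option"; return 1 ;;
        esac
    done
    case $pt_login in
        ''|[!a-z]*|*[!a-z0-9_]*) deny "bad login name"; return 1 ;;
    esac
    [ "${#pt_login}" -le 8 ] || { deny "login name too long"; return 1; }
    case $pt_uid in
        ''|*[!0-9]*) deny "user ID is not numeric"; return 1 ;;
    esac
    [ "$pt_uid" -ge "$MIN_UID" ] || { deny "user ID below $MIN_UID"; return 1; }
    case $pt_home in
        /*) ;;
        *) deny "home directory is not an absolute path"; return 1 ;;
    esac
    # Exact match against the allow-list, one entry at a time.
    pt_ok=1
    for pt_s in $ALLOWED_SHELLS; do
        if [ "$pt_s" = "$pt_shell" ]; then pt_ok=0; fi
    done
    [ "$pt_ok" -eq 0 ] || { deny "shell not in allow-list"; return 1; }
    return 0
}

# When SAM runs this file it always supplies arguments.
if [ "$#" -gt 0 ]; then pretask_adduser "$@"; exit $?; fi
```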

Restricted SAM
SAM can be configured to provide a subset of its functionality
to certain users or groups of users.
It can also be used to build a template file
for assigning SAM access restrictions on multiple systems.
This is done through the Restricted SAM Builder.
System administrators access the Restricted SAM Builder
by invoking SAM with the
-r
option (see "Options" above).
In the Builder, system administrators may assign
subsets of SAM functionality on a per-user or per-group basis.
Once set up, the
-f
option (see "Options" above) can then be used by system administrators
to verify that the appropriate SAM functional areas,
and only those areas, are available to the specified user.

A nonroot user that has been given Restricted
SAM privileges simply executes
/usr/sbin/sam
and sees only those areas the user is privileged to access.
For security reasons,
the "List" and "Shell Escape" choices are not provided.
(Note that some SAM functional areas require the user
to be promoted to root in order to execute successfully.
SAM does this automatically as needed.)

SAM provides a default set of SAM functional areas
that the system administrator can assign to other users.
Of course, system administrators are able to assign custom lists
of SAM functional areas to users as necessary.

SAM Logging
All actions taken by SAM are logged into the SAM log file
/var/sam/log/samlog.
The log entries in this file can be viewed via the SAM utility
samlog_viewer
(see
samlog_viewer(1M)).
samlog_viewer
can filter the log file by user name,
by time of log entry creation, and by level of detail.

The "Options" menu in the SAM Areas Menu
enables you to start a log file viewer
and to control certain logging options.
These options include whether or not SAM
should automatically start a log file viewer whenever SAM is executed,
whether or not SAM should trim the log file automatically,
and what maximum log file size should be enforced
if automatic log file trimming is selected.

VT320 Terminal Support
Because the VT320 terminal has predefined local functions for keys
labeled as F1, F2, F3 and F4,
users should use the following mapping
when they desire to use function keys:

HP or Wyse60    VT320 or HP 700/60 in VT320 mode
F1              PF2 (1)
F2              PF1 (1)
F3              spacebar
F4              PF3 (1)
F5              F10, [EXIT], F5 (2)
F6              none
F7              F18, first unlabeled key to right of Pause/Break (2)
F8              F19, second unlabeled key to right of Pause/Break (2)

(1) See the "Configuration: HP 700/60 in DEC mode,
    or DEC terminals with PC-AT-type keyboard" subsection below.
(2) When using PC-AT keyboard with HP 700/60 in VT320 mode.

Since DEC terminals do not support the softkey menu,
that menu is not displayed on those terminals.

Many applications use
TAB
for forward navigation
(moving from one field to another)
and
shift-TAB
for backward navigation.
Users having DEC terminals or using terminals in DEC emulation modes
such as VT100 or VT320 may note that these terminals/emulators
may produce the same character for
TAB
and
shift-TAB.
As such, it is
impossible for an application to distinguish between the two
and both of them are treated as if the
TAB
key was pressed.
This presents an inconvenience to users if they want to go backward.
In most cases,
they should complete the rest of the input fields
and get back to the desired field later.

VT100 Terminal Support
VT100 does not allow the
F1-F8
function keys to be configured.
Therefore, the following keyboard mappings apply to VT100 terminals:

HP or Wyse60    VT100 or HP 700/60 in VT100 mode
F1              PF2 (1)
F2              PF1 (1)
F3              spacebar
F4              PF3, spacebar or PF3, = (1)
F5              Return
F6              none
F7              none
F8              none

(1) See the "Configuration: HP 700/60 in DEC mode,
    or DEC terminals with PC-AT-type keyboard" subsection below.

See the comments on softkeys and TAB keys
in the "VT320 Terminal Support" subsection above.

Configuration: HP 700/60 Terminal in DEC Mode, or DEC Terminal with PC-AT-Type Keyboard
Customers using the following configuration may want to be aware of the
following keyboard difference.

It may be possible for a user with the
"HP 700/60 terminal in DEC mode, or DEC terminal with PC-AT-type keyboard"
configuration to be told to press function key
F1
through
F4
to achieve some desired result.
For an HP 700/60 terminal in DEC mode or DEC terminals,
these function keys may be mapped onto
PF1-PF4
keys.
However, the PC-AT-type keyboard does not provide
PF1-PF4
keys, as does the DEC/ANSI keyboard.

Key         Maps to
Num Lock    PF1
/           PF2
*           PF3
-           PF4

The
Num Lock,
/,
*,
and
-
keys are located on the keyboard,
in a row above the number pad on the right side of the keyboard.
Please note that although this keyboard is called a PC-AT-type keyboard,
it is supplied by HP.
A PC-AT-type keyboard can be recognized by the location of the ESC key
at the top left of the keyboard.

Wyse60 Terminal Support
On Wyse60, use the
DEL
key (located next to
Backspace)
to backspace.
On an HP 700/60 with a PC-AT-type keyboard in Wyse60 mode,
the
DEL
key is located in the bottom row on the number pad.

Wyse60 terminals provide a single line to display softkey labels,
unlike HP terminals, which provide two lines.
Sometimes this may result in truncated softkey labels.
For example,
the
Help on Context
label for
F1
may appear as
Help on C.
Some standard labels for screen-oriented applications,
such as SAM and
swinstall
are as follows:

The SAM label:       May appear on the Wyse60 as:
Help On Context      Help On C
Select/Deselect      Select/D
Menubar on/off       Menubar

DEPENDENCIES
SAM runs in an X Window environment
as well as on the following kinds of terminals or terminal emulators:
HP-compatible terminal with programmable function keys and
on-screen display of function key labels.
Depending on what other applications are running concurrently with SAM,
more swap space may be required.
SAM requires the following amounts of internal memory:
- 8 MB
    If using terminal based version of SAM.
- 16 MB
    If using Motif X Window version of SAM.

For more detailed information about how to use SAM on a terminal,
see the
Managing Systems and Workgroups
manual.

AUTHOR
sam was developed by HP.

FILES
- /etc/sam/custom
    Directory where SAM stores user privileges.
- /etc/sam/rmfiles.excl
    File containing a list of files and directories
    that are excluded from removal by SAM.
- /etc/sam/rmuser.excl
    File containing a list of users that are excluded from removal by SAM.
- /usr/sam/bin
    Directory containing executable files,
    which can be used outside of any SAM session.
- /usr/sam/help/$LANG
    Directory containing SAM language specific online help files.
- /usr/sam/lbin
    Directory containing SAM executables,
    which are intended only for use by SAM
    and are not supported in any other context.
- /usr/sam/lib
    Directory for internal configuration files.
- /var/sam
    Directory for working space,
    including lock files (if a SAM session dies,
    it may leave behind a spurious lock file),
    preferences, logging, and temporary files.
- /var/sam/log/samlog
    File containing unformatted SAM logging messages.
    This file should not be modified by users.
    Use samlog_viewer to view the contents of this file
    (see samlog_viewer(1M)).
- /var/sam/log/samlog.old
    Previous SAM log file.
    This file is created by SAM when /var/sam/log/samlog
    is larger than the user specified limit.
    Use samlog_viewer with its -f option
    to view the contents of this file (see samlog_viewer(1M)).

SEE ALSO
samlog_viewer(1M).
- Managing Systems and Workgroups
- Installing and Administering ARPA Services
- Installing and Administering LAN/9000
- Installing and Administering NFS Services
- Installing and Administering Network Services
- Installing and Administering X.25/9000