- What versions of AIX does the ANS support?
Only 4.1.4 (22.214.171.124 and 126.96.36.199)
and 4.1.5, and then only Apple-branded versions at that (so-called
"Harpoon" AIX, after the operating system software's codename). If
you have an IBM CD, it will not boot from it, and you
probably should not try to install smit packages off it either.
(If you don't know what smit is, read on.)
IBM support for Apple ANS AIX is non-existent, and many BOS patches
may kill! your installation. The only OS upgrade you can do
is the Apple-branded CD to 4.1.5. At that point, there are only
a few IBM-distributed
OS patches you can safely apply -- though some userland hotfixes may
still work, anything modifying the Base runtime is cruising for trouble.
You're better off patching the operating system manually, which we will
At least one site (and our MacUser Review)
makes reference to an AIX 4.1.2,
but this appears to have only been used with pre-release models.
I have also encountered an alleged copy of AIX 4.1.6 for the ANS, but
sadly it is actually just a mislabeled 4.1.5.
- What's the difference between regular AIX 4.1 and ANS AIX?
The differences are primarily at the low hardware-access level for
handling OpenFirmware and dealing with the hardware differences in the Shiner
architecture, along with some software emulation code for imitating
different CPUs. However, at the higher levels, like libraries, programming
and so on, ANS AIX is merely a highly compatible superset of standard IBM AIX,
virtually identical but with value-added support for Macintosh clients and
AppleTalk, and various ANS-specific utilities.
So, this leads to the next question ...
- What AIX systems is ANS AIX compatible with?
ANS AIX is binary-compatible with most 4.1.x RS/6000 AIX applications, and
most applications before that (including 3.2.5). In
fact, so far I've yet to find one that isn't.
The situations that will get you in trouble
are applications that use the POWER chipset or POWER2 architecture, which
are not fully supported by the ANS (some instructions are emulated in
software, but not all); and any IBM applications that depend on the presence
of MicroChannel bus architecture, since the ANS is 100% PCI. Frankly,
these situations are exceedingly uncommon. However, the thing that could
likely burn people is drivers that do not cooperate with
OpenFirmware -- this is something to watch out for when installing new
hardware. See the main ANS FAQ.
- Should I upgrade to 4.1.5?
Versions prior to 4.1.5 were affected by a nasty bug that caused a
memory leak in the TCP sockets library. On very busy systems (such as my
production ANS), this could cause you to insidiously run out of memory and
ultimately out of swap -- AIX would try to save itself by killing off idle
processes, but eventually would kernel panic. 4.1.5 does not have this
4.1.5 also has several security upgrades, including fixes for ping of death
and SYN flood DoS, which aren't in 4.1.4. There are still some important
security holes in 4.1.5 -- if you're in a hostile network environment, read
the pertinent questions to securing your AIX ANS before putting one outside
Remember, you can only install Apple-branded AIX 4.1.5. IBM-branded
4.1.5 won't work, and may ruin your installation! The update was
distributed as both a non-bootable upgrade CD and a bootable full system
install; the latter is strongly preferred.
You can read the complete 4.1.5 readme.
- Are there any other updates? (Related question: What
happened to ftp.fixdist.apple.com?)
There were (on ftp.fixdist.apple.com), but that server
doesn't exist anymore,
and IBM's support of 4.1.x is now very sparse also for the few APARs that
could work on the ANS. In short, you'll be rolling your own.
- Is ANS AIX Y2K compliant?
AIX 4.1 is technically not, but it only affects a few obscure utilities.
I have not personally experienced any difficulty with my unit, and it has
run flawlessly before and after. Despite any temptations you may have,
DO NOT attempt to install the IBM AIX Y2K patches; you will corrupt
your boot image and AIX will not start! (Don't ask me how I know this!)
Of course, since the date on AIX is a 32-bit integer, there is a
Y2038 problem. Such is life.
- Where can I get AIX software? (Related question: How do I
get a C compiler?)
You can thank IBM for their bone-headed licensing that gives you only
cpp out of the box.
Fortunately, for some period of time kind folks made AIX-installable binary
packages of popular open-source utilities, and many of these would run on
the Network Server. The biggest of these was AIXPDSLIB (r.i.p.), now
decommissioned, formerly at the University of California Los Angeles.
We host a limited mirror of some of these packages (see
the Software page), including gcc so you
can roll your own stuff. Note that the last version of gcc
they had available for 4.1.x is 2.95.2.
Most of the software I ran on this box was from AIXPDSLIB. You can use any
of the executables offered for 3.2.5 and 4.1.
Typically, to install one of these binary packages, you need to do the
Suggestions to install: lynx, gzip, tcsh, bash, bind, netcat, tcp_wrappers,
bzip2, lsof, zip/unzip, perl, gcc/egcs, bison, (g)make, python, patch, ...
- Download it. We offer our files over Gopher;
until you get something like lynx
installed, or you trust your network enough to run CDE and netscape,
just grab it on something else and then use regular shell ftp
to move it to your ANS (see the TCP/IP configuration question).
- su to root and move the file to the root directory /.
- uncompress the archive using uncompress(1). Both
tar and uncompress are standard parts of AIX.
- tar tvf the remaining tarchive to look at its contents. These
archives like to extract into ./usr/local (note the relative directory
specification, which is why you need to be in /). Make sure that
directory exists, including /usr/local/bin,
/usr/local/man/man1 and any other dependent directories. On my
systems, to make it easier for man to find manual pages,
/usr/local/man is just a symlink to /usr/share/man. You
can also use the MANPATH environment variable for a similar effect;
read man catman for info.
- tar xpf the tarchive to extract it (yes, you need to use
-p because of custom permissions some files require).
Examine and adjust ownership on
the executables and/or shared libraries it unpacks, if necessary.
- Run catman -w to update your whatis database, if you
- Exit your root shell.
- Help! I have to boot from the AIX CD!
Calm down; it's really easy. Make sure the AIX CD is in the CD-ROM drive,
shut down as gracefully as you can, turn the front key switch to the leftmost
position, and turn the server back on. The ANS will seek out the CD, and
start AIX from there. Follow the prompts.
- What are those three digit numbers that flash on the ANS LCD
while AIX loads? (Related question: Does the LCD screen do
Besides being the hardware bootstrap monitor, the LCD also acts as a
window onto the AIX bootloader, displaying mysterious three-digit
code numbers as the loader configures hardware and filesystems. These
numbers are codes representing the stage the bootloader is at, and can be
found in any AIX reference manual, or see Apple tech
note #24450 (a/k/a TA37399). You need
only panic about these numbers if one starts flashing or halting (although
some may hang around for some minutes, like 868, so have a little patience).
You can write your own
messages to the LCD; scroll down to the very end for how.
smit is the System Management Interface Tool, a very helpful
and effective way of doing system tasks. It works at both command line and
X11, and delivers easy-to-follow and friendly (well, as friendly as
system maintenance gets) methods of getting what you want done, done. Use it.
As we say in the biztm, "smit happens."
Most of this FAQ deals with talking to
smit in some form
or another. Modifying system files directly can be injurious to AIX's
health, since it keeps an object database on hand as well for some items.
smit keeps these in sync, better safe than sorry.
smit, simply type
smit. You will have
root for most, if not all, operations. If you're in
CDE, you get a nice GUI, but even at the TTY it's very user-friendly.
Getting around in smit:
- The arrow keys move you around from menu option to menu option.
- Don't press ENTER until you're done with a screen!
- If a '+' sign appears to the right, this represents a "drop down"
menu. Press F4 to see your choices, use the arrow keys to pick one, and
press ENTER to select it. (If your terminal program sends an F4 sequence
that AIX doesn't like, an equivalent is to
quickly press ESC and then 4. Don't hold down ESC;
they are separate keypresses.)
- If a response to a question is in braces "[" "]", this represents a
text field. It will stretch to accommodate your response (use spaces to
erase portions and they will be filtered out later).
- If a response has neither, it is a default response you can't change.
- When you're done selecting options, press ENTER to execute the action.
You will see the output of the commands smit runs to implement
your selection and can scroll through it with the arrow keys.
- To cancel out of a screen at any time, or to back up when finished with
viewing the output of an action, press F3. To quit smit altogether,
press F10. (You can also quickly press ESC and then 3.)
- I'm missing some stuff I think should have been installed, and I want
to install some new stuff, too. How?
You will need the AIX CD for this. A very lucky few of you might already
have the images on the HD. I don't. Insert the CD; you don't have to have
smit as root and go to
Software Installation and Maintenance,
Install and Update Software,
Install/Update Selectable Software (Custom Install),
Install Software Products at Latest Level,
Install New Software Products at Latest Level. (Whew!)
- For the input device, press F4 for the list
/dev/cd0. Press ENTER.
- Under SOFTWARE to install, press F4 for the list of available
packages (there are more than you think!). A list of available packages
appears. You are not given access to packages you don't have a license for
(curse IBM), but fortunately there's plenty of free stuff on the CD to
play with. Scroll about and select the packages you want with F7. (Already
installed packages have an
@ (at) sign.) Press ENTER when done.
- Adjust all the other options to your liking by entering yes or no, or
pressing F4 to pick from the list.
- Press ENTER to begin the process. For a select few packages, a reboot
may be necessary.
- Press F10 to exit
smit or F3 to back up a level or two.
- I need to make /usr (etc.) bigger to install this hot
This is an AIX-general question, but here's a short answer for enlarging
a JFS logical volume (LV)
on the default ANS hard disk. One of JFS' cool tricks is
that it has soft partitions, allowing you to enlarge them without
repartitioning or losing data. (You can also use the Mac OS
Disk Administration utility, which may be easier.
I'm not going to demonstrate that here.) Please note, if you are an AIX
god, that later AIX versions
may streamline this process considerably over AIX 4.1.
There is no similar method for shrinking a filesystem, unfortunately,
so increase only as you need to up to the space you actually require.
- If you don't know what filesystem corresponds to which logical volume,
do a quick df before we start and save it somewhere. This will also
show you the number of 512-blocks already occupied and the percentage in use.
smit as root and go to
System Storage Management,
Logical Volume Manager.
- Get the partition size and number of physical partitions (PPs) available
from Physical Volumes,
List Contents of a Physical Volume. Select the physical
volume, indicating the disk (almost always hdisk0; press F4 for
a list if you're not sure), and
status. Press ENTER/RETURN. The result looks something like this:
PHYSICAL VOLUME: hdisk0 VOLUME GROUP: rootvg
PV IDENTIFIER: 003acfa285a5f96b VG IDENTIFIER 003acfa2a1176b86
PV STATE: active
STALE PARTITIONS: 0 ALLOCATABLE: yes
PP SIZE: 32 megabyte(s) LOGICAL VOLUMES: 9
TOTAL PPs: 544 (17408 megabytes) VG DESCRIPTORS: 2
FREE PPs: 74 (2368 megabytes)
USED PPs: 470 (15040 megabytes)
FREE DISTRIBUTION: 01..73..00..00..00
USED DISTRIBUTION: 108..36..108..109..109
This particular physical volume thus has a
32MB PP size and has 74 PPs free. The PP size varies based on the total
size of your physical SCSI disk. Write these numbers down!
- Back up to the Logical Volume Manager menu with F3 twice
and go to Logical Volues, Set Characteristic of a Logical
Volume, Increase the Size of a Logical Volume.
Select the logical volume, using F4 for a list if necessary,
and enter the number of additional logical
partitions (LPs) to add (do not enter more LPs than you have free!
what are you, the federal government?!).
For this purpose we will assume that PPs and LPs are
equivalent, which is usually true.
If we entered two, in this example, we would increase the selected logical
volume by 64MB. Press ENTER/RETURN
and wait for it to complete. Write down the new total!
- Now we need to enlarge the filesystem as well.
When complete, back up to System Storage Management and go to
File Systems, Add / Change / Show / Delete File Systems,
Journaled File Systems,
Change / Show Characteristics of a Journaled File System. Select
the filesystem this time and enter its new size in 512-blocks.
Yes, you will have to do the math yourself! Take the new total number of
LPs and multiply it by the PP size to get the size of the logical volume
in megabytes. Convert megabytes to bytes (multiply by 1,048,576) and
divide by 512 for the block size. Check your math!
Cross your fingers, press ENTER/RETURN and wait for it to complete.
- Assuming your machine didn't explode, press F10 to exit smit
and run df again to see that the total changed as you expected.
- How do I configure paging/swap space? (Related question:
How much swap do I need?)
Particularly if you are on AIX 4.1.4, you should have ample swap (at least
three times physical RAM)
because of the TCP memory leak, and you should always have
at least twice physical
RAM on any Network Server running any
version of AIX. You can see the space
available with lsps -a; there should be a single logical volume,
You can add additional paging spaces, but the easiest way is simply to
enlarge the existing paging LV (using the same steps above, but skipping
the step for enlarging the filesystem, since there isn't one).
- How do I configure TCP/IP?
This is an AIX-general question, but here's a short answer for a single
- Start smit as root and go to Communications Applications
and Services, TCP/IP, Minimum Configuration and Startup.
- Select your desired network interface, which is normally en0
(the AAUI port).
- Configure your hostname, address, netmask, name server, gateway and
media "CABLE" type (if applicable -- usually N/A is fine unless for some
reason you are not using Cat5 cable of some kind). Use the arrow
keys to move up and down from option to option, and simply type to change the
default or previous responses (if any) in place. Don't hit ENTER yet!
- In the START Now box, press F4 for the list, and select Yes by
- Press ENTER again to run configuration, and F10 to exit smit
- Does ANS AIX support IPv6?
No. AIX did not support IPv6 until AIX 5L.
- How do I configure AppleTalk? (Related question: Can I use
AppleTalk to mount my ANS on my desktop Mac?)
ANS AIX includes an AppleTalk stack, but it's not too useful out of the box
as it does not include AFP support for file sharing. (We'll get to "AFP over
TCP" in a moment.) The CD bundle that came with the ANS included a miniature
version of the uShare AFP server, but speaking from personal experience, it was
clunky and an absolute pain to administer. ANS AppleTalk can also be used for
printer sharing and AppleTalk routing, but these tasks are usually better
handled by any number of hardware routers, most of which can be found very
easily on the used market. Furthermore, in this age of OS 9 and now X,
old-style non-TCP EtherTalk is just about non-existent.
Nevertheless, if you want to explore its functions, you can access the
AppleTalk smit menu under Communications Applications and
The AppleTalk stack can also be used to remotely administer the ANS and
use its resources for applications; see
the Mac OS Services page for information.
However, there is no administrative task
it does that cannot be accomplished at the command line, and
in my estimation it merely represents one
more potential point of remote entry (albeit one requiring some skill to
successfully manipulate, but possible). Your risk declines if you bind it
to a trusted interface only, but weigh that risk carefully. In this day
and age it is best considered a curiosity.
ANS AIX 4.1.5 does include AFP over TCP support, but you must still run the
main stack for it to be active, and it has limited configuration ability as
far as ports it
will bind, or permissions any more granular than what AIX already offers.
Again, you should also be very careful that it does not bind an interface
connected to a WAN, since it could easily route into the hands of naughty
folks. Its configuration panel is located
under ... AppleTalk, AppleTalk Advanced Features, Configure AFP over
A better way to share files from your ANS might be to ditch AppleTalk
altogether, especially if you are running Mac OS X where there are plenty of
alternative file sharing methods, or (sigh) Windows. In particular,
samba should be compatible with both, and is well-known, fairly
well documented and still supported. AIXPDSLIB offers an older version for
download, but newer versions should still compile without much work. As with
AFP over TCP support, you would be well advised to make sure it doesn't bind a
WAN interface either.
- Can I run X11 or AIXwindows?
Although it only supports X11R4,
ANS AIX's AIXwindows implementation
comes with Common Desktop Enviroment, which IMHO is much more
congenial than GNOME or KDE. It's also trés slicko.
It's also trés insecure and has several known exploits. Run only
in a test network or a 100% trusted and completely secured environment.
- First make sure that
everything that needs to be installed for it, is. In general, a default
install of ANS AIX should have the required libraries and executables
already there, but make sure that everything under X11.motif,
X11.Dt, X11.apps, and X11.base, and at least some fonts
under X11.fnt, are installed. If not, install them now. You can,
of course, install the entire X11.* set if you like -- setting up InfoExplorer
would probably be a good idea, for example.
smit, go to System Environments, Select
System User Interface. Press F4 for the list and select AIXwindows
- You could reboot now, but odds are the resolution is not the way you
want it. Back on up to the first
smit menu with F3, and
select Devices, Graphic Displays, Select the Display
Resolution and Refresh Rate. Select
gda0 from the list.
- Press F4 to select your new screen resolution. All options are
8-bit colour depth only. Press ENTER to select it, and then
press ENTER again to make the change.
smit with F10 and reboot the system with
reboot. On startup, you will receive a CDE login screen
- Wait, CDE expects three buttons but my ADB mouse has just one!
Use the left and right arrow keys while simultaneously clicking the mouse
- Can I upgrade X11 to X11R5 (R6, etc.)?
It's certainly possible to compile new X11 libraries, but there's no easy
install that I know of. I never bothered to do this since my machine does
not usually run CDE.
- How do I secure my box from attackers? (Related question:
Is there a rootkit for my ANS running AIX?)
No system is secure, and old code doubly so. Nevertheless, with a little
work, you can get your AIX ANS system to production security standards.
Based on my experiences since 1998 with my stable of Network Servers,
I've compiled a fairly rigourous pathway for doing just that -- note
most of these apply to securing any system, of course.
Please note that even with this insurance, your system may still have
theoretical vulnerabilities or vulnerabilities that are lurking but not
yet apparent. While PPC AIX is not a big target, there are exploits in the
wild for it, and I've had (alarmingly good) success with rootkits before.
This seals most of the exploits I'm aware of and have personally managed
to crack open, but any system you put out on an open network has the
possibility of being 0wn3d, and if you choose to follow my guidelines,
you do so at your own risk.
- If you're trying to secure a system that's already been tainted or in
an environment where it could have been tainted, don't take chances. Unplug
the LAN, boot off the CD, and wipe the hard drive for a full reinstall.
- Install 4.1.5 if you can get it -- a number of holes will disappear the
minute you do this, and some can't be closed any other way.
- Purge the number of usernames valid for login down to a bare minimum.
AIX adds a lot of chaff to /etc/passwd and
/etc/security/passwd that can be edited and thrown away. This is
particularly important as
a number of attacks on AIX 4 can be accomplished by a local user, and not
all of these attacks can be prevented (particularly on 4.1.4).
No, I will not give out rootkits and don't E-mail me to request a rootkit.
If you want one, I'm sure you can find one if you truly have a white hat.
- DO NOT RUN CDE or X. Unless you're in a very friendly network
environment, you're absolutely asking for trouble, as there are numerous
well-known remotely exploitable vulnerabilities in this version.
- Disable AppleTalk in smit (under Communications Applications
and Services, AppleTalk, Stop AppleTalk and choose "now")
unless you absolutely must
have it on, as some administration features can be accessed over AppleTalk
and thereby cause it to be another method of remote attack (in particular
if you have only a single interface).
If you must run AFP over TCP, be sure it binds a trusted
interface and not a WAN.
- Go through /etc/inetd.conf and comment out everything. Then,
go back and uncomment what you need to run, and run as little as possible.
Very few people, for example,
need to be running things like rexecd or uucpd. But, as
you're doing that and enabling the services you *do* need to run,
remember this next point: ...
- Out of the box, a large number of the network services AIX provides
are vulnerable to some sort of remote exploit or denial of service attack.
If you must run them, you will need to replace the AIX 4.1.x default
talkd (4.1.5 fixes the original bug but it may still have other
sendmail, named, telnetd and ftpd with
new versions or with equivalent applications.
If this is not possible, either
disable them or filter access to their ports to allow only trusted hosts to
connect to them. A crude sort of TCP wrapper might also be an option, or you
can get tcp_wrappers from AIXPDSLIB. You could also install
xinetd in place of inetd and only bind the vulnerable
services to an internal interface, if you have multiple NICs.
- Edit /etc/rc.tcpip next. Comment out any daemons you don't need.
Usually, this means commenting out any of the lines beginning with the word
start except for those referencing inetd and (maybe)
sendmail, unless you're desperate for the other services started
in that file. However, just about all of them are expendable, and in
particular make sure to disable syslogd -- not only is this version
fairly useless, but it's also painfully easy to spoof.
- Reboot your server. Now, install lsof (AIXPDSLIB has it) and
look at what programs are left and which ones are listening to what sockets.
You should not disturb these processes (they're innocuous and/or
critical for function):
Other daemons, such as /usr/sbin/cron, may be expendable
at your option.
If you see sockets open that you're concerned about, or processes you would
rather not be running, track down those
applications and (blunt instrument method) chmod -x those files, or
(surgical strike method) find the /etc/* file that kicked them off.
Once you've cleaned up, consider rebooting again just to make sure things
- Install some sort of ssh2 daemon and use that for all your logins.
Unfortunately, AIXPDSLIB does not carry OpenSSH or F-Secure SSH, but you
should be able to compile one or the other (I've heard more success from
those trying to build F-Secure, if you're not sure which you like better).
Stick it on a weird port number if you're *really* paranoid. To get it to
autostart, either write it into /etc/rc.tcpip, or run it in
inetd mode from /etc/inetd.conf.
- Some AIX programs have very promiscuous setuid bits by default (and IMHO
have no business being run by anyone other than root
if privileges are needed
anyway) and have been popular targets of local exploits. An easy workaround
is to run chmod -s on the following:
/usr/bin/host (may be symlinked or identical)
and the following X11 apps, if you have X11 installed against my
- Certain userland applications should just be totally disabled due to
otherwise unpatchable vulnerabilities. chmod
600 the following:
(If you really need vacation, install something like procmail
and make an equivalent, or use the vacation that comes with most
new versions of sendmail.)
- Disable smurfing attacks by turning off responses to broadcast pings.
It should be disabled by default; check with /etc/no -o bcastping.
If for some horrible reason it is
on, run /etc/no -o bcastping=0 as root.
Also, while we're on the subject,
consider /etc/no -o clean_partial_conns=1 to help further protect
against SYN attacks.
- Ensure that all third-party applications and executables are at their
maximal patch level.
- Now that your system is clamped down as much as possible, keep it that
way. Install some sort of monitoring utility to watch critical system files
to ensure they are not being modified in secret (in particular the password
files, major filesystem and file utilities, and network daemons). I wrote
up my own custom job, but AIXPDSLIB offers the popular watcher tool,
and there is also Tripwire if you
want to compile and use that. It's normal for /etc/inittab to be
modified during bootup, but nothing else should be changing unless someone
(you?) is actively changing it. A cron job to spit out df -k
and lsof will keep you abreast of strange use of disk space or
processes suddenly listening on odd ports.
- Be careful out there.
- What tips and tricks do you have?
Why, quite a few!
- Write a message to the LCD screen: /usr/sbin/lcdstring "your
message" (you must be root). A useful cron job I have running
simply passes uptime to lcdstring every minute so that I
have a continuous uptime display on the LCD (i.e.,
- Improve your availability (if not your uptime): Have a cron
job to reboot your ANS every two to four weeks. While 4.1.5 has much less
memory leakage than 4.1.4, it is still subject to cruft accrual eventually
(typically after hundreds of days of uptime, but still!). Your uptime
will suffer from the occasional reboots, but the system will have better
availability as it will be much less likely to unexpectedly freak out from a
low memory situation progressing into a low swap panic.
- Eject a floppy disk from the drive: It's a Mac, after all, so it
has software eject control. /usr/sbin/fdeject (run as root)