Forum Discussion

mich2w
Level 3
15 years ago

Authentication failed errors after NBAC installed

Hello,

Since installing NBAC in our Netbackup environment (master server running Windows), I've noticed some of our Netbackup scripts are no longer working.  For example if I try to run a bpexpdate for a remote media server (run from our master server), we get an authentication failed.
VxSS authentication failed (116)

We have a script that checks the status of the tape drives, and attempts to bring them back up when they have gone to down status.  As part of the script the vmoprcmd command is used, again if we try to up a drive on remote media server we get authentication failed.
authentication failed (187)

Research of the authentication failed (187) error from the Netbackup Troubleshooting guide, shows that it could be due to expired certificate.  Running bpnbat -whoami we get 

Name: <admin account>
Domain: <domain>
Issued by: /CN=broker/OU=root@server.domain.local/O=vx
Expiry Date: May 11 05:49:34 2010 GMT
Authentication method: Microsoft Windows
Operation completed successfully.

So it looks like the certificate has expired.  Could this be the cause of the authentication failures, and if so how do we extend the certificate expiry?

TIA

Michael



  • I think you need to successfully execute a new `bpnbat -login` to get a new credential.  (Rerun `bpnbat -whoami` afterwards to confirm.)

    If your expiry interval is too low, you can change it with ... oh dear, I don't know the syntax but it starts with `vssat setexpiryintervals ...`

    I tried finding a TechNote, but the only one I found is for UNIX and unixpwd authentication:

    DOCUMENTATION: How to extend a VERTIAS Security Services (VxSS) credential for "unixpwd" users greater then 24 hours
     
    http://support.veritas.com/docs/274786

    Obviously your domain won't be unixpwd but this should point you in the right direction.

    This should all be in the VxAT Guide - whatever we're calling it these days (SPAAS?)

    Here's the 6.5 guide:
    Symantec Product Authentication Service (VxAT) 4.3 Administrator's Guide
     
    http://support.veritas.com/docs/311441

    (I think you can do this through the vssatgui as well and let IT come up with the proper commands for you)

    Sorry that I'm not more of an expert and can't give you a more complete answer.  I'm hoping you can fill in the holes....or perhaps another person here on Connect?  :)

    Good luck!
  • Hi Chris,

    Thanks for your help on this.  I'd actually created a 'bpnbat -login -info' command in a script, but have now found it wasn't working.  Once I changed the path so that there were no spaces it has worked.

    The cert now expires 24 hours after this script runs which is multiple times per day.  The problem with this is that the text file is in clear text, specifying the password for our netbackup service account, which I'm a little uncomfortable about. Is there a way to use a local user account to perform this function?

    Thanks

    Michael

  • I'm having some trouble running 'vssat setexpiryintervals' command to extend the certificate expiry.  So far I haven't been able to get it to work, the option it seems to fall over on is -prpltype.  The VSSAT Admin guide states

    For OS domains or public domains only the default expiry policy will be used, since Symantec Product Authentication Service cannot differentiate between a user account and a service account. Therefore, setting user or service expiry policies for native domains may not have any effect on the actual credential expiry.

    So I've tried using the 'default' option and 'user' option (as specified in Unix article 274786) but both give the same error, eg.

    vssat setexpiryintervals --pluginname nt -prplptype default --credexpiry 2592000

    vssat populateCommandMap ERROR V-18-7002 Unrecognized tokens found
    -prplptype



    Does anyone have some more info on the -prplptype option, or know what the above error refers to? 

    TIA

    Michael



  • -prplptype

    There's an extra, third "P" in there.  Take that out.  :)

    Also you need TWO dashes instead of one.

    So I think, even for Windows, it's "--prpltype user" you want. 

    As an example, 30 days (2592000 seconds) should be something like:

    .... vssat setexpiryintervals --pluginname WINDOWS --prpltype user --credexpiry 2592000

    Try that and let us know!
  • Yes you were right!

    Once I fixed the typos I was able to extend the certificate expiry interval to 30 days.  

    After running 'bpnbat -login -info vs.txt' the expiry has now moved to July 21 (30 days). 

    The last issue I have is with the service account password in clear text within vs.txt.  One way it could be done would be using a vbscript encoder, which is available from MS scripting website.  I've never used it before, but it can encode vb or java script.  By doing this I should be able to put the password directly in the vbscript, and then not have to worry about security issues.

    Unless there is an easier way?  Thanks for your help Chris.

    Cheers

    Michael

  • If you want to use the password once and then remove the file containing it, I suggest extending out the expiry interval to whatever maximum we let you use (xx years?), set it and forget it.  (Maybe keep sticking zeroes on the end of the number of seconds until the command throws an error, then see where you're at.)

    Assuming you set the expiration date far off enough (like, what, 2038) you should never need to undertake that process again, so you can zap the file with the password in it.

    The downside is, if it ever SHOULD expire far off in the future, it will take you FOREVER to remember that this might be the thing that broke everything else.  But by then, you should have hit the lottery and retired, so it'll be someone else's problem.

    Other than that idea, you've more than exhausted my expertise in this arena :) but I'm glad it looks like we've solved your problem.  (This is where I beg for the solution mark so I can show it to my boss later ;-) )
  • Sorry I haven't been on the forums for a few days.  But all of your advice has worked perfectly, and I'd give you the solution but someone beat me to it!  

    When I run bpnbat -whoami it now returns expiry date of May 2018.  For some reason from the article I thought 30 days was the max..

    7 years should be enough buffer until I win lotto  :P
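
A long expiry interval only postpones the failure described at the top of the thread, so it helps to watch the credential's expiry rather than rely on memory. The following is an added example, not part of the original thread or of NetBackup: it parses the `Expiry Date` line in the `bpnbat -whoami` format quoted above and classifies the credential. The sample text, the account name `svc_example`, the 7-day warning window and the exit codes are assumptions chosen for illustration.

```python
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample, same layout as the `bpnbat -whoami` output quoted in the thread.
SAMPLE_WHOAMI = """\
Name: svc_example
Domain: EXAMPLE
Issued by: /CN=broker/OU=root@server.domain.local/O=vx
Expiry Date: May 11 05:49:34 2010 GMT
Authentication method: Microsoft Windows
Operation completed successfully.
"""

def parse_expiry(whoami_text):
    """Return the 'Expiry Date' field as an aware UTC datetime, or None if missing."""
    for line in whoami_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "expiry date":
            stamp = value.strip()
            if stamp.endswith("GMT"):
                stamp = stamp[:-3].strip()
            # %b expects English month abbreviations (C/English locale).
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            return parsed.replace(tzinfo=timezone.utc)
    return None

def credential_status(whoami_text, now, warn_before=timedelta(days=7)):
    """Classify the credential as OK, WARN, EXPIRED or UNKNOWN relative to `now`."""
    expiry = parse_expiry(whoami_text)
    if expiry is None:
        return "UNKNOWN", None  # no login, or output format changed
    remaining = expiry - now
    if remaining <= timedelta(0):
        return "EXPIRED", remaining
    if remaining <= warn_before:
        return "WARN", remaining
    return "OK", remaining

if __name__ == "__main__":
    # Pipe the real command output in; with no pipe, the constructed sample is used.
    text = SAMPLE_WHOAMI if sys.stdin.isatty() else sys.stdin.read()
    status, remaining = credential_status(text, datetime.now(timezone.utc))
    print(f"{status}: time remaining = {remaining}")
    sys.exit({"OK": 0, "WARN": 1}.get(status, 2))
```

Run from a scheduled task with the output of `bpnbat -whoami` piped in, a non-zero exit code can raise an alert well before scripts start failing with status 116 or 187.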