02-17-2017 09:36 AM
Well, it was not the most sophisticated thing when I messed up the User Authentication on a NetBackup Appliance 3.0. Here is what I did:
I joined the appliance into the AD. I added single users to the appliance and granted the rights. Everything worked very well so far.
However, I thought it would be wiser to add an AD group to authenticate the users. So I created this group in the AD and configured the same users as above as members. And I granted this group admin rights.
The result was that the users appeared as users in the group tree as well as single users at the top of the list. So I tried to delete the users at the top just to maintain the users in the group. But it did not work. The users were marked as Auth:denied but they were not deleted. So I deleted the group as well and the users were gone. So far so good. I added the group again and granted the rights, but was not able to log in as a member of this group.
Back and forth for some time, nothing worked. So I decided to restore to the snapshot created after the upgrade. This also messed up the AD integration. The state now is that I have an appliance which is unable to join the AD because of some leftovers, I am unable to leave the AD via the CLI because it says there are AD users, and I am not able to remove these users.
Any ideas? I was looking for a database file like /etc/passwd or so where the accounts were saved, but to no avail.
Local login maintenance shell and elevate do work as local administrator.
Thanks
Markus
02-22-2017 04:51 AM
Don't you love security!
I'm not sure but you should be able to follow the same procedure as you would to rollback/unconfigure NBAC on Linux/Unix.
Or reimage it :p
04-13-2017 06:54 AM
I had a very similar problem. AD was broken, I could not unconfigure and reconfigure it because I had defined users. And I could not delete the users because AD was down.
They keep some of the user configuration information in some XML files.
Basically I had to remove the XML file, clean up everything for AD via the clish and reconfigure.
The XML file I had to move aside was /usr/openv/runtime_data/sec_prpls.xml
That said, I would work with support on this. This really is not something they want customers doing without guidance.
04-18-2017 12:50 AM
Seems that @MarkusKuttke has not been back since February.
Hopefully he can tell us what happened since then?