
Java Admin Console on Windows, authenticate using auth.conf not NBAC (VxSS)

RLeon
Moderator, VIP

Hi all, we have the following environment:

host1:
  Win2008R2
  Not a domain member
  Nbu Master 7.5.0.3
  Veritas\java\auth.conf (Contains one line: "nbu_user1 ADMIN=ALL JBP=ALL")
  NOT using NBAC (VxSS)
  nbu_user1 is a member of host1's local Administrators group.
  (In other words, nbu_user1 is a local administrator of host1)

host2:
  WindowsXP SP3
  Not a domain member
  Running the desktop as xp_admin, who is a local administrator of host2.
  Nbu Java Admin Console 7.5.0.3
  Not using the "Windows Remote Admin Console" because only the Java one works with auth.conf.

With the above config, everything works fine.
On host2 as xp_admin, on the Java admin console login screen, input:
  Host name: host1
  User name: nbu_user1
  password: xxxxxxxx
The Java Admin Console would successfully find nbu_user1's Netbackup-rights from auth.conf and grant them accordingly.
The whole Netbackup admin interface would appear; everything would be accessible (Because I granted "ADMIN=ALL JBP=ALL")

Problem:
Having gotten the above working successfully, we would now like to remove nbu_user1 from the local Administrators group on host1.
Essentially, we would like to give nbu_user1 full Netbackup access rights (application level rights), while at the same time, restrict its rights as a user on host1 (OS level rights).
On host1, we tried moving nbu_user1 away from the Administrators group and into the Backup Operators group;
we also tried moving it to the Users group.

What we discovered is that for as long as nbu_user1 is not a member of the Administrators group on host1, problems will be encountered on host2 while running the Java admin console that tries to log in to host1 as nbu_user1.
It won't outright refuse the Java admin console from logging in; the full Netbackup GUI interface would still load up.
But then nearly everything you do, like checking policies, devices or trying to do a tape inventory, error messages would pop up that would say something along the lines of "You must be a Superuser to run this command", and the interface would stop working, until you shut down the Java admin console.

The point is, of course I know nbu_user1 is not a "Superuser" on host1; it was deliberately removed from the Administrators group.
When we put nbu_user1 back as a member of the Administrators group on host1, everything works fine again on the Java console on host2.

Is there a way to set it up so that nbu_user1 doesn't have to be a member of the Administrators group on host1, and still have full Netbackup access rights when running from a Java admin console on host2, without all the errors?
(Before you answer, remember that auth.conf already grants full Netbackup (application level) access rights to nbu_user1. So it is not that.
And no, we are not using NBAC/VxSS and probably won't.)

Thanks all,

RLeon

1 ACCEPTED SOLUTION


Marianne
Level 6
Partner    VIP    Accredited Certified

Local Admin rights have been a requirement for as long as I've known NBU.

auth.conf gives NBU rights, not OS-level.
Most NBU commands need OS-level admin rights.


5 REPLIES

RLeon

Just upgraded both host1 and host2 to 7.5.0.4.
Same issue.

Hm

RLeon

To test auth.conf, I tried changing
  nbu_user1 ADMIN=ALL JBP=ALL

to
  nbu_user1 ADMIN=AM

As expected, the Java admin console would then only show the Activity Monitor (and nothing else) to nbu_user1.
So auth.conf is definitely in effect and working.

... but still no solution to the problem.

Day 3: Still no sign of the local habitants. I decided to name nbu_user1 Wilson. But he is indifferent.


RLeon

Thanks for replying Marianne,

So then, there is no way to restrict nbu_user1 to below-local-admin rights on the master server, while at the same time, giving him/her full NBU rights when accessing from a remote Java admin console?

If the auth.conf "route" can't do it, I was under the impression that the NBAC route can.
But now, I'm not so sure anymore about whether NBAC could even do exactly this. (...but could it?)

RLeon

From the following thread, it would seem that NBAC could do exactly what I'm looking for:
(I.e., non-admin on OS-level, but full-admin on NBU-level)
https://www-secure.symantec.com/connect/forums/login-java-windows-administration-console-using-nbac

However, having had some bad encounters with NBAC and its "documentations" myself, I'd rather make some compromises with good ol' auth.conf.

I also came across your thread. It doesn't really do much to encourage me to give NBAC another chance, to say the least. :)
https://www-secure.symantec.com/connect/forums/nbac-vcs-cluster-using-nbu-701

But then again, I only get to decide which one to use in a perfect world.
Sometimes you'll just have to hypnotise yourself into thinking that NBAC is irresistibly attractive.
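
The accepted answer's point, that auth.conf grants NetBackup rights but not OS-level rights, can be turned into a quick inventory of which auth.conf accounts also hold local administrator rights on the master server. The script below is an added example, not part of the thread and not Symantec code; it assumes the one-line-per-user format quoted above, treats `+` as a value separator and `#` as a comment marker, and uses constructed sample data in place of the real file and group membership.

```python
# Added example: cross-check auth.conf grants against local Administrators.
# Assumptions: entries look like "<user> ADMIN=<apps> JBP=<caps>", '+' joins
# several values, '#' starts a comment. All sample data below is constructed.

SAMPLE_AUTH_CONF = """\
# constructed sample, modelled on the entries quoted in the thread
nbu_user1 ADMIN=ALL JBP=ALL
nbu_user2 ADMIN=AM
"""
SAMPLE_LOCAL_ADMINS = {"Administrator", "nbu_user1"}  # constructed membership


def parse_auth_conf(text):
    """Return {user: {"ADMIN": set, "JBP": set}} for every entry in text."""
    grants = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        user, *fields = line.split()
        entry = {"ADMIN": set(), "JBP": set()}
        for field in fields:
            key, sep, value = field.partition("=")
            if sep and key.upper() in entry:
                entry[key.upper()].update(v for v in value.upper().split("+") if v)
        grants[user] = entry
    return grants


def audit(grants, local_admins):
    """Classify each account that auth.conf gives ADMIN rights to."""
    admins = {name.lower() for name in local_admins}  # Windows names ignore case
    findings = {}
    for user, entry in grants.items():
        if not entry["ADMIN"]:
            continue
        if user.lower() in admins:
            # Console works, but the account is also a full OS administrator.
            findings[user] = "os-admin"
        else:
            # NBU rights only: the thread reports "must be a Superuser" errors.
            findings[user] = "nbu-only"
    return findings


if __name__ == "__main__":
    result = audit(parse_auth_conf(SAMPLE_AUTH_CONF), SAMPLE_LOCAL_ADMINS)
    for user, status in sorted(result.items()):
        print(f"{user}: {status}")
```

Every account reported as `os-admin` is one whose NetBackup console access currently depends on full administrator rights on the master server, which is the exposure the original question was trying to remove.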