NBAC in VCS cluster using NBU 7.0.1

Marianne
Moderator

Hi All

I'm trying to configure nbac on a clustered master server.

Solaris 10 Clustered master server
SF/HA 5.1
NBU 7.0.1

I have downloaded ALL the documentation from http://www.symantec.com/docs/TECH76577

Trying to find out HOW TO cluster nbac is almost impossible - one would think that the HA and/or VCS Guides on this URL contain all necessary info.

Not so....

Expecting to find instructions under these topics:

Installing and configuring access control on an NBU 7.0 clustered or HA (High Availability) master server

You can install and configure access control on a clustered master server.

Use the following procedure to install and configure access control on a clustered master server.

1. Log on to the primary cluster node and bring online the NetBackup, Authentication, and Authorization resources group in this node. All the resources should be online in the same cluster node.
2. For clusters that support dependency between resources, provide a hard dependency between the Authentication and NetBackup resource group. The NetBackup resource should come online only when the Authentication and Authorization services are online.

 

S-O-O   - according to this, there should be an existing nbac cluster service group.... HOW???

In one of these manuals, I find a reference to ICS_Installation_Guide that contains instructions how to cluster AT & AZ.

The hunt begins for ICS_Installation_Guide.... Long story short - it's on the 7.0 install media.

I went through all the requirements - Diskgroup, volume, virtual hostname and IP.

Then, p.74:
Making AT highly available in VCS on UNIX
You can make AT highly available in VCS on UNIX platform using the VxATclconf.pl script and VxATclinput.txt input file.
VxATclinput.txt needs to be edited before running the VxATclconf.pl script.

NOTE: Download the latest configuration script and input file from http://seer.entsupport.symantec.com/docs/336967. Replace the ones that already exist in the /opt/VRTSat/bin directory.

Trying to download these files: The above URL redirects you back here (where we started): http://www.symantec.com/docs/TECH76577

 NO UNIX scripts - only links to Windows scripts....

PLEASE - if there's anybody out there that has managed to install/cluster/configure NBAC on a clustered master server, I'd like to have a chat.....


RiaanBadenhorst
Moderator

6.5 instructions, they look sorta similar to the process for 7.0.1 (did it with MSCS the other day, even less documentation on that one........)

 

http://www.symantec.com/docs/HOWTO31149

Marianne
Moderator

Thanks Riaan! It helps to know that you've done it recently..

If I read the requirements correctly - it seems that AT and AZ each needs to be in its own Service Group?
i.e. own dg, volume, virtual name and IP?

RiaanBadenhorst
Moderator

Hi Marianne,

 

Yes, you read correctly. I'm not sure why you need separate virtual names/IPs/disks when running it on VCS. Really strange.....

Marianne
Moderator

Thanks... Had to trash my Dedupe filesystem to free up disks for AT & AZ... Will let you know how it goes...

Mouse
Moderator

I'd wait for NBU 7.1. NBU has integrated AT and AZ there, you won't have separate disks for AT, AZ and IP resources for that nonsense.

Do have a look at the training on the PartnerNet site; it has a lot of details on how these things are organized in 7.1

And yes, installation in 7.1 looks like a normal NBU master installation in the cluster, so no need to bother about AT/AZ clustering at all.

Mouse
Moderator

7.1 FA is just one week away BTW

Marianne
Moderator

Think I'll sign up for FA....

The current documentation is such a mess that it confuses me more than helping me....

Marianne
Moderator

I have signed up for 7.1 FA, but had to configure in the meantime on 7.0.1... (customer was promised feedback by tomorrow...)

I am following TN that Riaan posted.

All works great up to :
bpnbaz -SetupSecurity virtualnbu.mycompany.com -server vxssvirtual.mycompany.com

My commands and output:

 

root@v240-2 # bpnbaz -SetupSecurity nbuclus.lab.co.za -server nbaz.lab.co.za
There must be at least one Security Administrator other than root/Administrator. Enter the userid and login information for that Security Administrator. The specified userid will be added to the Security Administrator Group (NBU_Security Admin)  and to the Administrator Group (NBU_Admin).
Authentication Broker: nbat.lab.co.za
Authentication port[ Enter = default]:
Authentication type (NIS, NIS+, WINDOWS, vx, unixpwd): unixpwd
Domain: v240-2
Login Name: root
Password: <OS password for root>
Processing - please be patient
You do not have permission to perform the requested operation.

NEXT ATTEMPT:

root@v240-2 # bpnbaz -SetupSecurity nbuclus.lab.co.za -server nbaz.lab.co.za
There must be at least one Security Administrator other than root/Administrator. Enter the userid and login information for that Security Administrator. The specified userid will be added to the Security Administrator Group (NBU_Security Admin)  and to the Administrator Group (NBU_Admin).
Authentication Broker: nbat.lab.co.za
Authentication port[ Enter = default]:
Authentication type (NIS, NIS+, WINDOWS, vx, unixpwd): unixpwd
Domain: v240-2
Login Name: root
Password: <AT password>
Processing - please be patient
One or more of Name, Password and domain are incorrect.

 

Pretty much stuck at this point..........................

Any ideas??

Alex_Korovin
Level 4

Just read what is written above:

There must be at least one Security Administrator other than root/Administrator. Enter the userid and login information for that Security Administrator. The specified userid will be added to the Security Administrator Group (NBU_Security Admin)  and to the Administrator Group (NBU_Admin).

Alex_Korovin
Level 4

This user must be some other user, not root!

Marianne
Moderator

Thanks Alex. I will try again tomorrow (was at a customer all day). I have tested with a normal OS user as well that I've added - called it nbuadmin. I have tested logon with the user name and password. Got the same "You do not have permission". I then thought it's maybe because I haven't added root first...

Hopefully tomorrow will bring success... Just wish I had an extra pair of eyes next to me...

Andy_Welburn
Level 6

Well, if you want to pay for the flight!

I don't eat much & am house-trained! ;-)

Marianne
Moderator

STILL no luck....... :'(

This is what I've tried so far:

root@v240-2 # bpnbat -login
Authentication Broker [nbat.lab.co.za is default]:
Authentication port [0 is default]:
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd) [unixpwd is default]: unixpwd
Domain [nbat.lab.co.za is default]:  nbat.lab.co.za
Login Name [root is default]: root
Password:
Operation completed successfully.

root@v240-2 #  bpnbaz -SetupSecurity nbuclus.lab.co.za -server nbaz.lab.co.za
There must be at least one Security Administrator other than
root/Administrator. Enter the userid and login information
for that Security Administrator. The specified userid will
be added to the Security Administrator Group (NBU_Security Admin)
 and to the Administrator Group (NBU_Admin).
Authentication Broker: nbat.lab.co.za
Authentication port[ Enter = default]:
Authentication type (NIS, NIS+, WINDOWS, vx, unixpwd): unixpwd
Domain: v240-2
Login Name: nbuman
Password: <nbuman OS password>
Processing - please be patient
You do not have permission to perform the requested operation.

 

I have no idea if the problem is with 'Domain' and what I am supposed to add.

Riaan's TN contains a Windows example;  http://entsupport.symantec.com/docs/340674 says on p. 8: 'The domain is the localhost name.'

So, I've tried : localhost, v240-2, v240-2.lab.co.za, nbuclus (nbu virtual name), nbuclus.lab.co.za, lab.co.za, the nbat and nbaz virtual names - name it and I've tried it....
NO LUCK....

It is almost as if the root user does not have permission to run bpnbaz commands.

Have I missed something somewhere? Such as adding root to az?

root@v240-2 # bpnbaz -ShowAuthorizers -Server nbaz.lab.co.za
You do not have permission to perform the requested operation.

As usual - any input is highly appreciated...

Mouse
Moderator

Are there any groups in the output of bpnbaz -listgroups ?

Mouse
Moderator

Stupid question, have you added all possible hosts at this step:

 

Run bpnbat -Addmachine
The above command should be run multiple times with different fully qualified machine names, one each for the following:
a. NetBackup master server virtual hostname
b. The physical host name for each of the cluster nodes
For example, if it’s a three node cluster, then the above command would be run 4 times. Choose a password and use the same password for all machines for simplicity. The same password should be given later in a ‘LoginMachine’ step.

Marianne
Moderator

NO Stupid questions at this point - I'm sure I've missed something somewhere.... I appreciate every bit of input.

Correct - I ran bpnbat -Addmachine 3 times - twice on the node where NBU is online for the virtual and physical node name and once on the offline node.

It seems to me as if the AT section is running fine. Just AZ that's not working. All bpnbaz commands fail with "You do not have permission..."

NBU, at & az are currently all online on v240-2.

root@v240-2 # bpnbaz -listgroups
You do not have permission to perform the requested operation.

AbdulRasheed
Level 6
Employee

At this point, it is better to set VERBOSE to 5 on the active node (I am assuming that NetBackup is clustered as well in these nodes), create /usr/openv/netbackup/logs/admin and rerun bpnbaz. This will give you clues for the failure.

 

Warm regards,

Rasheed

Marianne
Moderator

Thanks Rasheed, will hopefully pinpoint the problem today... I have logged a support call on Friday, requesting contact this morning.

Marianne
Moderator

4 hours on the phone and webex with the BEST engineer in the UK...

We eventually had to completely uninstall, cleanup remaining files/folders, and reinstall AT and AZ.

Long story short - the mount points for nbat and nbaz MUST be as in the templates:
/var/VRTSat/mnt
/var/VRTSaz/shared

Anything other than this causes the databases to be copied to the folders above and not to the mount points.

These lines in the templates also had to be changed to 'y':
DiskGroupConfig=y
VolumeConfig=y

Other than this, rsh is required not only for the remote host, but also for the local host itself where the configuration is done. So, on v240-2, where I was doing the config, I had to add a 'v240-2' entry to .rhosts.

bpnbaz -setupsecurity was executed once and completed successfully (no need for FQDN!):

root@v240-2 # bpnbaz -setupsecurity nbuclus -server nbaz
There must be at least one Security Administrator other than
root/Administrator. Enter the userid and login information
for that Security Administrator. The specified userid will
be added to the Security Administrator Group (NBU_Security Admin)
 and to the Administrator Group (NBU_Admin).
Authentication Broker: nbat
Authentication port[ Enter = default]:
Authentication type (NIS, NIS+, WINDOWS, vx, unixpwd): unixpwd
Domain: nbat
Login Name: root
Password: <OS passwd>
Processing - please be patient
Operation completed successfully.
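
The three conditions named in the final post (the template mount points really being mounted filesystems, DiskGroupConfig and VolumeConfig set to y, and the local hostname listed in .rhosts) can be checked before the AT/AZ cluster configuration is run. The script below is an added example, not part of the thread and not Symantec tooling; the function names are hypothetical, the template and .rhosts paths are supplied by the caller, and POSIX df, grep and awk are assumed (on Solaris 10, put /usr/xpg4/bin first in PATH).

```shell
#!/bin/sh
# Added example: pre-flight checks for the conditions listed in the post above.
# Function names are hypothetical; all file paths are passed in by the caller.

# True when DIR is itself a mount point, i.e. df reports the filesystem
# holding DIR as mounted on DIR rather than on a parent directory.
is_mount_point() {
    [ -d "$1" ] || return 1
    mounted_on=$(df -P "$1" 2>/dev/null | awk 'NR==2 {print $NF}')
    [ "$mounted_on" = "$1" ]
}

# True when FILE contains "KEY=y" (whitespace and upper-case Y tolerated).
template_key_is_yes() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*[yY][[:space:]]*\$" "$1" 2>/dev/null
}

# True when RHOSTS has a line whose first field is exactly HOST.
rhosts_lists_host() {
    [ -r "$1" ] && awk -v h="$2" '$1 == h {found = 1} END {exit !found}' "$1"
}

# preflight AT_MNT AZ_MNT TEMPLATE RHOSTS HOST
# Prints one line per failed check and returns the number of failures.
preflight() {
    fails=0
    for mnt in "$1" "$2"; do
        is_mount_point "$mnt" ||
            { echo "FAIL: $mnt is not a mounted filesystem"; fails=$((fails + 1)); }
    done
    for key in DiskGroupConfig VolumeConfig; do
        template_key_is_yes "$3" "$key" ||
            { echo "FAIL: $key is not set to y in $3"; fails=$((fails + 1)); }
    done
    rhosts_lists_host "$4" "$5" ||
        { echo "FAIL: no entry for $5 in $4"; fails=$((fails + 1)); }
    echo "$fails check(s) failed"
    return "$fails"
}

# Runs only when all five arguments are given, for example:
#   sh preflight.sh /var/VRTSat/mnt /var/VRTSaz/shared <template> "$HOME/.rhosts" "$(uname -n)"
if [ "$#" -eq 5 ]; then preflight "$@"; fi
```

A non-zero exit status is the count of failed checks, so the script can gate the configuration step in a wrapper.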