05-21-2015 12:52 PM
Hi All,
I migrated the NetBackup server operating system from W2K3 to W2K8 R2 and successfully performed the catalog restore. The whole environment is working properly, but we have some users that manage some policies through the Java console.
I've created a local user named Producao, set this user as Administrator, and included the user in the Local Security Policies: Act as part of the operating system, Create a token object and Replace a process level token.
I have also created the auth.conf file in C:\Program Files\VERITAS\Java with the content below.
localhost\producao ADMIN=ALL JBP=ALL
After all this I'm still getting error 503 when trying to log in to the Java console.
I've already restarted the server. The bpjava-msvc log follows:
14:50:57.338 [5244.5184] <2> logparams: -transient
14:51:02.330 [5244.5184] <16> EnablePrivilege: AdjustTokenPrivileges of SeAssignPrimaryTokenPrivilege failed, result = 1, errno = 1300 = Not all privileges or groups referenced are assigned to the caller.
14:51:02.330 [5244.5184] <16> command_LOGON_TO_MSERVER: authenticate failed for user producao (user not found)
14:51:02.533 [5244.5184] <16> poll_listen: can't find file descriptor 00000000000001EC in polling table
14:51:02.533 [5244.5184] <4> bpjava-msvc: NEW_LOG closing debugFD and seting NB_INVALID
05-21-2015 04:23 PM
Will it work if you change it to?
producao ADMIN=ALL JBP=ALL
05-26-2015 08:22 AM
Hi Watsons,
The problem continues. Same error 503.
05-26-2015 10:19 AM
Did you reboot the machine after you added the rights? You will need to add "Log on Locally" (https://support.symantec.com/en_US/article.TECH72342.html) rights as well. The value in java.auth needs to be <Local Machine name>\producao not localhost\producao especially if they are logging in remotely.
05-27-2015 07:52 AM
Confirmed that my user is set up in Local policy as you mentioned and changed the java.auth, and even after reboot the problem continues.
05-27-2015 09:03 AM
Can you post the latest errors from the bpjava-msvc log?
05-27-2015 02:28 PM
Access tried using <Master Server hostname>\Producao
09:27:09.675 [5640.4988] <2> logparams: -transient
09:27:14.682 [5640.4988] <16> EnablePrivilege: AdjustTokenPrivileges of SeAssignPrimaryTokenPrivilege failed, result = 1, errno = 1300 = Not all privileges or groups referenced are assigned to the caller.
09:27:14.682 [5640.4988] <16> command_LOGON_TO_MSERVER: authenticate failed for user Producao (user not found)
09:27:15.072 [5640.4988] <16> poll_listen: can't find file descriptor 00000000000001EC in polling table
09:27:15.072 [5640.4988] <4> bpjava-msvc: NEW_LOG closing debugFD and seting NB_INVALID
05-27-2015 03:25 PM
According to the log that user does not exist:
09:27:14.682 [5640.4988] <16> command_LOGON_TO_MSERVER: authenticate failed for user Producao (user not found)
This is not a case of not enough privileges yet it is an issue with the user not being identified.
Are you logging in from a remote machine or from the Master Server itself?
What do the Windows event logs say? Look for a logon failure from around the time of the attempt in the Security event logs. If there are too many events then try to log in again and the failure should be at the top of the list.
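A triage of the bpjava-msvc lines quoted in this thread, as an added example that is not part of any post and not NetBackup code: it splits each line into timestamp, process/thread, severity and source, then separates token-privilege failures from rejected logons so the two can be chased independently. The function names and the choice to treat `<16>` as the error level are assumptions based only on the lines shown here.

```python
import re
from collections import namedtuple

# Log lines copied from the thread above (the 09:27 login attempt).
SAMPLE_LOG = """\
09:27:09.675 [5640.4988] <2> logparams: -transient
09:27:14.682 [5640.4988] <16> EnablePrivilege: AdjustTokenPrivileges of SeAssignPrimaryTokenPrivilege failed, result = 1, errno = 1300 = Not all privileges or groups referenced are assigned to the caller.
09:27:14.682 [5640.4988] <16> command_LOGON_TO_MSERVER: authenticate failed for user Producao (user not found)
09:27:15.072 [5640.4988] <16> poll_listen: can't find file descriptor 00000000000001EC in polling table
09:27:15.072 [5640.4988] <4> bpjava-msvc: NEW_LOG closing debugFD and seting NB_INVALID
"""

Entry = namedtuple("Entry", "time pid tid severity source message")

# Layout as seen in the thread: time [pid.tid] <severity> source: message
LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d{3}) \[(\d+)\.(\d+)\] <(\d+)> ([^:]+): (.*)$")
PRIV_RE = re.compile(r"AdjustTokenPrivileges of (\w+) failed.*errno = (\d+)")
AUTH_RE = re.compile(r"authenticate failed for user (\S+) \((.+)\)")

def parse(text):
    """Return an Entry for every line that matches the layout above."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, pid, tid, sev, src, msg = m.groups()
            entries.append(Entry(t, int(pid), int(tid), int(sev), src, msg))
    return entries

def triage(entries, error_level=16):
    """Group error-level entries into privilege, logon and other failures."""
    report = {"privilege_failures": [], "auth_failures": [], "other_errors": []}
    for e in entries:
        if e.severity < error_level:  # assumption: <16> marks the failures
            continue
        priv, auth = PRIV_RE.search(e.message), AUTH_RE.search(e.message)
        if priv:
            report["privilege_failures"].append(
                (e.time, priv.group(1), int(priv.group(2))))
        elif auth:
            report["auth_failures"].append((e.time, auth.group(1), auth.group(2)))
        else:
            report["other_errors"].append((e.time, e.source))
    return report

if __name__ == "__main__":
    for kind, hits in triage(parse(SAMPLE_LOG)).items():
        print(kind, hits)
```

On the sample, the privilege failure and the "user not found" rejection carry the same timestamp and thread, so both need to be compared against the Windows Security event log for that moment.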
05-27-2015 05:18 PM
Try this: in your master server host properties, add the <Local Machine name> into the SERVER list.
Refresh the setting "bprdreq -rereadconfig" and try login again. Make sure your master server can resolve the <Local Machine name>
05-28-2015 08:35 AM
Hi Andrew, no event is generated in Windows.
Watsons, I set up the localhost in hosts of the server and ran the command that you mentioned, but the error continues.
Tried to log in to the server and it logs in normally.
Log follows:
10:31:53.502 [1728.4892] <2> logparams: -transient
10:31:58.463 [1728.4892] <16> EnablePrivilege: AdjustTokenPrivileges of SeAssignPrimaryTokenPrivilege failed, result = 1, errno = 1300 = Not all privileges or groups referenced are assigned to the caller.
10:31:58.463 [1728.4892] <16> command_LOGON_TO_MSERVER: authenticate failed for user producao (user not found)
10:31:58.666 [1728.4892] <16> poll_listen: can't find file descriptor 00000000000001EC in polling table
10:31:58.666 [1728.4892] <4> bpjava-msvc: NEW_LOG closing debugFD and seting NB_INVALID
05-28-2015 09:21 AM
Try changing:
localhost\producao ADMIN=ALL JBP=ALL
...to:
producao ADMIN=ALL JBP=ALL
...i.e. remove the leading: localhost\
05-28-2015 09:58 AM
Hi - is the user a member of the local administration account? It will have to be in order to work - BUT that doesn't explain the user not found error.
Is the user logging in to the master server from a remote system? If so - does the user exist on the master server too?
FYI from the Admin Guide Vol1 (7.6.1):
The NetBackup-Java application server authenticates the user name and password
by using standard Windows authentication capabilities for the specified computer.
If NetBackup Access Control is not configured for the users, by default the
NetBackup-Java application server provides authorization data. The authorization
data allows all users who are members of the local administrator group on the
NetBackup master server to use all of the NetBackup-Java applications. Other
users are allowed to access only Backup, Archive, and Restore.
05-28-2015 10:36 AM
Hi Deb,
The user Producao is a local user on the Master Server (Windows Server 2008 R2) and is a member of the Administrators group.
I've also tried to access with another user, this time from my domain, that is an administrator too, but I got the same error.
05-28-2015 11:01 AM
Did you try removing the leading: localhost\ ?
05-28-2015 11:15 AM
The auth file is like: producao ADMIN=ALL JBP=ALL
I already made this change, but it had no effect on the problem.
05-29-2015 05:04 AM
One important question we haven't asked is... your NetBackup version and patch level?
And I suppose you have tried disabling UAC & firewall on the Windows master server.
05-29-2015 05:13 AM
NBU Master 7.1.0.4
Windows Firewall disabled
UAC is set to Never notify - I think it is the same as disabled.
OS - Windows Server 2008 R2
05-29-2015 05:43 AM
Will the system locale play a part here?
Does that user name happen to contain a "special a", such as producão (notice the a)?
Just throwing out ideas.. :) because the logs simply indicate an invalid user.
05-29-2015 06:11 AM
Normal Producao name.
See attachment.
05-29-2015 06:58 AM
OK Let's try these steps: