12-10-2012 01:54 AM
Hi,
Currently, I have a setup of NBU 7.1.03 with NBAC on a Windows 2008 R2 server.
*Note: domain.com\nbuadministrator is a
When I login to the server as domain.com\nbuadministrator, I am unable to launch nbconsole.exe and was prompted with the following;
You did not authenticate via the Symantec Product Authentication subsystem. Please attempt to login as a different user.
I tried to Login using different user name as follows in the following but still unable to launch nbconsole.exe;
- Username: nbuadministrator
- Authentication Domain: "domain.com"
- Domain Type: Windows
- Authentication Broker: "master_hostname"
- Port: 0
How can I launch nbconsole.exe as domain.com\nbuadministrator?
Solved! Go to Solution.
12-13-2012 03:20 AM
hi Pandarazzi,
did you replace the servers name with the hostname... or you just copied the output as it is..
because i wonder..bpnbat -showmachines, is showing the hostname. (did you replace the server name while copying)
C:\Windows\system32>bpnbat -showmachines
hostname
hostname.domain.com
Operation completed successfully.
bpnbaz -ShowAuthorizers is also not showing the master and media servers names..
C:\Windows\system32>bpnbaz -ShowAuthorizers
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@hostname.domain.com
Name: hostname
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@hostname.domain.com
Name: hostname.domain.com
check this..
1)
To verify which computers are present in the authentication broker, log on as a member of the Administrators group and run the following command:
bpnbat -ShowMachines
This command shows the computers for which you have run bpnbat -AddMachine.
Note: |
If a host is not on the list, run bpnbat -AddMachine from the master. Then run bpnbat -loginMachine from the host in question. |
2)To verify which computers are permitted to perform authorization lookups, log on as a member of the Administrators group and run the following command:
bpnbaz -ShowAuthorizers
This command shows that win_master and win_media (master and media servers) are permitted to perform authorization lookups. Note that both servers are authenticated against the same Private Domain (domain type vx), NBU_Machines@win_master.company.com.
Note: |
Run this command by local administrator or by root. The local administrator must be a member of the NBU_Security Admin user group. |
bpnbaz -ShowAuthorizers ========== Type: User Domain Type: vx Domain:NBU_Machines@win_master.company.com Name: win_master.company.com ========== Type: User Domain Type: vx Domain:NBU_Machines@win_master.company.com Name: win_media.company.com Operation completed successfully.
If a master server or media server is not on the list of authorized computers, run bpnbaz -allowauthorization server_name to add the missing computer.
3)Use the Windows Task Manager to make sure that nbatd.exe and nbazd.exe are running on the designated host. If necessary, start them.
12-12-2012 02:08 AM
Anyone can shine some light?
12-12-2012 04:15 AM
hi ,
in my master server access control set to Prohibit. and i am able to login with window username and passwd.
In Administration Console, under Host Properties -> Master Servers -> Properties of "master_hostname" -> Access Control -> Netbackup Product Authentication & Authorization is set toProhibit.
could you try setting it as prohibit and check once.
12-12-2012 05:18 PM
Hi Nagalla,
Thank you for your reply.
It will work if I set it to Prohibited but it will defeat the purpose for us to implement NBAC.
12-12-2012 09:16 PM
hi Pandarazzi,
i just though that you considering about loging.. i understand that you are considering about NBAC login... lets do this..
did you look into the below T/N and verified that your configuration is fine.?,
i would be intrested to see the below outputs... about the commands info is in below tech note.
bpnbat -whoami -cf
bpnbat -loginmachine
bpnbat -ShowMachines
bpnbaz -ShowAuthorizers
bpnbaz -listgroups
http://www.symantec.com/business/support/index?page=content&id=HOWTO46911#v32156829
12-13-2012 02:53 AM
Hi Nagalle,
I ran the commands and these are the results. I presume that configuration wise is done correctly when all the queries seems fine? Is there anywhere where I can check for the logs on the "Symantec Product Authentication subsystem"?
C:\Windows\system32>bpnbat -whoami -cf
Name: hostname.domain.com
Domain: NBU_Machines@hostname.domain.com
Issued by: /CN=broker/OU=root@hostname.domain.com/O=vx
Expiry Date: Dec 13 10:25:38 2013 GMT
Authentication method: Symantec Private Domain
C:\Windows\system32>bpnbat -showmachines
hostname
hostname.domain.com
Operation completed successfully.
C:\Windows\system32>bpnbaz -ShowAuthorizers
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@hostname.domain.com
Name: hostname
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@hostname.domain.com
Name: hostname.domain.com
Operation completed successfully.
C:\Windows\system32>bpnbaz -listgroups
NBU_User
NBU_Operator
NBU_Admin
NBU_Security Admin
Vault_Operator
NBU_SAN Admin
NBU_KMS Admin
Operation completed successfully.
12-13-2012 03:20 AM
hi Pandarazzi,
did you replace the servers name with the hostname... or you just copied the output as it is..
because i wonder..bpnbat -showmachines, is showing the hostname. (did you replace the server name while copying)
C:\Windows\system32>bpnbat -showmachines
hostname
hostname.domain.com
Operation completed successfully.
bpnbaz -ShowAuthorizers is also not showing the master and media servers names..
C:\Windows\system32>bpnbaz -ShowAuthorizers
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@hostname.domain.com
Name: hostname
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@hostname.domain.com
Name: hostname.domain.com
check this..
1)
To verify which computers are present in the authentication broker, log on as a member of the Administrators group and run the following command:
bpnbat -ShowMachines
This command shows the computers for which you have run bpnbat -AddMachine.
Note: |
If a host is not on the list, run bpnbat -AddMachine from the master. Then run bpnbat -loginMachine from the host in question. |
2)To verify which computers are permitted to perform authorization lookups, log on as a member of the Administrators group and run the following command:
bpnbaz -ShowAuthorizers
This command shows that win_master and win_media (master and media servers) are permitted to perform authorization lookups. Note that both servers are authenticated against the same Private Domain (domain type vx), NBU_Machines@win_master.company.com.
Note: |
Run this command by local administrator or by root. The local administrator must be a member of the NBU_Security Admin user group. |
bpnbaz -ShowAuthorizers ========== Type: User Domain Type: vx Domain:NBU_Machines@win_master.company.com Name: win_master.company.com ========== Type: User Domain Type: vx Domain:NBU_Machines@win_master.company.com Name: win_media.company.com Operation completed successfully.
If a master server or media server is not on the list of authorized computers, run bpnbaz -allowauthorization server_name to add the missing computer.
3)Use the Windows Task Manager to make sure that nbatd.exe and nbazd.exe are running on the designated host. If necessary, start them.
12-14-2012 12:52 AM
Hi Nagalle,
Thank you for your patience. I did replace the hostname and domain.com into the results where hostname is referred to my master server's hostname and domain.com is referred to the domain name.
nbatd and nbazd are both running.
12-14-2012 01:53 AM
hi Pandarazzi,
i am just curious, if you could try to login with local admin ID, which is not having the relation with Domain ID.
becuse i just read below 3 statements in admin guide., and i belive we are good for first 2.. so just want to make sure 3rd one also..
12-17-2012 05:54 PM
Hi Nagalla,
I logged in as a local administrator and started NBU console. It prompted to establish trust to the broker and I clicked "Yes" to attempt to set up trust relationship with the broker. It only prompted "You did not authenticate via the Symantec Product Authentication subsystem. Please attempt to login as a different user"