I. Introduction
This document is intended as a detailed example of the steps necessary to set
up the NetBackup Access Control (NBAC) feature in an extremely simple
NetBackup environment. The NBAC feature allows non-root users to have
NetBackup administrative capabilities, using either the NetBackup administrative
graphical user interface (GUI), or the command line utilities. For a detailed
description of this feature, refer to Chapter 1 of the Veritas NetBackup (tm) 5.1
System Administrator's Guide, Volume II or the Veritas NetBackup (tm) 6.0
System Administrator's Guide, Volume II (found below, in the Related Documents
section).
This document will first explain how to install the VERITAS Security Services
(VxSS) components that are required for using NBAC. This document will then
explain how to enable and configure NBAC.
Two non-root users will be given NetBackup administrative access.
The user named vxssuser is defined in the Solaris /etc/passwd file and is
the first user set up in this example. The NBAC
configuration will then be updated to include the user named rworman, who is
defined in the Network Information Name Services ("NIS") databases.
II. Installation
Page 1 of 49
NetBackup 6.0 MP2 releases, allowing the use of the short
hostname.
• The non-root user must have a valid home directory that is
writeable by that non-root user. (See Figure 2.)
Figure 2: Verifying that the non-root user vxssuser has a writeable home
directory.
Insert the NetBackup 5.1 VxSS CD-ROM, use the cd command to change
to the appropriate platform directory on this CD-ROM, and then run the
installvss script. (See Figure 3 for example commands.)
Figure 6: Specify AT install host.
Figure 8: Summary of OS packages that are about to be installed (no
input necessary, just press Return).
Figure 12: Confirm configuration of AT.
Figure 13: Explanation of user navigation (no input necessary, just press
Return).
Figure 15: Deny cluster configuration.
II.C. Installing the VxSS Authorization ("AZ") Server
If the VxSS CD-ROM is not already mounted from the previous step, insert
the NetBackup 5.1 VxSS CD-ROM; use the "cd" command to change to
the appropriate platform directory on this CD-ROM, and then run the
installvss script, as shown in Figure 3.
Figure 19: Specify AZ Service.
Figure 21: Summary of initial system check results (no user input
necessary, just press Return).
Figure 22: Summary of OS packages that are about to be installed (no
input necessary, just press Return).
Figure 26: Confirm configuration of AZ.
Figure 27: Explanation of user navigation (no input necessary, just press
Return).
Figure 29: Summary of AZ configuration results (no input necessary, just
press Return).
II.D. Verifying basic VxSS functionality
At this point, you should be able to start the VxSS daemons and use the
vssat command to verify the AT domain name. See Figures
31 and 32 below for examples of how to verify these items.
Figure 31: Start the AT and AZ daemons, verify they are running.
Figure 32: Run the vssat command to verify the AT domain name is
"root@FQDN", and run the vrtsaz command to verify that the AZ server
is in a "ready" state.
III. NBAC Configuration
As mentioned in step II.D above, it is important that the VxSS daemons are
running (as shown in Figure 31) prior to proceeding to the next steps.
The following steps will seed the VxSS database with the data necessary for
using NBAC.
Figure 34: Run bpnbat -loginmachine to log in to the machine
account that was just created. Note: The password used with this
command should be the same password that was supplied to
bpnbat -addmachine in Figure 33. (For this example, the
password entered was "machinepass".)
Figure 36: Run bpnbaz -allowauthorization to add the master
server as a host allowed to perform authorization checks.
Figure 37: Use the bpnbat -login command to authenticate this user
for command line access. Note: The username and password used
with this command should be the UNIX login and password for this
user. (For this example, the password entered was "vxssuser123".)
Next, run the bpnbaz -listgroups command as a simple
verification of the initial NBAC configuration.
III.B. NetBackup GUI configuration (done as root)
The following steps are the last NetBackup GUI actions that must be done
while logged in as the root user.
Figure 40: Select Host Properties --> Master Server, right-click and
select Properties.
Figure 42: Select Automatic, select the VxSS tab, and click the Add
button.
Figure 43: Select Host Name, specify the FQDN of the Master, and click
the Add button.
Figure 44: Click the Close button.
Figure 45: Select the Authentication Domains tab.
Figure 46: Click the Add button.
Figure 47: Specify the Domain (FQDN of the Master), choose PASSWD
for the Authentication Mechanism, specify the Broker (FQDN again),
click the Add button.
Figure 48: Click the Close button.
Figure 50: Specify the Host (FQDN of the Master) and click the OK
button.
Figure 51: A notification to restart daemons will appear. Dismiss the
notification by clicking the OK button.
Figure 53: Note that four new entries have been added to the end of the
bp.conf file.
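A way to check those bp.conf additions from the command line, as an added example that is not part of the original document. The page does not list the four entries; they are assumed here to be the NetBackup bp.conf keys USE_VXSS, VXSS_NETWORK, AUTHENTICATION_DOMAIN and AUTHORIZATION_SERVICE, and the sample values and the hostname master.example.com are constructed.

```shell
#!/bin/sh
# Added example. The four key names are assumed to be the entries Figure 53
# shows; the sample values and master.example.com are constructed.

# bpconf_values FILE KEY: print each value assigned to KEY (comments skipped).
bpconf_values() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# check_nbac_bpconf FILE FQDN: return 0 only if USE_VXSS is AUTOMATIC and the
# other three entries exist and name FQDN as a whole field (a short hostname
# or a longer name that merely contains FQDN does not count).
check_nbac_bpconf() {
    file=$1; fqdn=$2; rc=0
    mode=$(bpconf_values "$file" USE_VXSS)
    if [ "$mode" != "AUTOMATIC" ]; then
        echo "USE_VXSS is '${mode:-unset}', expected AUTOMATIC"; rc=1
    fi
    for key in VXSS_NETWORK AUTHENTICATION_DOMAIN AUTHORIZATION_SERVICE; do
        vals=$(bpconf_values "$file" "$key")
        if [ -z "$vals" ]; then
            echo "$key is missing"; rc=1
        elif ! printf '%s\n' "$vals" | awk -v h="$fqdn" \
                '{ for (i = 1; i <= NF; i++) if ($i == h) ok = 1 } END { exit !ok }'
        then
            echo "$key does not name $fqdn"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of the end of bp.conf after the GUI steps above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SERVER = master.example.com
USE_VXSS = AUTOMATIC
VXSS_NETWORK = master.example.com AUTOMATIC
AUTHENTICATION_DOMAIN = master.example.com "" PASSWD master.example.com 0
AUTHORIZATION_SERVICE = master.example.com 0
EOF
check_nbac_bpconf "$sample" master.example.com && echo "bp.conf: NBAC entries OK"
rm -f "$sample"
```

On a real master server, point the function at the installed bp.conf and pass the FQDN that was entered in the GUI dialogs.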
III.C. Verifying non-root capabilities (done as vxssuser)
At this point in our example, the non-root vxssuser account is the only
user with NetBackup administrative capabilities, via either the GUI or the
command line. Given that the UNIX root user has historically been an all-powerful
NetBackup administrator, some NetBackup administrators may
want to allow root to be another NetBackup administrator under NBAC.
This is easily done and is described in section III.D.1 of this document
("Adding the root user (defined in the /etc/passwd file) as a NetBackup
Administrator").
Figure 56: Log in to jnbSA as vxssuser.
Figure 57: Observe that the full administrative GUI is presented (as
opposed to only the Backup, Archive and Restore GUI that would
normally be presented to a non-root user).
Figure 58: Select Help --> Current NBAC User to see the details
of the vxssuser GUI credentials.
Figure 59: vxssuser GUI credentials (Note that credential expiry is
24 hours from the time that vxssuser logged into jnbSA - See
TechNote 274786 for how to extend this expiry date.)
III.C.2. Verifying non-root command line access
Figure 63: Run the bpnbat -whoami command to see
command line credential details. (Note that credential expiry is 24
hours from the time that vxssuser ran the bpnbat -login
command - See TechNote 274786 for how to extend this expiry
date.)
some NetBackup administrators may prefer to provide root with
NBAC administrative access.
Figure 65: Select the Access Management --> User Groups node
and right-click on the NBU_Admin User Group and select Change.
Figure 66: Select the Users tab and click the New User button.
Figure 67: Specify the new user name to be added, specify the
domain (FQDN of the master server), choose UNIX PWD for the
Domain Type, choose Individual User for the User Type, and click
the OK button.
Figure 68: Observe that the user root has been added to the list of
Assigned Users for this group. Click the OK button to complete the
modification of this group.
Figure 69: Exit the jnbSA application.
The root user now has full NetBackup administrative access.
Verifying this is left as an exercise for the reader, based on the
steps provided in section III.C of this document.
Figure 70: Identify the NIS domain name using the Solaris
domainname command (our example NIS domain is
xxx.example.com).
Figure 71: Log in to a jnbSA session as a username that is a
member of the NBAC Security Administrator group. In our
example, this is vxssuser, but root would also work, because of the
actions taken in section III.D.1.
Figure 73: Select Access Control node, select the
Authentication Domains tab, and click the Add button.
Figure 74: Specify the Domain that you identified in Figure 70
(xxx.example.com), choose NIS for the Authentication
Mechanism, specify the Broker (FQDN of the master server), and
click the Add button.
Figure 75: Click the Close button.
Figure 76: Observe that the second Domain has been added to the
list. Click the OK button to apply these changes.
III.D.3. Adding the rworman NIS user to the NBAC NetBackup
Administrators Group
Much like the steps outlined in III.D.1 above, the following series of
screenshots walks through the exact sequence of GUI operations
necessary to add rworman to the NBAC configuration. All user
input is highlighted in red.
Figure 79: Select the Users tab and click the New User button.
Figure 80: Specify the new username to be added, specify the NIS
domain (from Figure 64), choose NIS for the Domain Type, choose
Individual User for the User Type, and click the OK button.
Figure 81: Observe that the user rworman has been added to the
list of Assigned Users for this group. Click the OK button to
complete the modification of this group.
The NIS user rworman now has full NetBackup administrative
access. Verifying this is left as an exercise for the reader, based on
the steps already given in section III.C of this document.
IV. Conclusion
This document is provided as a detailed explanation of how to configure the
simplest possible UNIX NBAC configuration. It demonstrates how to grant full
NetBackup administrative capabilities to three users on a single NetBackup
Master+Media server. Most real world configurations would require a more
complex NBAC configuration than this, including one or more of the following:
• Using NBAC on clients and media servers
• Using NBAC on a mixture of Windows and UNIX platforms
• Granting different levels of NetBackup administrative access to different
users