Installing and configuring NetBackup Access Control (NBAC) on clients

Article: HOWTO46717  |  Created: 2011-03-24  |  Updated: 2011-03-25
Article Type: How To



The following procedure describes how to install and configure NetBackup Access Control (NBAC) on clients in a NetBackup configuration. The target client should be running the NetBackup client software version 7.1 or higher.

  1. Make sure that no backups are currently running for the client computer.

  2. Log on to the master server computer as the UNIX root or the Windows administrator.

  3. Check that the authentication daemon (nbatd) is running. If it is not, start the authentication daemon.

  4. Go to the NBU_INSTALL_PATH/bin directory.

  5. Log on as the NetBackup security administrator. The UNIX root user and the Windows administrator on the master server are the default NetBackup security administrators. Use the following command:

    bpnbat -Login

    The following information is displayed.

    Authentication Broker [ is default]:
    Authentication port [0 is default]:
    Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd)
     [unixpwd is default]:
    Domain [ is default]: 
    Login Name [root is default]:
    Operation completed successfully.

  6. Run bpnbaz -SetupClient with the described options.

    Note that this command does not work unless it is extended with either an individual host or the -all option.

    See NBAC configure commands summary.

    First do a dry run to see all of the clients that are visible to the master server. Use this process for companies that have a large number of clients (greater than 250). The -dryrun option can be used with both the -all and the single-client configuration. By default, the discovered host list is written to the file SetupClient.nbac in the same directory. You can also provide your own output file name by using the -out <output file> option. If you use your own output file, pass it to the subsequent runs with the -file option. For example, you can use the following commands:

    bpnbaz -SetupClient -all -dryrun [-out <outfile>] or

    bpnbaz -SetupClient <> -dryrun [-out <outfile>].

    After the dry run, check the client host names and run the same command without the -dryrun option. For example, use the following command:

    bpnbaz -SetupClient -all or

    bpnbaz -SetupClient -file SetupClient.nbac or

    bpnbaz -SetupClient <>.

    The -all option runs with the clients known to the master server. It can take time to address all the clients in a large environment (greater than 250).

    The -all client listing updates the credentials on all clients. It can take some time and resources; instead, use the -file option to update a subset of the clients. You can run the same command multiple times, until all the clients in the progress file are successfully configured. The status for each client is updated in the input file. The ones that succeeded in each run are commented out for the subsequent runs. A smaller subset is left for each successive run. Use this option if you have added a number of clients (greater than 250). Target the ones you want to update at that time.

    The -images option with -all looks for client host names in the image catalogs. It can return decommissioned hosts in larger environments. Run the -all -dryrun options with the -images option to determine which hosts should be updated.

  7. Restart the client services on the specific clients once the installation is finished.
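
The host-name check between the dry run and the real run in step 6 can be scripted. The following is an added example, not part of the original article and not Symantec's code; it assumes the host list holds one host name per line with # marking comments, and it uses a hypothetical inventory file of active clients in the same format. The function and file names are illustrative.

```shell
#!/bin/sh
# Added example, not Symantec's code. ASSUMPTIONS (not stated in the article):
# the host list has one host name per line and '#' starts a comment, which is
# how clients that succeeded in an earlier run are assumed to be marked.

# Print the hosts still pending in a host list: comments and blank lines
# dropped, names lower-cased, sorted, de-duplicated.
pending_hosts() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
        tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# Compare a dry-run list ($1) with an inventory of active clients ($2, a
# hypothetical file in the same format) and write the hosts present in both
# to $3 for use with -file. Hosts missing from the inventory are printed for
# investigation. Returns 0 only when every discovered host is in the inventory.
review_dryrun() {
    found=$(mktemp) known=$(mktemp)
    pending_hosts "$1" > "$found"
    pending_hosts "$2" > "$known"
    LC_ALL=C comm -12 "$found" "$known" > "$3"
    unknown=$(LC_ALL=C comm -23 "$found" "$known")
    rm -f "$found" "$known"
    [ -z "$unknown" ] && return 0
    printf '%s\n' "$unknown"
    return 1
}

# Constructed sample data. On a master server the first file would come from
#   bpnbaz -SetupClient -all -dryrun -out <outfile>
# and the reviewed list would then be passed to
#   bpnbaz -SetupClient -file <reviewed file>
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'app01.example.com' 'DB02.example.com' \
        'old-fs09.example.com' '#web03.example.com' > "$dir/SetupClient.nbac"
    printf '%s\n' '# active clients' 'app01.example.com' \
        'db02.example.com' 'web03.example.com' > "$dir/inventory.txt"
    review_dryrun "$dir/SetupClient.nbac" "$dir/inventory.txt" "$dir/reviewed.nbac" ||
        echo "^ not in inventory: investigate before configuring"
    echo "pending after review: $(pending_hosts "$dir/reviewed.nbac" | wc -l)"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with --demo to process the constructed data. Under the same format assumption, counting the output of pending_hosts on the progress file after each -file run shows how many clients are still unconfigured.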

See About using NetBackup Access Control (NBAC)
