What logs to collect when troubleshooting NBAC on Windows

Article:TECH202022  |  Created: 2013-01-24  |  Updated: 2014-07-29  |  Article URL http://www.symantec.com/docs/TECH202022
Article Type: Technical Solution


Issue

Troubleshooting NBAC issues can be a frustrating experience.  This technote is designed to assist customers and TSEs with collecting the necessary information to provide to Symantec Support when troubleshooting NBAC issues.


Solution



The evidence to collect can change depending on the nature of the NBAC issue.  The list below covers the evidence needed in 90% of situations.

========================================================
Gather these things for all NBAC issues
========================================================

1. Draft a clear description of the problem
2. Collect NBSU from the Master Server and the problematic host.  If a cluster, collect from both/all nodes of the cluster.
3. Screen-shot / CMD text buffer capture of the problem

 

========================================================
If the problem is with the NetBackup Authentication or NetBackup Authorization services not starting
========================================================

Start the NetBackup Authorization Service with logging directed to the foreground. Messages are written to the CMD buffer, so you may need to increase the size of the CMD buffer to capture all of them:

4a. <install path>\NetBackup\sec\az\bin>nbazd.exe -eazs "C:\Program Files\Veritas\netbackup\sec\az\bin\eazs.loc" -fg 9

NOTE: Adjust path in quotes accordingly

Once the error is observed, copy the contents of the CMD buffer into a text file named nbazd_foreground.txt

 

Run the following 2 commands to collect information about the Services:
4b. reg query "HKLM\System\CurrentControlSet\services\nbatd" /s > nbatd_service_reg.txt
4c. reg query "HKLM\System\CurrentControlSet\services\nbazd" /s > nbazd_service_reg.txt

 

========================================================
How to increase logging verbosity for NBAC
========================================================

5. Set Global Logging Level to Verbose = 5
6. Set Unified Log 18 (Authentication broker or nbatd) to 6

Example:
vxlogcfg -l -p NB -o 18 (to print out current log levels)
vxlogcfg -a -p NB -o 18 -s "DebugLevel=6"   (to increase log levels)
NOTE: Don't forget to reduce the log levels again when done
 

========================================================
NBAC log locations and other relevant evidence to collect
========================================================

7. <install path>\NetBackup\logs\admin    
8. <install path>\NetBackup\logs\nbazd   
NOTE: Collect the entire nbazd folder as it contains both files and folders
9. <install path>\NetBackup\sec\at\bin\nbatd (contains 51216-18 xxxxxxx .log logs)

 

Files To Collect:
10. System and Application Event Logs in .txt format (can collect with NBSU)
11. <install path>\NetBackupDB\data\vxdbms.conf
12. <install path>\NetBackupDB\CONF\server.conf
13. <install path>\NetBackup\sec (collect the entire 'sec' folder and all its contents; it contains ...\az\bin\VRTSaz.conf and eazs.loc)
14. <install path>\NetBackup\var\global\vxss\eab\data (collect the entire 'data' folder and all its contents)
15. <install path>\NetBackup\var\VxSS (collect the entire 'VxSS' folder and all its contents)
16. C:\users\<username>\AppData\Roaming\VxSS (collect the entire 'VxSS' folder and all its contents)
NOTE: Alternatively, for point 16, you can get there by going to Start > Run and entering %AppData%

 

========================================================
Registry keys to collect and validate
========================================================

17. HKLM\Software\Veritas\Security\Authentication\Credential Manager\Profiles\SYSTEM
    ProfileDir 

NOTE: Can use this cmd line syntax to collect: 
reg query "HKLM\Software\Veritas\Security\Authentication\Credential Manager\Profiles\SYSTEM" /s > system_reg.txt

 

18. HKLM\SOFTWARE\Wow6432Node\VERITAS\Security\Authentication\Credential Manager\Profiles\SYSTEM
    ProfileDir

NOTE: Can use this cmd line syntax to collect: 
reg query "HKLM\SOFTWARE\Wow6432Node\VERITAS\Security\Authentication\Credential Manager\Profiles\SYSTEM" /s > system64_reg.txt

 

19. HKLM\Software\Veritas\NetBackup\CurrentVersion\Config
    Server
    USE_VXSS
    AUTHENTICATION_DOMAIN
    AUTHORIZATION_SERVICE
    VXSS_SERVICE_TYPE

NOTE: Can use this cmd line syntax to collect: 
reg query HKLM\Software\Veritas\NetBackup\CurrentVersion\Config /s > config_reg.txt

 

20. HKLM\SOFTWARE\ODBC\ODBC.INI\NBAZDB  
    EngineName

NOTE: Can use this cmd line syntax to collect: 
reg query HKLM\SOFTWARE\ODBC\ODBC.INI\NBAZDB /s > nbazdb_reg.txt
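
One way to run the exports from points 17-20 in a single pass and check that each named value exists is sketched below. This is an added example, not Symantec's own tooling. It assumes PowerShell 3.0 or later in a 64-bit session; the output folder ($OutDir) and the nbac_reg_validation.csv file name are assumptions, while the keys, value names and .txt file names are the ones listed above.

```powershell
# Added example: export the registry keys from points 17-20 and flag missing values.
# $OutDir and the CSV name are assumed; the .txt names follow the technote.
$OutDir = Join-Path $env:TEMP 'nbac_evidence'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$checks = @(
    @{ Key = 'HKLM\Software\Veritas\Security\Authentication\Credential Manager\Profiles\SYSTEM'
       File = 'system_reg.txt'; Values = @('ProfileDir') },
    @{ Key = 'HKLM\SOFTWARE\Wow6432Node\VERITAS\Security\Authentication\Credential Manager\Profiles\SYSTEM'
       File = 'system64_reg.txt'; Values = @('ProfileDir') },
    @{ Key = 'HKLM\Software\Veritas\NetBackup\CurrentVersion\Config'
       File = 'config_reg.txt'
       Values = @('Server', 'USE_VXSS', 'AUTHENTICATION_DOMAIN', 'AUTHORIZATION_SERVICE', 'VXSS_SERVICE_TYPE') },
    @{ Key = 'HKLM\SOFTWARE\ODBC\ODBC.INI\NBAZDB'
       File = 'nbazdb_reg.txt'; Values = @('EngineName') }
)

$report = foreach ($c in $checks) {
    $psPath = 'Registry::' + ($c.Key -replace '^HKLM', 'HKEY_LOCAL_MACHINE')
    if (-not (Test-Path -LiteralPath $psPath)) {
        # Report an absent key instead of stopping, so the remaining keys are still collected
        [pscustomobject]@{ Key = $c.Key; Value = '(key)'; Status = 'KEY MISSING'; Data = $null }
        continue
    }
    # Same export the technote performs by hand with "reg query ... /s > file"
    & reg.exe query $c.Key /s | Out-File -FilePath (Join-Path $OutDir $c.File) -Encoding ascii
    $props = Get-ItemProperty -LiteralPath $psPath
    foreach ($v in $c.Values) {
        $present = $props.PSObject.Properties.Name -contains $v
        [pscustomobject]@{
            Key    = $c.Key
            Value  = $v
            Status = if ($present) { 'present' } else { 'VALUE MISSING' }
            # Multi-string values are joined so they survive the CSV export
            Data   = if ($present) { @($props.$v) -join '; ' } else { $null }
        }
    }
}
$report | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path (Join-Path $OutDir 'nbac_reg_validation.csv') -NoTypeInformation
```

The script only reads the registry and writes files under $OutDir; include that folder with the rest of the evidence.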

 

========================================================
If the problem is with NBAC functionality, collect the following
========================================================

From GUI:
21. Help > Current NBAC User (screen-shot)

 

From CMD Line:
22. <install path>\NetBackup\bin\bpnbat -whoami     * shows who the current user is
23. <install path>\NetBackup\bin\bpnbat -login     * logs in the current user

NOTE: Perform the following after successfully running 'bpnbat -login'

24. <install path>\NetBackup\bin\admincmd\bpnbaz -J -ListUsersWithGroups     * generates a list of users and their group membership
25. <install path>\NetBackup\bin\admincmd\bpnbaz -showauthorizers     * displays the authorizing host

Finishing Note: Save resulting text from the CMD buffer into a file named nbac_user_info.txt

 

26.  Enter / execute the following 4 lines in order to display/collect broker data directory certificates
NOTE: When entering the two set statements, adjust the full install path accordingly AND do not place quotes around the path

set eat_home_dir=C:\Program Files\Veritas\NetBackup\sec\at
set eat_data_dir=C:\Program Files\Veritas\NetBackup\var\global\vxss\eab\data
<install path>\NetBackup\sec\at\bin\vssat showcred
<install path>\NetBackup\sec\at\bin\vssat showalltrustedcreds

Finishing Note: Save resulting text from the CMD buffer into a file named broker_certs.txt

 

27.  Enter / execute the following 3 lines in order to display/collect client data directory certificates
NOTE: When entering the set statement, adjust the full install path accordingly AND do not place quotes around the path

set eat_data_dir=C:\Program Files\Veritas\NetBackup\var\VxSS\at
<install path>\NetBackup\sec\at\bin\vssat showcred
<install path>\NetBackup\sec\at\bin\vssat showalltrustedcreds

Finishing Note: Save resulting text from the CMD buffer into a file named client_certs.txt

 



