
Netbackup 7.1.03 NBAC - Launching nbconsole as Domain User

Created: 10 Dec 2012 | 9 comments

Hi,

Currently, I have a setup of NBU 7.1.03 with NBAC on a Windows 2008 R2 server.

  1. In Administration Console, under Host Properties -> Master Servers -> Properties of "master_hostname" -> Access Control -> Netbackup Product Authentication & Authorization is set to Automatic
  2. Selected Authentication Domains is "domain.com":windows:"master_hostname"
  3. In Administration Console, under Access Management -> NBU User Groups, domain.com\nbuadministrator* is added into NBU_Admin.

*Note: domain.com\nbuadministrator is a

  1. Domain user
  2. User on the local machine.

When I log in to the server as domain.com\nbuadministrator, I am unable to launch nbconsole.exe and am prompted with the following:

You did not authenticate via the Symantec Product Authentication subsystem. Please attempt to login as a different user.

I tried to log in using a different user name, as follows, but I am still unable to launch nbconsole.exe:

  1. Username: nbuadministrator
  2. Authentication Domain: "domain.com"
  3. Domain Type: Windows
  4. Authentication Broker: "master_hostname"
  5. Port: 0

How can I launch nbconsole.exe as domain.com\nbuadministrator?

 


Nagalla's picture

Hi,

On my master server, access control is set to Prohibit, and I am able to log in with the Windows username and password.

In Administration Console, under Host Properties -> Master Servers -> Properties of "master_hostname" -> Access Control -> Netbackup Product Authentication & Authorization is set to Prohibit.

 

Could you try setting it to Prohibit and check once?

 

pandarazzi's picture

Hi Nagalla,

Thank you for your reply.

It will work if I set it to Prohibited but it will defeat the purpose for us to implement NBAC.

Nagalla's picture

hi Pandarazzi,

I just thought that you were concerned about logging in. I understand that you are concerned about NBAC login. Let's do this.

Did you look into the T/N below and verify that your configuration is fine?

I would be interested to see the outputs below. Information about the commands is in the tech note below.

 

    bpnbat -whoami -cf
    bpnbat -loginmachine
    bpnbat -ShowMachines
    bpnbaz -ShowAuthorizers
    bpnbaz -listgroups

http://www.symantec.com/business/support/index?pag...

 

 

pandarazzi's picture

Hi Nagalla,

I ran the commands and these are the results. I presume that, configuration-wise, it is done correctly when all the queries seem fine? Is there anywhere I can check the logs of the "Symantec Product Authentication subsystem"?

C:\Windows\system32>bpnbat -whoami -cf
Name: hostname.domain.com
Domain: NBU_Machines@hostname.domain.com
Issued by: /CN=broker/OU=root@hostname.domain.com/O=vx
Expiry Date: Dec 13 10:25:38 2013 GMT
Authentication method: Symantec Private Domain

C:\Windows\system32>bpnbat -showmachines
hostname
hostname.domain.com
Operation completed successfully.

C:\Windows\system32>bpnbaz -ShowAuthorizers
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@hostname.domain.com
Name: hostname

==========
Type: User
Domain Type: vx
Domain:NBU_Machines@hostname.domain.com
Name: hostname.domain.com

Operation completed successfully.

C:\Windows\system32>bpnbaz -listgroups
NBU_User
NBU_Operator
NBU_Admin
NBU_Security Admin
Vault_Operator
NBU_SAN Admin
NBU_KMS Admin
Operation completed successfully.

 

Nagalla's picture

hi Pandarazzi,

 

Did you replace the server's name with "hostname", or did you just copy the output as it is?

Because I wonder: bpnbat -showmachines is showing "hostname". (Did you replace the server name while copying?)

C:\Windows\system32>bpnbat -showmachines

hostname
hostname.domain.com
Operation completed successfully.

 

bpnbaz -ShowAuthorizers is also not showing the master and media servers' names.

C:\Windows\system32>bpnbaz -ShowAuthorizers

==========
Type: User
Domain Type: vx
Domain:NBU_Machines@hostname.domain.com
Name: hostname

==========
Type: User
Domain Type: vx
Domain:NBU_Machines@hostname.domain.com
Name: hostname.domain.com

 

Check this:

1) To verify which computers are present in the authentication broker, log on as a member of the Administrators group and run the following command:

bpnbat -ShowMachines

This command shows the computers for which you have run bpnbat -AddMachine.

Note:

If a host is not on the list, run bpnbat -AddMachine from the master. Then run bpnbat -loginMachine from the host in question.

 

2) To verify which computers are permitted to perform authorization lookups, log on as a member of the Administrators group and run the following command:

bpnbaz -ShowAuthorizers

This command shows that win_master and win_media (master and media servers) are permitted to perform authorization lookups. Note that both servers are authenticated against the same Private Domain (domain type vx), NBU_Machines@win_master.company.com.

Note:

Run this command by local administrator or by root. The local administrator must be a member of the NBU_Security Admin user group.

    bpnbaz -ShowAuthorizers
    ==========
    Type: User
    Domain Type: vx
    Domain:NBU_Machines@win_master.company.com
    Name: win_master.company.com
    ==========
    Type: User
    Domain Type: vx
    Domain:NBU_Machines@win_master.company.com
    Name: win_media.company.com
    Operation completed successfully.

If a master server or media server is not on the list of authorized computers, run bpnbaz -allowauthorization server_name to add the missing computer.

 

 

3) Use the Windows Task Manager to make sure that nbatd.exe and nbazd.exe are running on the designated host. If necessary, start them.
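
The first two checks in the post above can be run over saved command output. The following is an added example, not part of the original thread or of NetBackup: it parses `bpnbat -ShowMachines` and `bpnbaz -ShowAuthorizers` output in the format quoted above and lists which expected hosts are missing. The host inventory (`EXPECTED`) and the sample output are constructed.

```python
SUCCESS = "Operation completed successfully."
def parse_machines(text):
    """Host names from `bpnbat -ShowMachines` output, one per line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if SUCCESS not in lines:
        raise ValueError("output lacks the success line")
    return [ln for ln in lines if ln != SUCCESS]

def parse_authorizers(text):
    """Records from `bpnbaz -ShowAuthorizers`; a ===== rule opens each one."""
    records = []
    for ln in (raw.strip() for raw in text.splitlines()):
        if ln.startswith("====="):
            records.append({})
        elif records and ":" in ln:
            key, _, value = ln.partition(":")  # "Domain:NBU_..." has no space
            records[-1][key.strip()] = value.strip()
    return records

def missing_hosts(expected, machines, authorizers):
    """Map each expected host to the follow-up commands the thread names."""
    in_broker = {m.lower() for m in machines}
    allowed = {r.get("Name", "").lower() for r in authorizers}
    report = {}
    for host in expected:
        gaps = []
        if host.lower() not in in_broker:
            gaps.append("bpnbat -AddMachine, then bpnbat -loginMachine on the host")
        if host.lower() not in allowed:
            gaps.append("bpnbaz -allowauthorization " + host)
        if gaps:
            report[host] = gaps
    return report

# Constructed sample input in the output format quoted in the thread.
MACHINES_OUT = "win_master.company.com\nOperation completed successfully.\n"
AUTHORIZERS_OUT = """==========
Type: User
Domain Type: vx
Domain:NBU_Machines@win_master.company.com
Name: win_master.company.com
Operation completed successfully.
"""
EXPECTED = ["win_master.company.com", "win_media.company.com"]  # assumed inventory

if __name__ == "__main__":
    for host, gaps in missing_hosts(EXPECTED, parse_machines(MACHINES_OUT),
                                    parse_authorizers(AUTHORIZERS_OUT)).items():
        print(host, "->", "; ".join(gaps))
```

Names are compared case-insensitively but not expanded, so a short host name and its fully qualified form count as different entries.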

 

 

pandarazzi's picture

Hi Nagalla,

Thank you for your patience. I did replace the hostname and domain.com in the results, where hostname refers to my master server's hostname and domain.com refers to the domain name.

nbatd and nbazd are both running.

Nagalla's picture

hi Pandarazzi,

I am just curious whether you could try to log in with a local admin ID, which does not have any relation to the domain ID.

Because I just read the 3 statements below in the admin guide, and I believe we are good for the first 2, so I just want to make sure of the 3rd one also.

  • Make sure the service is running
  • Make sure that you have set up trust with the authentication broker.
  • Make sure that you are logging in as the local administrator.

pandarazzi's picture

Hi Nagalla,

I logged in as a local administrator and started NBU console. It prompted to establish trust to the broker and I clicked "Yes" to attempt to set up trust relationship with the broker. It only prompted "You did not authenticate via the Symantec Product Authentication subsystem. Please attempt to login as a different user"