
Unable to log into NBU Master with NBU Java Console

Created: 08 Mar 2013 • Updated: 25 Jun 2013 | 15 comments
Shantharam Sahyadri's picture
This issue has been solved. See solution.

Hi All,

I am trying to log in to an NBU 7.5.0.4 master server (Windows 2008 R2) using the NBU Java console. Login fails with error 503 (Invalid User).

Looking into the bpjava-msvc logs, I can see the error message below.

 

16:23:15.081 [14920.2400] <2> supportFiles: bpjava-msvc compiled on Sep 16 2012 at 09:33:51, NetBackup 7.5, level = 750000
16:23:15.081 [14920.2400] <2> supportFiles: debug level is 1
16:23:15.081 [14920.2400] <2> logparams:  -transient 
16:23:15.081 [14920.2400] <2> bpjava-msvc: myhostame = MASTER, I am >netbackup<, real locale = C, messsage locale = C, my master is MASTER.domian.com
16:23:15.081 [14920.2400] <2> StartedByInetd: I was NOT started by the bpInetd process
16:23:15.081 [14920.2400] <2> bpjava-msvc: transient Master, I am not the daemon
16:23:15.081 [14920.2400] <2> bpjava-msvc:  currentObj.MyPort = 13722 , main_accept_init = 268, username = netbackup, real locale = C, auth.conf in D:\Program Files\Veritas\java
16:23:15.439 [14920.2400] <2> command_LOGON_TO_MSERVER: lines = 6, expectXML = 0
16:23:15.658 [14920.2400] <2> command_LOGON_TO_MSERVER: user = nbuadmin
16:23:15.658 [14920.2400] <2> command_LOGON_TO_MSERVER: this host = MASTER.domian.com
16:23:15.658 [14920.2400] <2> command_LOGON_TO_MSERVER: locale = en_US
16:23:15.658 [14920.2400] <2> command_LOGON_TO_MSERVER: currentObj.AuthConfPath = D:\Program Files\Veritas\java\auth.conf
16:23:15.658 [14920.2400] <2> command_LOGON_TO_MSERVER: client version = 750000 IPC , my version = 750000 [IPC]
16:23:15.658 [14920.2400] <2> command_LOGON_TO_MSERVER: converted to common locale = en_US
16:23:15.673 [14920.2400] <2> command_LOGON_TO_MSERVER: converted to real locale = american
16:23:15.673 [14920.2400] <2> command_LOGON_TO_MSERVER: Oracle locale NLS_LANG = AMERICAN_AMERICA.US7ASCII
16:23:15.673 [14920.2400] <2> peerconnect: peer hostname is a2md11873.domian.com, peer address is 172.22.9.20
16:23:15.673 [14920.2400] <2> newAuthenticate: domain\username = nbuadmin
16:23:15.673 [14920.2400] <16> EnablePrivilege: AdjustTokenPrivileges of SeAssignPrimaryTokenPrivilege failed, result = 1,  errno = 1300 = Not all privileges or groups referenced are assigned to the caller. 
16:23:15.673 [14920.2400] <16> command_LOGON_TO_MSERVER: authenticate failed for user nbuadmin (user not found)
16:23:15.876 [14920.2400] <2> readCharByChar: socket closed gracefully
16:23:15.876 [14920.2400] <16> poll_listen: can't find file descriptor 000000000000010C in polling table
16:23:15.876 [14920.2400] <2> KillSessionsJobs: getjobcount = 0
16:23:15.876 [14920.2400] <2> poll_exit: all done, code = 0 
16:23:15.876 [14920.2400] <4> bpjava-msvc: NEW_LOG closing debugFD and seting NB_INVALID
 
I have created an auth.conf with valid entries:
 
domainname\nbuadmin ADMIN=ALL JBP=ALL
domainname\netbackup ADMIN=ALL JBP=ALL
 
Anyone with ideas why it fails to EnablePrivilege for assigning Token?
 
Is there any specific permission to be set for the netbackup user in AD?

15 Comments

Nagalla's picture

Hi,

First, check: are you able to log in to the server using the same user?

Check by starting the Java console with "Run as administrator".

Try disabling User Account Control in Windows 2008.

 

Shantharam Sahyadri's picture

Hi,

UAC is disabled and netbackup user is a domain user with local admin privileges on the master server. nbuadmin is a local user account on the master server and is also part of local admin for the master server.

The NBU services are running as user netbackup. All features and functions work fine, but for some reason it fails to auth the user.

Running the Java console from the master server still ends with the same message.

<16> EnablePrivilege: AdjustTokenPrivileges of SeAssignPrimaryTokenPrivilege failed, result = 1,  errno = 1300 = Not all privileges or groups referenced are assigned to the caller. 

Regards

Shantharam Sahyadri

 

 

Andrew Madsen's picture

How are you logging in? domain\username? localserver\nbuadmin? You will need to do it that way for this to work.

The above comments are not to be construed as an official stance of the company I work for; hell half the time they are not even an official stance for me.

Shantharam Sahyadri's picture

Yes, logging in with domainname\username or localserver\username also ends with the same message.

 

<2> newAuthenticate: domain\username = MASTER\nbuadmin
<16> EnablePrivilege: AdjustTokenPrivileges of SeAssignPrimaryTokenPrivilege failed, result = 1,  errno = 1300 = Not all privileges or groups referenced are assigned to the caller. 
<16> command_LOGON_TO_MSERVER: authenticate failed for user nbuadmin (user not found)
CRZ's picture

What's in D:\Program Files\Veritas\java\auth.conf? Is an entry for nbuadmin in there? Is it what you would expect, or does it need a quick edit?


bit.ly/76LBN | APPLBN | 75LBN

Shantharam Sahyadri's picture

D:\Program Files\Veritas\java\auth.conf contains 

 

domainname\nbuadmin ADMIN=ALL JBP=ALL
domainname\netbackup ADMIN=ALL JBP=ALL
 
What I don't understand is why this 1300 error is happening at OS level even when the account running netbackup has local admin privileges on master server.

 

Nagalla's picture

Hi,

Your previous post says that nbuadmin is a local account, but auth.conf has an entry like

domainname\nbuadmin ADMIN=ALL JBP=ALL.

Try either of the entries below and see how it works:

nbuadmin ADMIN=ALL JBP=ALL

or 

* ADMIN=ALL JBP=ALL

 

Shantharam Sahyadri's picture

Hi,

Sorry, my mistake. The entry for nbuadmin is

hostname\nbuadmin ADMIN=ALL JBP=ALL

domainname\netbackup ADMIN=ALL JBP=ALL.

I am sure it's not an issue with auth.conf because looking at the log I can see it fails to even search for the user (see error "user not found") on the local machine or in Active Directory. auth.conf would come later to provide authorization. Here authentication is failing.

Will open a tech case for this and see..
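
A small triage helper for the bpjava-msvc lines quoted in this thread, added here as an example and not part of any post or of NetBackup itself: it pulls out the submitted account name, the <16> lines, and the privilege and Win32 error behind the failure. The function and field names are assumptions; the sample lines are copied from the log excerpt in the original post.

```python
import re

# Layout of each line in the bpjava-msvc excerpt:
#   HH:MM:SS.mmm [pid.tid] <severity> function: message
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) \[\d+\.\d+\] <(\d+)> ([^:]+): ?(.*)$")
PRIV_RE = re.compile(r"AdjustTokenPrivileges of (\w+) failed, result = \d+,\s+errno = (\d+)")
FAIL_RE = re.compile(r"authenticate failed for user (\S+) \((.+)\)")
USER_RE = re.compile(r"domain\\username = (.+)")
WIN32_NAMES = {1300: "ERROR_NOT_ALL_ASSIGNED"}  # winerror.h name for errno 1300

# Lines copied from the log excerpt in the original post.
SAMPLE = r"""
16:23:15.673 [14920.2400] <2> peerconnect: peer hostname is a2md11873.domian.com, peer address is 172.22.9.20
16:23:15.673 [14920.2400] <2> newAuthenticate: domain\username = nbuadmin
16:23:15.673 [14920.2400] <16> EnablePrivilege: AdjustTokenPrivileges of SeAssignPrimaryTokenPrivilege failed, result = 1,  errno = 1300 = Not all privileges or groups referenced are assigned to the caller.
16:23:15.673 [14920.2400] <16> command_LOGON_TO_MSERVER: authenticate failed for user nbuadmin (user not found)
16:23:15.876 [14920.2400] <2> readCharByChar: socket closed gracefully
"""

def triage(log_text):
    """Summarise a logon attempt: submitted name, <16> lines, failed privilege, reason."""
    report = {"submitted_as": None, "errors": [], "privilege": None,
              "errno": None, "errno_name": None, "failed_user": None, "reason": None}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        time, sev, func, msg = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        if func == "newAuthenticate" and (u := USER_RE.search(msg)):
            report["submitted_as"] = u.group(1).strip()
        if sev != 16:
            continue  # only the <16> lines in the excerpt report failures
        report["errors"].append((time, func))
        if p := PRIV_RE.search(msg):
            report["privilege"] = p.group(1)
            report["errno"] = int(p.group(2))
            report["errno_name"] = WIN32_NAMES.get(report["errno"])
        if f := FAIL_RE.search(msg):
            report["failed_user"], report["reason"] = f.group(1), f.group(2)
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Error 1300 from AdjustTokenPrivileges means the calling process token does not hold the named privilege, so the account's user rights assignment is what to inspect, separately from its group membership.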

Andrew Madsen's picture

We have a 2008 server that we do not use an auth.conf for at all. We log in using domain\username. The user is a part of an AD group that has admin rights to the box. I might suggest renaming the auth.conf and trying again.

The above comments are not to be construed as an official stance of the company I work for; hell half the time they are not even an official stance for me.

Shantharam Sahyadri's picture

The default setup does not have auth.conf. I had to create it because it was not allowing me to log in with a domain account or local admin account.

Andrew Madsen's picture

That is the point I was trying to make. We do not have an auth.conf and multiple people can log in using the domain\userid combination. They are members of the local administrators group by virtue of group membership. See the attached picture.

 

login.png

The above comments are not to be construed as an official stance of the company I work for; hell half the time they are not even an official stance for me.

Shantharam Sahyadri's picture

Removing the auth file is of no help. Still ending up with

<16> EnablePrivilege: AdjustTokenPrivileges of SeAssignPrimaryTokenPrivilege failed, result = 1,  errno = 1300 = Not all privileges or groups referenced are assigned to the caller.

error.

Will Restore's picture

This is why we have a Unix master ;)

Will Restore -- where there is a Will there is a way

Jacob_Ruben's picture

Check whether the user name is locked/disabled in the domain.

Shantharam Sahyadri's picture

Resolved this issue after upgrading to the latest version, 7.5.6.

SOLUTION