
Using auth.conf file with UNIX/ Windows active directory or local user groups

Created: 14 Jan 2013 • Updated: 14 Jan 2013 | 5 comments
This issue has been solved. See solution.

Hello all,

 

I’m running NBU 7.1.0.3 on a RedHat 2.6 Linux Server, using JAVA admin console

We aim to restrict access to some users only using the auth.conf file

Checking the admin guide and Symantec forums, it seems the only way to do that is to set access for individual users, not UNIX / Windows active directory groups

I tried to add one group on the auth.conf file, but users who are members of this group cannot connect

Did anyone try this?

Our authfile.conf looks like this :

User1 ADMIN=ALL JBP=ALL

User2 ADMIN=ALL JBP=ALL

User3 ADMIN=ALL JBP=ALL

* ADMIN=JBP JBP=ENDUSER+BU+ARC

 

Adding a group this way seems not to work :

WindowsDomain\group ADMIN=ALL JBP=ALL

User2 ADMIN=ALL JBP=ALL

User3 ADMIN=ALL JBP=ALL

* ADMIN=JBP JBP=ENDUSER+BU+ARC

 

Thanks

 

David

Comments

RamNagalla

It looks like NetBackup does not allow specifying group names.

See below from the Admin guide: it needs an individual entry for each user, not group entries.

 

 

The first field of each entry is the user name that is granted access to the rights
that the entry specifies. In the released version, the first field lets root users use
all of the NetBackup-Java applications.
An asterisk in the first field indicates that any user name is accepted and the user
is allowed to use the applications as specified. If the auth.conf file exists, it must
have an entry for each user. Or, the auth.conf file must have an entry that
contains an asterisk (*) in the user name field; users without entries cannot access
any NetBackup-Java applications. Any entries that designate specific user names
must precede a line that contains an asterisk in the user name field.
 
Note: The asterisk specification cannot be used to authorize all users for any
administrator capabilities. Each user must be authorized by using individual
entries in the auth.conf file.
 
Using the vi editor, it might not be a big deal to enter all user entries.

 

SOLUTION
RLeon

From this thread:
https://www.symantec.com/connect/forums/java-admin...

One of the limitations of using the auth.conf method as opposed to using NBAC is that any user you specify in the auth.conf file will have to be a local admin.
(For Linux, that means adding the user to the Master/Media Server's root group).

This kind of defeats the purpose of "limiting access to the Master/Media Server".
It works in a sense that individual features in the Nbu Console can be disabled for a user, but this is on the Application level.
On the OS level though, that user has to be a local admin group/root group member.

But I would still recommend auth.conf over NBAC(VxSS)... *PTSDing*

Edit: There is a part in the admin guide about authorizing nonroot users using auth.conf. I will give it a try on Linux some other time.

DavidE31

auth.conf seems to be the easiest way to set users access, even if we have to type in users one by one

As members of UNIX or Windows groups don't often change, maintaining the file won't be very difficult

Thank you for your replies
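
Added example, not part of the original thread and not Symantec code: because auth.conf takes user names rather than groups, this Python script expands one line of `getent group` output into per-user entries, keeps the asterisk entry last as the quoted admin guide requires, and reports any named entry placed after it. The group name `nbu_admins`, the function names and the sample line are assumptions made for illustration.

```python
"""Added example: expand a UNIX group into per-user auth.conf entries."""

# Catch-all entry as posted in the thread; it must stay the last line.
DEFAULT_ENTRY = "* ADMIN=JBP JBP=ENDUSER+BU+ARC"


def group_members(getent_line):
    """Return member names from one group database line (name:passwd:gid:members)."""
    fields = getent_line.strip().split(":")
    if len(fields) != 4:
        raise ValueError("not a group database line: %r" % getent_line)
    return [m for m in fields[3].split(",") if m]


def render_auth_conf(users, rights="ADMIN=ALL JBP=ALL", default_entry=DEFAULT_ENTRY):
    """One entry per user, de-duplicated, with the asterisk entry last."""
    seen, lines = set(), []
    for user in users:
        # Reject names that would turn into a wildcard or split into extra fields.
        if not user or user == "*" or any(c.isspace() for c in user):
            raise ValueError("unsafe user name: %r" % user)
        if user not in seen:
            seen.add(user)
            lines.append("%s %s" % (user, rights))
    lines.append(default_entry)
    return "\n".join(lines) + "\n"


def entries_after_asterisk(conf_text):
    """Names listed after the '*' line, which breaks the guide's ordering rule."""
    misplaced, seen_star = [], False
    for raw in conf_text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if fields[0] == "*":
            seen_star = True
        elif seen_star:
            misplaced.append(fields[0])
    return misplaced


if __name__ == "__main__":
    # Constructed sample line; on a real server it would come from:
    #   getent group nbu_admins
    sample = "nbu_admins:x:1001:User2,User3,User2"
    print(render_auth_conf(group_members(sample)), end="")
```

`getent group` lists only supplementary members, so an account that has the group as its primary group must be added separately. Regenerate the file whenever group membership changes, since a removed member keeps console access until the entry is gone.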

Andrew Madsen

The user needs only to have access to the server for the auth.conf to take effect. So someone that can log in with /bin/null access can then have his rights to NetBackup set with the auth.conf and not have any rights to work in the OS shell.

The above comments are not to be construed as an official stance of the company I work for; hell half the time they are not even an official stance for me.

RLeon

Any idea if this applies to Windows nbu servers and clients?

(Whoops hijack)