Important Update: Cohesity Products Knowledge Base Articles


All Cohesity Knowledge Base Articles are now managed via the Cohesity Support Portal: https://support.cohesity.com/. The Knowledge Base articles available here will not reflect the latest information or may no longer be accessible.

How to configure NetBackup Appliances to authenticate Active Directory or LDAP users

Article: 100038660
Last Published: 2017-05-19
Product(s): Appliances

Description

The types of users that can be added to a NetBackup appliance are Local (native users), LDAP, Active Directory, and Kerberos-NIS.

For Active Directory, NetBackup appliance versions 2.6.0.3 and higher use Samba, Winbind, Kerberos and the built-in Pluggable Authentication Module (PAM) plug-in to authenticate Active Directory (AD) users.

Use LDAP when connecting to a directory server other than AD that speaks LDAP, such as OpenLDAP.

Use Kerberos-NIS when authenticating NIS directory users.

Steps to Solution:

Basic Setup for AD:
Settings > Security > Authentication > ActiveDirectory > Configure <domain | AD_server | IP> <user>
Enter Password :

Notes:
Full domain administrative rights are required.

You can also create an OU for the NetBackup appliances, add a computer object for the appliance (by hostname) to that OU, and grant that object domain administrative rights.

Make sure the DNS servers configured on the appliance can forward to the AD server; it is best to use the AD server itself if it is also a DNS server.

WinBind and Kerberos are used.
AD groups are currently set to synchronize automatically at 01:00 every day.

Troubleshooting AD config:

For NetBackup appliance versions 2.7.1 through 3.0, the /log/app_vxul/* log files, particularly 409-1 (NBAPP_COMMON), 409-99 (NBUAPP_TRACE), 409-20 (NBAPP_RUNCMD) and /var/log/messages are helpful.


For NetBackup appliance versions 2.6.0.3 through 2.6.1.2, the YaST log includes useful information:
/var/log/YaST2/y2log

as well as the /log/app_vxul/* log files, particularly 409-1 (NBAPP_COMMON), 409-99 (NBUAPP_TRACE), 409-20 (NBAPP_RUNCMD), and /var/log/messages.


Check the Kerberos config file before and after configuration. It should be populated with the AD realm, not left at the defaults (see Default Kerberos config below).
/etc/krb5.conf

Use the WinBind info command (wbinfo) to test connectivity:
wbinfo --user-info=<user>
wbinfo --group-info=<groupnamehere>
wbinfo --all-domains
wbinfo --trusted-domains
wbinfo --domain-groups

If possible use Microsoft tools on the Windows side, and use ldapsearch on the appliance side to compare the config.

Below are some examples:
Example dsquery for the username:
dsquery user -name Administrator

Use the above info for the command below:

Example dsquery to show the group membership of the Administrator account:
dsquery * CN=Administrator,CN=Users,DC=Bob.Smith,DC=veritas,DC=com -scope base -attr * | findstr memberOf

Default Kerberos config (if it looks like this, it is not configured for AD):
cat /etc/krb5.conf
[libdefaults]
#    default_realm = EXAMPLE.COM

[realms]
#    EXAMPLE.COM = {
#    kdc = kerberos.example.com
#    admin_server = kerberos.example.com
#    }

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
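The two checks described above, a krb5.conf that is still the stock default and the wbinfo connectivity tests, as a small POSIX shell script. This is an added example, not Veritas/Cohesity appliance code; it assumes the stock krb5.conf layout shown above, and the user and group names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not appliance code. Detects whether /etc/krb5.conf is still the stock
# default shown above (no active default_realm, no active realm stanza) and runs the
# article's wbinfo connectivity checks. Usage:
#   krb5_is_configured /etc/krb5.conf && winbind_checks jdoe "Domain Users"
# (jdoe and "Domain Users" are placeholder names.)

# Returns 0 when the file has an uncommented default_realm and an uncommented
# "REALM = {" stanza, 1 when either is missing (still the default), 2 if unreadable.
krb5_is_configured() {
    f="${1:-/etc/krb5.conf}"
    [ -r "$f" ] || return 2
    active=$(sed -e 's/#.*//' "$f")           # drop comments, keep live settings only
    printf '%s\n' "$active" | grep -Eq '^[[:space:]]*default_realm[[:space:]]*=' || return 1
    printf '%s\n' "$active" | grep -Eq '^[[:space:]]*[A-Za-z0-9.-]+[[:space:]]*=[[:space:]]*\{' || return 1
    return 0
}

# Run one command silently and report ok/FAIL; sets rc=1 on failure.
run_check() {
    if "$@" >/dev/null 2>&1; then echo "ok:   $*"; else echo "FAIL: $*"; rc=1; fi
}

# The wbinfo checks from the article: user lookup, group lookup, then the domain lists.
# Returns 0 only if every check passed.
winbind_checks() {
    rc=0
    run_check wbinfo --user-info="$1"
    run_check wbinfo --group-info="$2"
    run_check wbinfo --all-domains
    run_check wbinfo --trusted-domains
    run_check wbinfo --domain-groups
    return $rc
}
```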

Basic Setup for LDAP (not AD):
Settings > Security > Authentication > LDAP

ConfigParam Set base ou=internal,dc=sub,dc=domain,dc=com
ConfigParam Set ssl No
ConfigParam Set binddn cn=Bob.Smith,ou=it,ou=internal,dc=sub,dc=domain,dc=com
ConfigParam Set bindpw ******** (blanked out password)
ConfigParam Set host <I.P./hostname>
Configure
Enable


Verify the settings were set:
ConfigParam show

Next issue the configure command:
Configure

The WebGUI should then show that the connection succeeded and the LDAP server is connected.

Troubleshooting LDAP config:

For NetBackup appliance versions 2.7.1 through 3.0, the /log/app_vxul/* log files, particularly 409-1 (NBAPP_COMMON), 409-99 (NBUAPP_TRACE), 409-20 (NBAPP_RUNCMD) and /var/log/messages are helpful.


For NetBackup appliance versions 2.6.0.3 through 2.6.1.2, the YaST log includes useful information:
/var/log/YaST2/y2log

as well as the /log/app_vxul/* log files, particularly 409-1 (NBAPP_COMMON), 409-99 (NBUAPP_TRACE), 409-20 (NBAPP_RUNCMD), and /var/log/messages.



Use Microsoft tools on the Windows side, and use ldapsearch on the appliance side to compare the config.

Here are some examples:
Example dsquery for the username:
dsquery user -name Administrator

Use the output above for the command below:

Example dsquery to show the group membership of the Administrator account:
dsquery * CN=Administrator,CN=Users,DC=Bob.Smith,DC=veritas,DC=com -scope base -attr * | findstr memberOf

Example ldapsearch command from the appliance (its result should match the dsquery/dsget results above, along with some additional attributes); note that the IP in this command is the domain controller:

Example (URI form):
ldapsearch -H ldap://10.0.0.1:389 -x -D CN=Bob.Smith,OU=it,OU=internal,DC=vrts,DC=veritas,DC=com -b ou=internal,dc=sub,dc=domain,dc=com -W

The same query using the older host/port options:
ldapsearch -h 10.0.0.1 -p 389 -x -D CN=Bob.Smith,OU=it,OU=internal,DC=vrts,DC=veritas,DC=com -b ou=internal,dc=sub,dc=domain,dc=com -W
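Comparing the appliance-side ldapsearch result with the Windows-side dsquery output by hand is error-prone because ldapsearch emits LDIF, which folds long DNs onto continuation lines. The script below normalises the memberOf attribute from both sides and diffs the lists; it is an added example, not Veritas/Cohesity code, and assumes the dsquery side is the "memberOf: <DN>" lines produced by the findstr pipeline above.

```shell
#!/bin/sh
# Added example, not appliance code. Normalises memberOf from ldapsearch (LDIF on the
# appliance) and from "dsquery ... | findstr memberOf" (Windows) so the two group lists
# can be diffed. LDIF continuation lines start with one space and are re-joined first.
# Base64-encoded values ("memberOf::") are not decoded here.

# Read LDIF on stdin, print one memberOf DN per line, sorted.
ldif_member_of() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }   # continuation line: append to previous
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' | sed -n 's/^memberOf: //p' | sort
}

# Read findstr output on stdin (CRLF tolerated), print one DN per line, sorted.
dsquery_member_of() {
    tr -d '\r' | sed -n 's/^[[:space:]]*memberOf: //p' | sort
}

# $1 = file holding ldapsearch output, $2 = file holding dsquery/findstr output.
# Returns 0 when the appliance and the domain controller report the same groups.
compare_membership() {
    a=$(ldif_member_of < "$1"); b=$(dsquery_member_of < "$2")
    if [ "$a" = "$b" ]; then echo "memberOf lists match"; return 0; fi
    echo "memberOf lists differ (< appliance, > domain controller):"
    printf '%s\n' "$a" > "/tmp/.ldap.$$"; printf '%s\n' "$b" > "/tmp/.ds.$$"
    diff "/tmp/.ldap.$$" "/tmp/.ds.$$"; rm -f "/tmp/.ldap.$$" "/tmp/.ds.$$"
    return 1
}
```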
 
