Web server user/group setup steps for a NetBackup master server

Article: 100023872
Last Published: 2022-10-26
Product(s): NetBackup & Alta Data Protection

Problem

Beginning with NetBackup 8.0, the NetBackup master server includes a configured web server to support critical backup operations. This web server operates under user account elements with limited privileges. These user account elements must be available on each master server (or each node of a clustered master server).
 

Solution

Numerous procedures can be used to create users and groups in operating systems. Some specific approaches are listed below, but other methods may accomplish the same goal. The home directory path, user name, and group names are not hardcoded, and can be changed. The default local user name is nbwebsvc, and the default local group name is nbwebgrp. The user and group should at least have sufficient permissions to run daemons.

For more information about customizing the user and group names, please see the section Installation and upgrade requirements for UNIX and Linux in the NetBackup Installation Guide.

For security purposes, do not create web server users or groups with administrator or root privileges.
 

Note: If the password associated with the web server account expires after initial configuration, NetBackup provides no notification that the password has expired. This behavior is normal and expected, as the operating system manages the account and the password.

As long as the web server remains active, the account and the web server continue to operate normally.

When the web server is restarted, or if you attempt to restart the nbwmc service, the service fails to start, due to the expired password. Navigate to the appropriate area in the operating system, supply the correct password, and restart the service.
 

UNIX

Linux and non-AIX UNIX:
  1. To create the local group, enter the following:
    # groupadd nbwebgrp
  2. To create the local user account, enter the following:
    # useradd -g nbwebgrp -c 'NetBackup Web Services account' -d /usr/openv/wmc nbwebsvc
AIX:
  1. Create local group:
    # mkgroup nbwebgrp
  2. Create local user account:
    # mkuser home='/usr/openv/wmc' groups='nbwebgrp' nbwebsvc

Note: In clustered environments, make sure local accounts are defined consistently on all cluster nodes. If you use a clustered environment on Linux or UNIX platforms, the NetBackup web service user can be a local user and the group can be a local group. The NetBackup web service user must have the same name and UID on all nodes of the cluster. Also, the group must have the same name and GID on all nodes of the cluster. It is recommended to use domain users (Example: NIS) for clustered environments.

LDAP accounts are supported and can be used on UNIX.

POSIX Shell requirements:  The Web Services account must use a POSIX compliant shell.
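
The UNIX requirements above (no root privileges for the user or group, the user being a member of the group, a POSIX compliant shell, and matching UID/GID on cluster nodes) can be checked with a short script. This is an added example, not part of the original article or of NetBackup: the function name check_nbweb_account is hypothetical, and it reads the local /etc/passwd and /etc/group by default, so NIS or LDAP accounts would first have to be exported in the same format (for example with getent, where it exists).

```shell
#!/bin/sh
# Added example: audit the NetBackup web service account on one node.
# Arguments (all optional): user, group, passwd file, group file.
# Prints "uid:gid" on success so the pair can be compared across cluster nodes.
check_nbweb_account() {
    user=${1:-nbwebsvc}
    group=${2:-nbwebgrp}
    passwd_file=${3:-/etc/passwd}
    group_file=${4:-/etc/group}

    pw_line=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$pw_line" ]; then echo "FAIL: user $user not found" >&2; return 1; fi
    gr_line=$(awk -F: -v g="$group" '$1 == g { print; exit }' "$group_file")
    if [ -z "$gr_line" ]; then echo "FAIL: group $group not found" >&2; return 1; fi

    uid=$(printf '%s\n' "$pw_line" | cut -d: -f3)
    primary_gid=$(printf '%s\n' "$pw_line" | cut -d: -f4)
    shell=$(printf '%s\n' "$pw_line" | cut -d: -f7)
    gid=$(printf '%s\n' "$gr_line" | cut -d: -f3)
    members=$(printf '%s\n' "$gr_line" | cut -d: -f4)

    # The article forbids root privileges for the web server user and group.
    if [ "$uid" = 0 ] || [ "$gid" = 0 ] || [ "$primary_gid" = 0 ]; then
        echo "FAIL: $user or $group maps to UID/GID 0" >&2; return 1
    fi
    # Also reject supplementary membership in any GID 0 group.
    if awk -F: -v u="$user" '$3 == 0 { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) f = 1 } END { exit !f }' "$group_file"; then
        echo "FAIL: $user is a member of a GID 0 group" >&2; return 1
    fi
    # The user must belong to the group, as primary or supplementary member.
    case ",$members," in *",$user,"*) in_group=1 ;; *) in_group=0 ;; esac
    if [ "$primary_gid" != "$gid" ] && [ "$in_group" = 0 ]; then
        echo "FAIL: $user is not a member of $group" >&2; return 1
    fi
    # Assumption: csh-family and no-login shells count as not POSIX compliant.
    case "${shell##*/}" in
        csh|tcsh|nologin|false)
            echo "FAIL: shell $shell is not a POSIX shell" >&2; return 1 ;;
    esac
    echo "$uid:$gid"
}
```

Run the function on every node of a clustered master server and compare the printed uid:gid pair; any difference between nodes violates the same-UID and same-GID requirement.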

Windows

1. Create a local user account
 C:\>net user nbwebsvc <StrongPassword> /add
 
Note: If your master is clustered, then you must use a domain account. A domain account can also be used in non-clustered environments.
Note:  User names on Windows systems must be 20 characters or less. Make sure that the password for the web user is set to never expire.
 
This can be done by running:
 
WMIC USERACCOUNT WHERE Name='nbwebsvc' SET PasswordExpires=FALSE
 
Then run this to confirm:
 
net user nbwebsvc | findstr /C:expires

2. Create a local group:
 C:\>net localgroup nbwebgrp /add
 
Note: If your master is clustered, then you must use a domain account. A domain account can also be used in non-clustered environments.
 
3. Make the user a member of the group:
 C:\>net localgroup nbwebgrp nbwebsvc /add

4. Grant the Log on as a service right to the user:
  • Go to Control Panel > Administrative Tools > Local Security Policy
  • Under Security Settings, click Local Policies and then User Rights Assignment
  • Right-click on Log on as a service and select Properties
  • Add the local user. The default local user name is "nbwebsvc".
  • Save your changes and close the "Log on as a service" Properties dialog.
The installation of NetBackup Master Server will fail if any of these requirements are not met. On Windows, you will be asked to provide the password for the user account as part of the installation process.
 
Note: You must use domain accounts in clustered environments on Windows.
 

References

Etrack : 3938338
