Description
The types of users that can be added to a NetBackup appliance are Local (native users), LDAP, Active Directory, and Kerberos-NIS. For Active Directory, NetBackup appliance versions 2.6.0.3 and higher use Samba, Winbind, Kerberos and the built-in Pluggable Authentication Module (PAM) plug-in to authenticate Active Directory (AD) users.
Use LDAP when connecting to an LDAP server other than AD, such as OpenLDAP.
Use Kerberos-NIS when authenticating NIS directory users.
Steps to Solution:
Basic Setup for AD:
Settings > Security > Authentication > ActiveDirectory > Configure <domain | AD_server | IP> <user>
Enter Password :
Notes:
Full domain administrative rights are required for the account supplied to Configure.
Alternatively, create an OU for the NetBackup appliances, add a computer object for the appliance (named by its hostname) in that OU, and grant that object the domain administrative rights. Either way the credential used for the join is highly privileged, so use a dedicated account and change its password once the join has completed.
Make sure the DNS servers configured on the appliance can resolve the AD domain and forward to the AD server; using the AD server itself is best when it also acts as the DNS server.
Winbind and Kerberos perform the authentication, and both depend on working DNS (the SRV records that locate the domain controllers).
AD Groups are currently set to synchronize automatically at 01:00 every day.
Troubleshooting AD config:
For NetBackup appliance versions 2.7.1 through 3.0, the /log/app_vxul/* log files, particularly 409-1 (NBAPP_COMMON), 409-99 (NBUAPP_TRACE), 409-20 (NBAPP_RUNCMD) and /var/log/messages are helpful.
For NetBackup appliance versions 2.6.0.3 through 2.6.1.2, the YaST log will include useful information:
/var/log/YaST2/y2log
as well as the /log/app_vxul/* log files, particularly 409-1 (NBAPP_COMMON), 409-99 (NBUAPP_TRACE), 409-20 (NBAPP_RUNCMD), and /var/log/messages.
Check the Kerberos config file before and after running Configure. After a successful join it should contain the realm and KDC entries for the domain, not the commented-out defaults (see "Default Kerberos config" below):
/etc/krb5.conf
Use wbinfo to test winbind's connectivity to the domain:
wbinfo --user-info=<user>
wbinfo --group-info=<groupnamehere>
wbinfo --all-domains
wbinfo --trusted-domains
wbinfo --domain-groups
If possible, use Microsoft tools (dsquery) on the Windows side and ldapsearch on the appliance side, and compare the results.
Below are some examples:
Example dsquery for the username:
dsquery user -name Administrator
Use the DN returned above in the command below:
Example dsquery to show the group membership of the Administrator account:
dsquery * CN=Administrator,CN=Users,DC=Bob.Smith,DC=veritas,DC=com -scope base -attr * | findstr memberOf
Default Kerberos config (If it looks like this, it's not configured for AD):
cat /etc/krb5.conf
[libdefaults]
# default_realm = EXAMPLE.COM
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
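The krb5.conf check and the wbinfo commands above, as an added script that is not part of the original article or of Veritas' own tooling. It reads the [libdefaults] and [realms] sections specifically, because the stock file already carries an uncommented "kdc = FILE:..." line under [logging] that a naive grep for "kdc" would mistake for a configured KDC. The conf path, the domain user and group names on the command line, and the extra wbinfo --ping-dc call are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article or of Veritas' own tooling:
# decide whether /etc/krb5.conf has really been populated for the AD join, then
# run the wbinfo connectivity checks listed in the article. The conf path and
# the domain user/group names on the command line are assumptions.
export LC_ALL=C

# Constructed copy of the stock (unconfigured) file, used for the dry run.
stock_krb5_conf() {
  cat <<'EOF'
[libdefaults]
# default_realm = EXAMPLE.COM
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
EOF
}

# Print the uncommented default_realm from [libdefaults], or nothing.
krb5_default_realm() {
  awk '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    sec == "libdefaults" && /^[[:space:]]*default_realm[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
    }
  ' "$1"
}

# Exit 0 only when [libdefaults] has an uncommented default_realm AND [realms]
# has at least one uncommented kdc line. A plain "grep kdc" is not enough:
# the stock file already has an uncommented "kdc = FILE:..." under [logging],
# which is a log destination, not a KDC, so it must be ignored.
krb5_ad_configured() {
  awk '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    sec == "libdefaults" && /^[[:space:]]*default_realm[[:space:]]*=/ { realm = 1 }
    sec == "realms"      && /^[[:space:]]*kdc[[:space:]]*=/           { kdc = 1 }
    END { if (realm && kdc) exit 0; exit 1 }
  ' "$1"
}

# Run the wbinfo checks from the article against the live winbindd.
# --ping-dc is an addition: it confirms winbind can reach a DC before the
# lookups. $1 = domain user (DOMAIN\user or user@realm), $2 = domain group.
wbinfo_checks() {
  command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed" >&2; return 2; }
  rc=0
  for opt in --ping-dc "--user-info=$1" "--group-info=$2" --all-domains --trusted-domains --domain-groups; do
    printf '### wbinfo %s\n' "$opt"
    wbinfo "$opt" || { echo "FAILED: wbinfo $opt" >&2; rc=1; }
  done
  return $rc
}

# Usage: sh krb5check.sh [/etc/krb5.conf [DOMAIN\user DOMAIN\group]]
# With no arguments it checks the constructed stock file (expected: not configured).
main() {
  if [ $# -eq 0 ]; then
    conf=$(mktemp); stock_krb5_conf > "$conf"
  else
    conf=$1
  fi
  if krb5_ad_configured "$conf"; then
    echo "$conf: configured for realm $(krb5_default_realm "$conf")"
  else
    echo "$conf: still the stock defaults (no realm/KDC), the AD join has not written it" >&2
  fi
  if [ $# -ge 3 ]; then wbinfo_checks "$2" "$3"; fi
  if [ $# -eq 0 ]; then rm -f "$conf"; fi
}
main "$@"
```

Run it with no arguments to see the stock file reported as unconfigured, or point it at the appliance's /etc/krb5.conf after Configure and add a domain user and group to exercise the wbinfo lookups.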
Basic Setup for LDAP (not AD):
Settings > Security > Authentication > LDAP
ConfigParam Set base ou=internal,dc=sub,dc=domain,dc=com
ConfigParam Set ssl No
ConfigParam Set binddn cn=Bob.Smith,ou=it,ou=internal,dc=sub,dc=domain,dc=com
ConfigParam Set bindpw ******** (blanked out password)
ConfigParam Set host <I.P./hostname>
Verify the parameters were stored:
ConfigParam show
Then apply and enable the configuration:
Configure
Enable
Configure should report that the connection to the LDAP server succeeded, and the Web GUI should then show LDAP as connected.
Note: with ssl set to No, the bind DN and bindpw travel to the LDAP server in cleartext, as does every user password the appliance checks against it. Set ssl to Yes whenever the LDAP server supports it.
Troubleshooting LDAP config:
For NetBackup appliance versions 2.7.1 through 3.0, the /log/app_vxul/* log files, particularly 409-1 (NBAPP_COMMON), 409-99 (NBUAPP_TRACE), 409-20 (NBAPP_RUNCMD) and /var/log/messages are helpful.
For NetBackup appliance versions 2.6.0.3 through 2.6.1.2, the YaST log will include useful information:
/var/log/YaST2/y2log
as well as the /log/app_vxul/* log files, particularly 409-1 (NBAPP_COMMON), 409-99 (NBUAPP_TRACE), 409-20 (NBAPP_RUNCMD), and /var/log/messages.
Use Microsoft tools (dsquery) on the Windows side and ldapsearch on the appliance side, and compare the results.
Here are some examples:
Example dsquery for the username:
dsquery user -name Administrator
Use the DN returned above in the command below:
Example dsquery to show the group membership of the Administrator account:
dsquery * CN=Administrator,CN=Users,DC=Bob.Smith,DC=veritas,DC=com -scope base -attr * | findstr memberOf
Example ldapsearch command from the appliance. Its output should match the dsquery/dsget results above, plus some additional attributes. The IP address is the domain controller; the bind DN and base DN are the binddn and base values set with ConfigParam above, and -W prompts for the bind password so it does not end up in the shell history:
ldapsearch -H ldap://10.0.0.1:389 -x -W -D "cn=Bob.Smith,ou=it,ou=internal,dc=sub,dc=domain,dc=com" -b "ou=internal,dc=sub,dc=domain,dc=com"
Without a filter this returns every object under the base. Append a filter and the attribute name, for example "(sAMAccountName=Bob.Smith)" memberOf, to return only that account's group membership.
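The comparison step in both the AD and the LDAP troubleshooting sections (dsquery on Windows versus ldapsearch on the appliance) is tedious by eye, because the two tools format the same memberOf values differently. The script below is an added example, not part of the original article or of Veritas' tooling: it unfolds LDIF continuation lines, decodes base64 values, strips CRLF and indentation from a pasted dsquery listing, lower-cases the DNs (AD DNs are case-insensitive) and diffs the two sets. The sample outputs embedded in it are constructed, not captured from a real domain.

```shell
#!/bin/sh
# Added example, not from the original article or from Veritas: normalise the
# memberOf lines that dsquery (Windows side) and ldapsearch (appliance side)
# print for the same account and diff them, so a missing or extra group shows
# up instead of being lost in two differently formatted dumps. The sample
# outputs below are constructed, not captured from a real domain.
export LC_ALL=C

# LDIF folds long values: a line starting with one space continues the
# previous line. Rejoin them before looking at attribute names.
unwrap_ldif() {
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") print buf; buf = $0 }
    END { if (buf != "") print buf }
  ' "$1"
}

# AD DNs are case-insensitive, so compare them lower-cased and de-duplicated.
normalize_dns() {
  tr '[:upper:]' '[:lower:]' | sort -u
}

# memberOf values from ldapsearch output. "memberOf::" (double colon) means
# the value is base64-encoded, which LDIF requires for non-ASCII names.
memberof_from_ldif() {
  unwrap_ldif "$1" | while IFS= read -r line; do
    case "$line" in
      "memberOf:: "*) printf '%s' "${line#memberOf:: }" | base64 -d; printf '\n' ;;
      "memberOf: "*)  printf '%s\n' "${line#memberOf: }" ;;
    esac
  done | normalize_dns
}

# memberOf values from "dsquery ... -attr * | findstr memberOf" pasted from
# Windows: strip CR line endings and any indentation.
memberof_from_dsquery() {
  tr -d '\r' < "$1" | sed -n 's/^[[:space:]]*memberOf:[[:space:]]*//p' | normalize_dns
}

# Print the groups seen on only one side; exit 0 when both sides agree.
compare_memberof() {
  work=$(mktemp -d)
  memberof_from_ldif "$1" > "$work/ldap"
  memberof_from_dsquery "$2" > "$work/ad"
  comm -23 "$work/ldap" "$work/ad" | sed 's/^/only-in-ldapsearch: /'
  comm -13 "$work/ldap" "$work/ad" | sed 's/^/only-in-dsquery: /'
  cmp -s "$work/ldap" "$work/ad"; rc=$?
  rm -rf "$work"
  return $rc
}

# Constructed samples: an ldapsearch LDIF with a folded line and a base64 value
# (Q049T3BzLERDPWNvbQ== is "CN=Ops,DC=com"), and a CRLF dsquery paste with one
# group the LDIF does not have.
write_samples() {
  cat > "$1" <<'EOF'
# extended LDIF
dn: CN=Bob.Smith,OU=it,OU=internal,DC=sub,DC=domain,DC=com
memberOf: CN=Backup Operators,CN=Builtin,DC=sub,DC=domain,DC=com
memberOf: CN=NetBackup Appliance Admins,OU=Groups,OU=internal,DC=sub,DC=dom
 ain,DC=com
memberOf:: Q049T3BzLERDPWNvbQ==

# search result
search: 2
result: 0 Success
EOF
  printf '  memberOf: CN=Backup Operators,CN=Builtin,DC=sub,DC=domain,DC=com\r\n  memberOf: cn=netbackup appliance admins,ou=groups,ou=internal,dc=sub,dc=domain,dc=com\r\n  memberOf: CN=Domain Admins,CN=Users,DC=sub,DC=domain,DC=com\r\n' > "$2"
}

# Usage: sh compare_memberof.sh ldapsearch.ldif dsquery.txt
# With no arguments it diffs the constructed samples.
if [ $# -eq 2 ]; then
  compare_memberof "$1" "$2" && echo "memberOf sets match"
elif [ $# -eq 0 ]; then
  samples=$(mktemp -d)
  write_samples "$samples/ldap.ldif" "$samples/dsquery.txt"
  compare_memberof "$samples/ldap.ldif" "$samples/dsquery.txt" || echo "memberOf sets differ"
  rm -rf "$samples"
fi
```

Save the ldapsearch output on the appliance and the dsquery output from a domain controller to two files and pass them as the two arguments; any line prefixed only-in-ldapsearch or only-in-dsquery is a group the two views disagree on, which is exactly what a failing appliance login for a group-mapped user looks like from the directory side.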