How to configure NetBackup Appliances to authenticate Active Directory or LDAP users


Article: 100038660
Last Published: 2017-05-19
Product(s): Appliances

Description

The types of users that can be added to a NetBackup appliance are Local (native users), LDAP, Active Directory, and Kerberos-NIS.

For Active Directory, NetBackup appliance versions 2.6.0.3 and higher use Samba, Winbind, Kerberos and the built-in Pluggable Authentication Module (PAM) plug-in to authenticate Active Directory (AD) users.

Use LDAP when connecting to an LDAP server other than an AD server, such as OpenLDAP.

Use Kerberos-NIS when authenticating NIS directory users.

Steps to Solution:

Basic Setup for AD:
Settings > Security > Authentication > ActiveDirectory > Configure <domain | AD_server | IP> <user>
Enter Password:

Notes:
Full domain administrative rights are required.

You can also create an OU for the NetBackup appliances, then add a computer object for the appliance (by hostname) in that OU and give that object domain administrative rights.

Make sure the DNS servers on the appliance can forward to the AD server; it's best to use the AD server if it also is a DNS server.

WinBind and Kerberos are used.
AD Groups are currently set to synchronize automatically at 01:00 every day.

Troubleshooting AD config:

For NetBackup appliance versions 2.7.1 through 3.0, the /log/app_vxul/* log files, particularly 409-1 (NBAPP_COMMON), 409-99 (NBUAPP_TRACE), 409-20 (NBAPP_RUNCMD) and /var/log/messages are helpful.


For NetBackup appliance versions 2.6.0.3 through 2.6.1.2, the YaST log includes useful information:
/var/log/YaST2/y2log

as well as the /log/app_vxul/* log files, particularly 409-1 (NBAPP_COMMON), 409-99 (NBUAPP_TRACE), 409-20 (NBAPP_RUNCMD), and /var/log/messages.


Check the Kerberos config file before and after the AD configuration. After configuration it should be populated, not left at the defaults (see the default Kerberos config below):
/etc/krb5.conf

Use the WinBind info command (wbinfo) to test connectivity:
wbinfo --user-info=<user>
wbinfo --group-info=<group>
wbinfo --all-domains
wbinfo --trusted-domains
wbinfo --domain-groups

If possible use Microsoft tools on the Windows side, and use ldapsearch on the appliance side to compare the config.

Below are some examples:
Example dsquery for the username:
dsquery user -name Administrator

Use the above info for the command below:

Example dsquery to show the group membership of the Administrator account:
dsquery * CN=Administrator,CN=Users,DC=Bob.Smith,DC=veritas,DC=com -scope base -attr * | findstr memberOf

Default Kerberos config (If it looks like this, it's not configured for AD):
cat /etc/krb5.conf
[libdefaults]
#    default_realm = EXAMPLE.COM

[realms]
#    EXAMPLE.COM = {
#    kdc = kerberos.example.com
#    admin_server = kerberos.example.com
#    }

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
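The two checks above (krb5.conf populated rather than left at the defaults, and wbinfo connectivity) scripted as an added example; this is not appliance code from the article. It assumes a standard POSIX shell with sed and grep, uses constructed sample krb5.conf files in place of the real /etc/krb5.conf, and only runs wbinfo where it is installed:

```shell
#!/bin/sh
# Added example, not from the article: decide whether a krb5.conf is still the
# default shown above (every realm setting commented out) or has been populated
# by the AD join, and run the article's wbinfo connectivity checks.
# Returns 0 if an uncommented default_realm and an uncommented "REALM = {" block exist.
krb5_is_configured() {
    cleaned=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")   # drop comments and blank lines
    printf '%s\n' "$cleaned" | grep -q '^[[:space:]]*default_realm[[:space:]]*=' || return 1
    printf '%s\n' "$cleaned" | grep -Eq '^[[:space:]]*[A-Za-z0-9._-]+[[:space:]]*=[[:space:]]*\{' || return 1
}
# Print the configured default realm (empty when the file is still the default).
krb5_default_realm() {
    sed -e 's/#.*//' "$1" | sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' | head -n 1
}
# Run the wbinfo checks from the article for one user; skipped where winbind is absent.
wbinfo_checks() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed; skipping"; return 0; }
    for opt in "--user-info=$1" --all-domains --trusted-domains --domain-groups; do
        wbinfo "$opt" >/dev/null 2>&1 && echo "ok:     wbinfo $opt" || echo "FAILED: wbinfo $opt"
    done
}
# Constructed sample files standing in for /etc/krb5.conf before and after the join.
DEFAULT_CONF=$(mktemp); JOINED_CONF=$(mktemp)
trap 'rm -f "$DEFAULT_CONF" "$JOINED_CONF"' EXIT
cat > "$DEFAULT_CONF" <<'EOF'
[libdefaults]
#    default_realm = EXAMPLE.COM
[realms]
#    EXAMPLE.COM = {
#    kdc = kerberos.example.com
#    }
EOF
cat > "$JOINED_CONF" <<'EOF'
[libdefaults]
    default_realm = SUB.DOMAIN.COM
[realms]
    SUB.DOMAIN.COM = {
        kdc = dc1.sub.domain.com
    }
EOF
for f in "$DEFAULT_CONF" "$JOINED_CONF"; do
    if krb5_is_configured "$f"; then echo "$f: configured for realm $(krb5_default_realm "$f")"
    else echo "$f: still the default krb5.conf; the AD join did not populate it"; fi
done
wbinfo_checks "Administrator"   # user name taken from the article's dsquery example
```

On an appliance, point krb5_is_configured at /etc/krb5.conf instead of the sample files and compare the printed realm with the AD domain you joined.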

Basic Setup for LDAP (not AD):
Settings > Security > Authentication > LDAP

ConfigParam Set base ou=internal,dc=sub,dc=domain,dc=com
ConfigParam Set ssl No
ConfigParam Set binddn cn=Bob.Smith,ou=it,ou=internal,dc=sub,dc=domain,dc=com
ConfigParam Set bindpw ******** (blanked out password)
ConfigParam Set host <I.P./hostname>
Configure
Enable


Verify the settings were set:
ConfigParam show

Next issue the configure command:
Configure

The output should show that the connection was successful, and the WebGUI should show LDAP as connected.

Troubleshooting LDAP config:

For NetBackup appliance versions 2.7.1 through 3.0, the /log/app_vxul/* log files, particularly 409-1 (NBAPP_COMMON), 409-99 (NBUAPP_TRACE), 409-20 (NBAPP_RUNCMD) and /var/log/messages are helpful.


For NetBackup appliance versions 2.6.0.3 through 2.6.1.2, the YaST log includes useful information:
/var/log/YaST2/y2log

as well as the /log/app_vxul/* log files, particularly 409-1 (NBAPP_COMMON), 409-99 (NBUAPP_TRACE), 409-20 (NBAPP_RUNCMD), and /var/log/messages.



Use Microsoft tools on the Windows side, and use ldapsearch on the appliance side to compare the config.

Here are some examples:
Example dsquery for the username:
dsquery user -name Administrator

Use the output above for the command below:

Example dsquery to show the group membership of the Administrator account:
dsquery * CN=Administrator,CN=Users,DC=Bob.Smith,DC=veritas,DC=com -scope base -attr * | findstr memberOf

Example ldapsearch command from the appliance. Its output should match the dsquery/dsget results above, along with some additional attributes. Note that the IP address in this command is the domain controller:

Example:
ldapsearch -H ldap://10.0.0.1:389 -x -D "CN=Bob.Smith,OU=it,OU=internal,DC=vrts,DC=veritas,DC=com" -b "ou=internal,dc=sub,dc=domain,dc=com" -W

(The host and port can also be given as -h 10.0.0.1 -p 389 instead of the -H URI; -W prompts for the bind password.)
