Description
For Flex NetBackup Instances older than NetBackup version 10.5, individuals must use the following tool to adjust (enable / disable) Multifactor Authentication (MFA)
/usr/openv/netbackup/bin/goodies/nbmfacfg
Starting with Flex NetBackup 10.5 Instances, Multifactor Authentication can be enabled/disabled on a per-user basis within the WebUI.
Documentation around this tool can be found here:
https://www.veritas.com/support/es_ES/doc/160799157-164196584-0/v161736888-164196584
If the NetBackup administrator has enabled Global Enforcement of MFA, a user will be unable to disable MFA for their own account. They must comply by using MFA.
However, if the NetBackup administrator has not enabled Global Enforcement of MFA, users can enable/disable MFA for their own account.
Enabling MFA is done with the following steps:
- Start an ssh session to the Flex NetBackup Primary Server using the account you wish to enable MFA for
- Execute: /usr/openv/netbackup/bin/goodies/nbmfacfg -enroll
- Use your preferred MFA application (Microsoft Authenticator, Google Authenticator, etc...) to scan the QR code and enter the 6-digit key
If at some later point, the user wishes to disable MFA, follow these steps:
- Start an ssh session to the Flex NetBackup Primary Server using the account you wish to disable MFA for
- Execute: /usr/openv/netbackup/bin/goodies/nbmfacfg -reset
Note: to successfully connect via ssh, the user will need to supply the proper MFA 6-digit token. If the user can not supply the 6-digit MFA token, they must request the NetBackup administrator reset the MFA Credential for their user account. This must be done in an ssh session using the appadmin account:
- Login to the NetBackup Primary server as the appadmin user, execute: /usr/openv/netbackup/bin/goodies/nbmfacfg -reset -user <user name>
- Once the NetBackup administrator has reset the user account, then the user can ssh into the Flex NetBackukp Primary server at which point they will be prompted to pair an MFA provider via a new QR code.
- Once the user is logged in, the user can then choose to disable MFA entirely for their account by executing:
/usr/openv/netbackup/bin/goodies/nbmfacfg -reset
The next time the user logs in - either to the WebUI or ssh session, they will not be prompted for an MFA 6-digit token
References
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.