Veritas NetBackup™ Commands Reference Guide
Name
bpnbaz — perform Authorization administration tasks from within NetBackup
SYNOPSIS
bpnbaz -[AddGroup | DelGroup] Group_Name [-M server] [-Server server1.domain.com] [-CredFile Credential]
bpnbaz -[AddPerms | DelPerms] Permission_1[,Permission_2,...] -Group Group_Name -Object Object [-M server] [-Server server1.domain.com] [-CredFile Credential]
bpnbaz -[AddPolicy | DelPolicy] Policy_Name [-M server] [-Server server1.domain.com] [-CredFile Credential]
bpnbaz -[AddUser | DelUser] Group_Name Domain_Type:Domain_Name:User_Name [-OSGroup] [-M server] [-Server server1.domain.com] [-CredFile Credential]
bpnbaz -[AddUser | DelUser] Domain_Type:Domain_Name:User_Name [-reason "reason"] [-CredFile Credential]
bpnbaz -[AllowAuthorization | DisallowAuthorization] Machine_Name [-M server] [-Server server1.domain.com]
bpnbaz -CheckUpgrade [-Server server1.domain.com]
bpnbaz -Configureauth
bpnbaz -GetConfiguredHosts [target.server.com] [-out file] | -all [-out file] | [-file progress_file]
bpnbaz -GetDomainInfosFromAuthBroker [target.server.com [-out file] | -file progress_file]
bpnbaz -ListGroupMembers Group_Name [-M server] [-Server server1.domain.com] [-CredFile Credential]
bpnbaz -[ListPerms | ListMainObjects | ListGroups | ListPolicyObjects | ShowAuthorizers] [-M server] [-Server server1.domain.com] [-CredFile Credential]
bpnbaz -LookupUser Domain_Type:Domain_Name:User_Name [-CredFile credential]
bpnbaz -ListUsers [-CredFile credential]
bpnbaz -ListLockedUsers [-U | -l] [-User Domain_Type:Domain_Name:User_Name]
bpnbaz -ProvisionCert NetBackup_host_name [-out file] | -AllMediaservers -AllClients [-images] [-out file] [-dryrun] | -file progress.file
bpnbaz -SetupAT [-fsa [Domain_Type:Domain_Name:User_Name]]
bpnbaz -SetupAuthBroker [target.server.com [-out file] | -file progress_file]
bpnbaz -SetupClient [client.server.com] [-out file] | -all [-images] [-out file] | [-file progress_file] [-dryrun] [-disable]
bpnbaz -SetupMaster [-fsa [Domain_Type:Domain_Name:User_Name]]
bpnbaz -SetupMedia [media.server.com [-out file] | -all [-out file] | -file progress_file] [-dryrun] [-disable]
bpnbaz -SetupSecurity NBU.Master.Server.com [-M server] [-Server server1.domain.com]
bpnbaz -SetupExAudit | -DisableExAudit
bpnbaz -UnconfigureAuthBroker [target.server.com [-out file] | -file progress_file]
bpnbaz -UnlockUser -User [Domain_Type:Domain_Name:User_Name]
bpnbaz -UnhookSharedSecSvcsWithPBX [target.server.com [-out file] | -file progress_file]
bpnbaz -Upgrade [-Silent] [-Server server1.domain.com]
On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/admincmd/
On Windows systems, the directory path to this command is <install_path>\NetBackup\bin\admincmd\
DESCRIPTION
NetBackup uses the bpnbaz command to access the authorization portion of NetBackup Product Authentication and Authorization Service. Authorization checks the rights on an object. This command enables you to do the following:
-AddGroup creates Az groups and -DelGroup deletes Az groups. -DelGroup deletes all the members of the group when you delete an Az group from the authorization engine. This operation is not reversible; if you remove a group, you revoke the rights that are granted to members of the group.
Note:
An authorization (Az) group is a collection within the Authorization engine into which OS groups and OS users can be placed. When you add a user to an Az group, you grant them the rights and privileges that are associated with that group.
-AddPerms and -DelPerms add and delete the specified permissions for the given role on individual policies from the main NetBackup resource objects.
For more about permissions, see the NetBackup Administrator's Guide, Volume I.
-AddPolicy and -DelPolicy add and delete policies from the main NetBackup resource objects.
-AddUser and -DelUser add and delete permissions on individual policies from the main NetBackup resource objects.
When used with the enhanced auditing feature, -AddUser and -DelUser grant and revoke NetBackup administrator privileges for enhanced auditing. For enhanced auditing, you do not have to include the OSGroup, Server or CredFile options.
-AllowAuthorization and -DisallowAuthorization specify which computers are allowed or not allowed to perform authorization checks. The security administrator must specify which servers (master or media) can examine the Authorization database to perform authorization checks.
-AllClients deploys the security certificate to all the available clients.
-AllMediaservers deploys the security certificate to all the available media servers.
-CheckUpgrade determines if an upgrade of existing authorization information is needed for the specified server. If so, this option returns 61. Only NetBackup installers use this option.
-Configureauth configures the Authentication Broker.
Incorrect information for the domain name results in failures during the configuration of Authentication Broker and NetBackup Access Controls. To correct this problem, use this command to configure Authentication Broker.
-GetConfiguredHosts obtains NBAC status on the host. Either the -all or target.server.com option is required for this command.
-GetDomainInfosFromAuthBroker requests broker domain maps from the authorization broker.
-ListGroupMembers lists the group members that are associated with the group defined by Group_Name.
-ListGroups lists the defined groups.
-ListMainObjects lists the current permissions for each group on each of the main NetBackup objects. This list is an informative view that you can use to verify changes to permissions on an object. This option shows the permissions each group has within the authorization system.
-ListPerms lists the current permissions on NetBackup resource and policies. It shows all applicable permissions for a given object or object type within the database. This option helps the user to create meaningful customizations to their authorization.
-ListPolicyObjects displays all objects or object collections that are associated with the specified policy.
-ListUsers lists all users who have administrator privileges. This parameter is only used in enhanced auditing mode.
-ListLockedUsers lists all user accounts that are locked.
-LookupUser searches for users to determine if the user has administrative privileges. This parameter is only used in enhanced auditing mode.
-ProvisionCert generates an authentication certificate for the specified host; the certificate is unique to that host. The certificate must be generated for each host and cannot be pushed from one host to another. An authentication certificate is required on the media servers that host the NetBackup CloudStore Service Container (nbcssc). The security certificate is also required on master servers, media servers, and clients to establish secure communication with the NetBackup-Java Administration Console. For more information, see the NetBackup Cloud Administrator's Guide.
-SetupAT generates credentials for all nodes in a clustered master environment. Run this command after NetBackup installation or upgrade.
-SetupAuthBroker sets up the authentication broker to use NBAC.
-SetupClient sets up NBAC on the client. Run it after bpnbaz -SetupMaster has been completed successfully. It can be run from the master server. It expects connectivity between the master server and target client systems.
By default, NBAC messages are logged to a file in the local directory that is called SetupClient.nbac. The following is an example of the format of this file:
client1.server.com
#client2.server.com #SUCCESS (0) @(07/16/10 12:09:29)
client3.server.com #INTERNAL_ERROR(68) @(07/16/10 12:09:39)
The first line indicates that client1.server.com has not yet been contacted at all.
The second line indicates that client2.server.com has been successfully contacted. Each success is commented out (with a leading #) and is not contacted multiple times.
The third line indicates that client3.server.com has been contacted but an error has occurred. Errors are printed on the command line with a recommendation of what to do. The error number that is indicated in the log may indicate the problem.
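A small parser for this progress file, added here as an example rather than taken from the guide or from NetBackup itself: it classifies each host as pending, succeeded, or failed using the three line shapes shown above, lists the hosts that a later run with -file will try again, and counts failures by error code so that one underlying cause hitting many hosts stands out. The status-annotation pattern is inferred from the two annotated lines in the guide and is an assumption; the sample file content is constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed SetupClient.nbac content, following the three line shapes the
# guide documents: pending (bare host), success (host commented out with a
# leading #), and error (host with a status annotation but no leading #).
SAMPLE_PROGRESS = """\
client1.server.com
#client2.server.com #SUCCESS (0) @(07/16/10 12:09:29)
client3.server.com #INTERNAL_ERROR(68) @(07/16/10 12:09:39)
client4.server.com #INTERNAL_ERROR(68) @(07/16/10 12:09:45)
"""

# Status annotation "#NAME (code) @(timestamp)". The pattern is inferred from
# the two annotated lines in the guide; it is an assumption about the format.
_STATUS_RE = re.compile(
    r"#\s*(?P<name>[A-Z_]+)\s*\((?P<code>\d+)\)\s*@\((?P<when>[^)]*)\)"
)


@dataclass
class ProgressSummary:
    pending: list = field(default_factory=list)    # never contacted yet
    succeeded: list = field(default_factory=list)  # commented out: done
    failed: dict = field(default_factory=dict)     # host -> (status, code)


def parse_progress(text):
    """Classify every host in a SetupClient.nbac / SetupMedia.nbac progress file."""
    summary = ProgressSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        done = line.startswith("#")                 # leading # marks a success
        host, _, rest = line.lstrip("#").strip().partition(" ")
        match = _STATUS_RE.search(rest)
        if done:
            summary.succeeded.append(host)
        elif match:
            summary.failed[host] = (match.group("name"), int(match.group("code")))
        else:
            summary.pending.append(host)            # no annotation: not contacted
    return summary


def remaining_hosts(summary):
    """Hosts that bpnbaz will try again when the file is fed back with -file."""
    return summary.pending + list(summary.failed)


def errors_by_code(summary):
    """Count failures per error code, to spot one cause affecting many hosts."""
    return dict(Counter(code for _, code in summary.failed.values()))


if __name__ == "__main__":
    s = parse_progress(SAMPLE_PROGRESS)
    print("pending:  ", s.pending)
    print("succeeded:", s.succeeded)
    print("failed:   ", s.failed)
    print("retry:    ", remaining_hosts(s))
    print("by code:  ", errors_by_code(s))
```

Because the file is both the input and the output of the -file option, the hosts returned by remaining_hosts are exactly those a repeated run would contact again; a non-empty errors_by_code after several rounds is the point at which to look up the error number rather than keep feeding the file back.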
-SetupMaster sets up the master server to use NBAC. The bpnbaz -SetupMaster command contains no user arguments. You are prompted for the password for your current operating system user identity. The authorization server and authentication broker must be installed and running on the master server.
-SetupMaster adds root/administrator by default to the NBU_Security Admin group. The first time that you use -SetupMaster with the -fsa option adds the first security administrator member to the NBU_Security Admin group. If you have configured NBAC already using -SetupMaster without the -fsa option, use the -AddUser option to add any more members.
-SetupMedia sets up the media server to use NBAC. A NetBackup administrator group member can run the bpnbaz -SetupMedia command after bpnbaz -SetupMaster has been completed successfully. It can be run from the master server and expects connectivity between the master server and target media server systems.
By default, NBAC messages are logged to a file in the local directory that is called SetupClient.nbac. Refer to the -SetupClient description for an example of the file format.
-SetupSecurity sets up the initial security information. It must be run as root on the Az server.
-ShowAuthorizers lists the computers that are allowed to perform authorization checks.
-U sets the list type to user (used with -ListLockedUsers).
-UnlockUser unlocks the specified user account.
-User is optional for the -ListLockedUsers parameter. It lists information about the specified user account. Data is returned only if the user account is locked. This option is required when using the -UnlockUser parameter.
-UnconfigureAuthBroker removes the configuration from the Authorization Broker.
-UnhookSharedSecSvcsWithPBX unhooks the shared Authentication and Authorization services from PBX in Windows Server Failover Clustering (WSFC) environments.
-Upgrade modifies the NetBackup operation schema by adding authorization objects. In addition, this option upgrades default user accounts with default permissions for these new objects. You must have NBU_Security Admin privileges.
For more about NBAC and the use of the bpnbaz command, see the NetBackup Security and Encryption Guide.
To use this command and its associated options, you must be a member of the NetBackup Security Administrators group (NBU_Security Administration). The only exception is with the SetupSecurity command.
You must have local administrator privileges on the authorization server to run this command.
When you use bpnbaz, assume that the master server and the Az server are the same computer.
Note:
The use of NetBackup Access Control requires that users' home directories work correctly.
NetBackup has enhanced the audit capability that helps to audit users without having to enable NBAC. NetBackup administrators can delegate NetBackup administrator privileges to designated users. For more information about enhanced auditing and the use of the bpnbaz command with this feature, see the NetBackup Security and Encryption Guide.
OPTIONS
- -all
Scans all the storage units or policies and collects all the associated unique host names that are found in the policies. You can scan in a sorted order. The results are written to the progress file.
- client.server.com
Specifies the name of a single target host. Use this option to add a single additional host for use with NBAC.
- -CredFile Credential
Specifies a file name (Credential) from which to obtain a Veritas Product Authentication and Authorization Service credential, rather than the default location.
- -disable
Disables NBAC (USE_VXSS = PROHIBITED) on targeted hosts.
- -DisableExAudit
Disables Enhanced Auditing mode. You must restart the NetBackup services after you run this command. For additional information about Enhanced Auditing, see Auditing NetBackup Operations in the NetBackup Security and Encryption Guide.
- Group_Name
Identifies the authorization group on which an operation is to be performed. NetBackup does not allow user groups to be nested.
- Domain_Type:Domain_Name:User_Name
The Domain_Type variable is the domain to which the user or group belongs, and the User_Name variable defines the applicable user or group name designating the NetBackup administrator.
- -dryrun
Generates a list of computers to receive the security certificate. The exact details of how this option works depend on the parameter with which it is used.
-dryrun, when used with -ProvisionCert:
Generates a list of hosts to receive the security certificate and writes that list to the file name that is provided in the -out option. If the -out file option is not provided, the host list is written to the default DeploySecurityCerts.progress file. The -dryrun option only works with the -AllMediaservers and -AllClients parameters.
-dryrun, when used with either -SetupMedia or -SetupClient:
Generates a list of media server names or client names, depending on the option used, and writes the list to the log. This option works with client.server.com and media.server.com, but the intention is to use it with the -all option. The log file name is SetupMedia.nbac if the command is used with the -SetupMedia option and SetupClient.nbac if the command is used with the -SetupClient option. If you have more than 250 clients, use -dryrun with -SetupClient to see all of the clients that are visible to the master server.
- -file progress_file
Specify a different file name for the progress log. If -file is used, the input and the output files are the same, which allows multiple rounds to execute without changing the command. Use the progress file iteratively by feeding the file back in multiple times until all clients are available online.
- -fsa
Provisions a specific OS user as the NetBackup administrator. You are asked for the password for your current OS user identity.
- Group_Name
Adds the users by creating a unique enterprise account name, following this format: <Authentication type>:<Domain_Type>:<User_Name>
The supported Authentication types for this variable are the following:
Nis - Network Information Services
NISPLUS - Network Information Services Plus
Unixpwd - UNIX Password file on the Authentication server
WINDOWS - Primary Domain Controller or Active Directory
Vx - Veritas Private database.
- -images
-images searches all images for unique host names. Do not use this option with large catalogs unless you include the -dryrun option. This option discovers all unique clients that are contained in the image catalog. Older catalogs may contain a large number of decommissioned hosts, renamed hosts, and hosts relocated to new masters. Run-time can increase significantly as this command tries to contact unreachable hosts.
- -M server
Specifies the name of the master server as defined in the variable server. This server name may be different from the local host name.
- Machine_Name
Specifies the computer to be allowed or disallowed to perform authorization checks. The security administrator must specify which master servers or media servers can examine the Authorization database to perform authorization checks.
- media.server.com
Specifies the name of a single target host. Use this option to add a single additional host for use with NBAC.
- -Object Object
Controls the access to specified objects or object collections.
- -OSGroup
Defines a named collection of authentication principals that are established in a native operating system and treated as a single entity. All members of an authentication group or OS group are from the same authentication domain.
- -out file
Specifies a custom output file name. By default, the output is written to the SetupMedia.nbac file. Use this option with the -all option.
- Permission_1[,Permission_2,...]
Permissions for the role that is given to the designated object or policy.
- policy_name
Specifies the name of the policy from the main NetBackup resource objects.
- -ProvisionCert media_server_name
Generates an authentication certificate for the media server that is indicated.
- -reason "reason"
For enhanced auditing, the reason indicates the reason why the command is used. The reason text string that is entered is captured and appears in the audit report. The string must be enclosed in double quotes ("...") and cannot exceed 512 characters. In addition, it cannot begin with a dash character (-) and must not contain the single quotation mark symbol (').
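The identity format described under Group_Name and the -reason rules above are easy to get wrong in a wrapper script, and a malformed reason ends up in the audit report. The following is an added example (not code from the guide or from NetBackup) of a pre-flight check that validates both before building the argument vector for the enhanced-auditing form of -AddUser or -DelUser. The function names are my own; treating the authentication type as case-insensitive is an assumption, made because the guide writes both "Nis" and "nis".

```python
# Authentication types listed under Group_Name, compared case-insensitively
# (assumption: the guide writes both "Nis" and "nis").
SUPPORTED_AUTH_TYPES = {"nis", "nisplus", "unixpwd", "windows", "vx"}
MAX_REASON_LEN = 512   # limit stated for -reason


def parse_identity(identity):
    """Split Domain_Type:Domain_Name:User_Name and validate the domain type."""
    parts = identity.split(":")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected Domain_Type:Domain_Name:User_Name, got {identity!r}")
    domain_type, domain, user = parts
    if domain_type.lower() not in SUPPORTED_AUTH_TYPES:
        raise ValueError(f"unsupported authentication type {domain_type!r}")
    return domain_type, domain, user


def check_reason(reason):
    """Apply the -reason rules: at most 512 characters, no leading dash,
    no single quotation mark. Returns the reason unchanged when it passes."""
    if len(reason) > MAX_REASON_LEN:
        raise ValueError(f"reason exceeds {MAX_REASON_LEN} characters")
    if reason.startswith("-"):
        raise ValueError("reason must not begin with a dash")
    if "'" in reason:
        raise ValueError("reason must not contain a single quotation mark")
    return reason


def build_user_argv(action, identity, reason=None, bpnbaz="bpnbaz"):
    """Argument vector for subprocess.run(argv) with shell=False.

    Without a shell the reason is passed as one argument as-is, so the
    double quotes the guide requires on an interactive command line are not
    needed here and the string cannot be split or reinterpreted.
    """
    if action not in ("-AddUser", "-DelUser"):
        raise ValueError("action must be -AddUser or -DelUser")
    parse_identity(identity)            # raises on a malformed identity
    argv = [bpnbaz, action, identity]
    if reason is not None:
        argv += ["-reason", check_reason(reason)]
    return argv


if __name__ == "__main__":
    # Constructed sample values; nothing is executed here.
    print(build_user_argv("-AddUser", "nis:domain.veritas.com:ssosa",
                          "grant backup administrator for migration window"))
```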
- -Server server1.domain.com
This option specifies the Az server being used. Currently we expect the Az server and the NetBackup master server to exist on the same system.
- -SetupExAudit
Enables Enhanced Auditing mode. You must restart the NetBackup services after you run this command. For additional information about Enhanced Auditing, see Auditing NetBackup Operations in the NetBackup Security and Encryption Guide.
- -Silent
Directs the upgrade operation to automatically enhance the permissions of groups to account for new objects in the system. This option occurs only for the default groups, and only if those groups have never been changed.
- target.server.com
Specifies the name of a single target host. Use this option to find the NBAC status on a single host. It captures the status of the host in the ConfiguredHosts.nbac file.
EXAMPLES
Example 1 - Create and list an Az group.
An Az group is a collection within the Authorization engine where other OS groups and OS users are placed. This collection is the building block against which permissions are applied on the objects within the database. If you add a user to an Az group, you grant them all the rights and privileges that are associated with that group. When a user is placed in more than one group, that user's effective permissions are as follows: the logical "or" of the applicable permissions of each group to which the user belongs. The following example demonstrates how to create and list an existing Az group:
# bpnbaz -AddGroup "New Group 1" -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroups -server test.domain.veritas.com
Administrators
Operators
Security Administrators
Resource Management Applications
Applications
New Group 1
NBU_Unknown
NBU_User
NBU_Operator
NBU_Media Device Operator
NBU_Admin
NBU_Executive
NBU_Security Admin
NBU_Database Agent Operator
NBU_Database Agent Administrator
Operation completed successfully.
Example 2 - Delete an Az group.
If you delete an Az group from the authorization engine, all the members are removed from the group. This operation is not reversible. When you remove a group, you revoke the rights that are granted to members of the group. Therefore, carefully consider the implications of deleting groups.
# bpnbaz -DelGroup "New Group 1" -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroups -server test.domain.veritas.com
Administrators
Operators
Security Administrators
Resource Management Applications
Applications
NBU_Unknown
NBU_User
NBU_Operator
NBU_Media Device Operator
NBU_Admin
NBU_Executive
NBU_Security Admin
NBU_Database Agent Operator
NBU_Database Agent Administrator
Operation completed successfully.
Example 3 - Add and remove users from Az groups (and List group members)
Add users by creating a unique enterprise name of the following format: <Authentication type>:<Domain to which user or group belongs>:<user or group name>
The following are the Supported Authentication types:
Nis - Network Information Services
NisPlus - Network Information Services Plus
Unixpwd - UNIX Password file on the Authentication server
WINDOWS - Primary Domain Controller or Active Directory
Vx - Veritas Private database
# bpnbaz -AddUser NBU_Operator nis:domain.veritas.com:ssosa -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroupMembers NBU_Operator -server test.domain.veritas.com
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: jdimaggio
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: ssosa
Operation completed successfully.
# bpnbaz -DelUser NBU_Operator nis:domain.veritas.com:ssosa -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroupMembers NBU_Operator -server test.domain.veritas.com
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: jdimaggio
Operation completed successfully.
Example 4 - List applicable permissions
The -ListPerms option shows all applicable permissions for a given object or object type within the database. This information helps the user to create meaningful customizations to their authorization.
# bpnbaz -ListPerms -server test.domain.veritas.com
Object Type: Unknown
  Browse
Object Type: Media
  Browse
  Read
  New
  Delete
  Eject
  .
  .
  .
  Restart
  Synchronize
Object Type: PolicyGroup
  Browse
  Read
  New
  Delete
  Activate
  Deactivate
  Backup
Operation completed successfully.
Example 5 - List main objects
The -ListMainObjects option lists the current permissions for each group on each of the main NetBackup objects. This list is an informative view that can be used to verify changes to permissions on an object. It shows what permissions each group has within the authorization system.
# bpnbaz -ListMainObjects -server test.domain.veritas.com
. . .
NBU_RES_Policy:
  Role: NBU_User
    Unknown
  Role: NBU_Media Device Operator
    Browse
    Read
  Role: NBU_Executive
    Read
    Browse
  Role: NBU_Database Agent Operator
    Unknown
  Role: NBU_Unknown
    Unknown
  Role: NBU_Operator
    Browse
    Read
  Role: NBU_Admin
    Browse
    New
    Activate
    Backup
    Read
    Delete
    Deactivate
  Role: NBU_Security Admin
    Unknown
  Role: NBU_Database Agent Administrator
    Unknown
  Role: Administrators
    Unknown
  Role: Operators
    Unknown
  Role: Applications
    Unknown
  Role: NBU_Security Admin
    Unknown
. . .
NBU_RES_Job:
  Role: NBU_Media Device Operator
    Browse
    Suspend
    Cancel
    Read
    Resume
    Delete
  Role: NBU_Executive
    Browse
    Read
  Role: NBU_Database Agent Operator
    Unknown
  Role: NBU_User
    Unknown
  Role: NBU_Unknown
    Unknown
  Role: NBU_Operator
    Browse
    Suspend
    Cancel
    Read
    Resume
    Delete
  Role: NBU_Admin
    Browse
    Delete
    Resume
    Read
    Suspend
    Cancel
  Role: NBU_Security Admin
    Unknown
  Role: NBU_Database Agent Administrator
    Unknown
  Role: Administrators
    Unknown
  Role: Operators
    Unknown
  Role: Applications
    Unknown
  Role: NBU_Security Admin
    Unknown
. . .
Operation completed successfully.
Example 6 - Add and delete permissions from an object or policy
-AddPerms adds the permissions that are specified for the given role to the object or policy in question. -DelPerms deletes all permissions from an object for a given group.
# bpnbaz -AddPerms Browse,Read,New,Delete -Group TestGroup1 -Object NBU_RES_Job -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListMainObjects -server test.domain.veritas.com
NBU_RES_Unknown:
  Role: NBU_User
  . . .
NBU_RES_Job:
  Role: NBU_Media Device Operator
    Browse
    Suspend
    Cancel
    Read
    Resume
    Delete
  Role: NBU_Executive
    Browse
    Read
  Role: NBU_Database Agent Operator
    Unknown
  Role: TestGroup1
    Read
    Delete
    New
    Browse
  Role: NBU_User
    Unknown
  Role: NBU_Unknown
    Unknown
  Role: NBU_Operator
    Browse
    Suspend
    Cancel
    Read
    Resume
    Delete
  Role: NBU_Admin
    Browse
    Delete
    Resume
    Read
    Suspend
    Cancel
  Role: NBU_Security Admin
    Unknown
  Role: NBU_Database Agent Administrator
    Unknown
  Role: Administrators
    Unknown
  Role: Operators
    Unknown
  Role: Applications
    Unknown
  Role: NBU_Security Admin
    Unknown
NBU_RES_Service:
  Role: NBU_Unknown
  . . .
Operation completed successfully.
# bpnbaz -DelPerms -Group TestGroup1 -Object NBU_RES_Policy -server test.domain.veritas.com
Operation completed successfully.
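Two points in this reference deserve a worked check: Example 1 states that a user in several Az groups gets the logical "or" of each group's permissions, and Examples 5 and 6 present -ListMainObjects as the way to verify a permission change. The following is an added example (not code from the guide or from NetBackup) that parses a -ListMainObjects listing into a table, computes a user's effective permissions on an object as the union over that user's groups, and diffs two listings to report exactly what a -AddPerms or -DelPerms run granted or revoked. The sample listings are constructed in the shape shown above; the indentation of real output and the reading of an "Unknown" entry as "no permissions granted" are assumptions.

```python
from collections import defaultdict

# Constructed sample in the shape of the -ListMainObjects output shown in
# Examples 5 and 6: object name with a trailing colon, "Role:" lines, then
# one permission per line. Indentation is an assumption; the parser keys on
# the "Role:" prefix and the trailing colon, not on whitespace.
SAMPLE_BEFORE = """\
# bpnbaz -ListMainObjects -server test.domain.veritas.com
NBU_RES_Policy:
  Role: NBU_User
    Unknown
  Role: NBU_Operator
    Browse
    Read
  Role: NBU_Admin
    Browse
    New
    Activate
    Backup
    Read
    Delete
    Deactivate
. . .
NBU_RES_Job:
  Role: NBU_Operator
    Browse
    Suspend
    Cancel
    Read
    Resume
    Delete
  Role: NBU_Executive
    Browse
    Read
"""

# The same listing as it would look after
# "bpnbaz -AddPerms Browse,Read,New,Delete -Group TestGroup1 -Object NBU_RES_Job"
SAMPLE_AFTER = SAMPLE_BEFORE + """\
  Role: TestGroup1
    Read
    Delete
    New
    Browse
Operation completed successfully.
"""

NO_PERMISSIONS = {"Unknown"}   # assumption: an "Unknown" entry grants nothing


def parse_main_objects(text):
    """Return {object: {role: set(permissions)}} from -ListMainObjects text.

    Command echoes (#), ". . ." elisions and the trailing status line are
    skipped so a pasted terminal session parses as-is."""
    table = defaultdict(dict)
    obj = role = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ".", "Operation completed")):
            continue
        if line.startswith("Role:"):
            role = line[len("Role:"):].strip()
            table[obj].setdefault(role, set())
        elif line.endswith(":"):
            obj, role = line[:-1], None
            table[obj]                      # register object even if roleless
        elif role is not None:
            table[obj][role].update(line.split())
    return dict(table)


def effective_permissions(table, obj, groups):
    """Union ("logical or") of the permissions of every group the user is in."""
    perms = set()
    for group in groups:
        perms |= table.get(obj, {}).get(group, set())
    return perms - NO_PERMISSIONS


def permission_changes(before, after):
    """(object, role) -> (granted, revoked) between two listings.
    Pairs whose permission set did not change are omitted."""
    keys = {(o, r) for o in before for r in before[o]}
    keys |= {(o, r) for o in after for r in after[o]}
    changes = {}
    for obj, role in sorted(keys):
        old = before.get(obj, {}).get(role, set())
        new = after.get(obj, {}).get(role, set())
        if old != new:
            changes[(obj, role)] = (new - old, old - new)
    return changes


if __name__ == "__main__":
    before = parse_main_objects(SAMPLE_BEFORE)
    after = parse_main_objects(SAMPLE_AFTER)
    print(effective_permissions(before, "NBU_RES_Job", ["NBU_Operator", "NBU_Executive"]))
    print(permission_changes(before, after))
```

Run the listing before and after a change and feed both to permission_changes; the expected result for the -AddPerms command in this example is a single entry for (NBU_RES_Job, TestGroup1) with four granted permissions and nothing revoked. Any other entry means the change touched more than intended.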
Example 7 - Specify what servers can perform authorization checks
This example also shows how to view which servers can perform authorization checks and how to disallow a server from performing them.
The -AllowAuthorization option specifies which computers are allowed to perform authorization checks. The security administrator must specify which servers (Master or Media) are permitted to examine the Authorization database to perform authorization checks. The following examples demonstrate how to allow or disallow a computer to perform authorization.
# bpnbaz -AllowAuthorization butterball.domain.veritas.com -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ShowAuthorizers -server test.domain.veritas.com
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@test.domain.veritas.com
Name: butterball.domain.veritas.com
Operation completed successfully.
# bpnbaz -DisallowAuthorization butterball.domain.veritas.com -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ShowAuthorizers -server test.domain.veritas.com
Operation completed successfully.
Example 8 - Set up initial security boot strapping
The user must run the -SetupSecurity option as root on the Az server. The user must then provide the logon information for the first NetBackup Security administrator.
Note:
The root user on the system upon which the Az server is installed is always a security administrator.
# bpnbaz -SetupSecurity test.domain.veritas.com -server test.domain.veritas.com
Authentication Broker: test.domain.veritas.com
Authentication port[ Enter = default]:
Domain: domain.veritas.com
Name: ssosa
Password:
Authentication type (NIS, NISplus, WINDOWS, vx, unixpwd): NIS
Operation completed successfully.
SEE ALSO
See bpnbat.