Veritas NetBackup™ Troubleshooting Guide
- Introduction
- Troubleshooting procedures- About troubleshooting procedures
- Troubleshooting NetBackup problems
- Troubleshooting installation problems
- Troubleshooting configuration problems
- Device configuration problem resolution
- Testing the master server and clients
- Testing the media server and clients
- Resolving network communication problems with UNIX clients
- Resolving network communication problems with Windows clients
- Troubleshooting vnetd proxy connections- vnetd proxy connection requirements
- Where to begin to troubleshoot vnetd proxy connections
- Verify that the vnetd process and proxies are active
- Verify that the host connections are proxied
- Test the vnetd proxy connections
- Examine the log files of the connecting and accepting processes
- Viewing the vnetd proxy log files
 
- Troubleshooting security certificate revocation- Troubleshooting cloud provider's revoked SSL certificate issues
- Troubleshooting cloud provider's CRL download issues
- How a host's CRL affects certificate revocation troubleshooting
- NetBackup job fails because of revoked certificate or unavailability of CRLs
- NetBackup job fails because of apparent network error
- NetBackup job fails because of unavailable resource
- Master server security certificate is revoked
- Determining a NetBackup host's certificate state
- Troubleshooting issues with external CA-signed certificate revocation
 
- About troubleshooting networks and host names
- Verifying host name and service entries in NetBackup- Example of host name and service entries on UNIX master server and client
- Example of host name and service entries on UNIX master server and media server
- Example of host name and service entries on UNIX PC clients
- Example of host name and service entries on UNIX server that connects to multiple networks
 
- About the bpclntcmd utility
- Using the Host Properties window to access configuration settings
- Resolving full disk problems
- Frozen media troubleshooting considerations
- Troubleshooting problems with the NetBackup web services
- Troubleshooting problems with the NetBackup web server certificate
- Resolving PBX problems
- Troubleshooting problems with validation of the remote host
- Troubleshooting Auto Image Replication
- Troubleshooting network interface card performance
- About SERVER entries in the bp.conf file
- About unavailable storage unit problems
- Resolving a NetBackup Administration operations failure on Windows
- Resolving garbled text displayed in NetBackup Administration Console on a UNIX computer
- Troubleshooting error messages in the NetBackup Administration Console
- Extra disk space required for logs and temporary files for the NetBackup Administration Console
- Unable to logon to the NetBackup Administration Console after external CA configuration
- Troubleshooting file-based external certificate issues
- Troubleshooting Windows certificate store issues
- Troubleshooting backup failures
- Troubleshooting backup failure issues with NAT clients or NAT servers
- Troubleshooting issues with the NetBackup Messaging Broker (or nbmqbroker) service
- Issues with email notifications for Windows systems
- Issues with KMS configuration
- Issues with initiating the NetBackup CA migration because of large key size
- Issues with the non-privileged user (service user) account
- Issues with group name format in the auth.conf file
 
- Using NetBackup utilities- About NetBackup troubleshooting utilities
- About the analysis utilities for NetBackup debug logs
- About the Logging Assistant
- About network troubleshooting utilities
- About the NetBackup support utility (nbsu)
- About the NetBackup consistency check utility (NBCC)
- About the NetBackup consistency check repair (NBCCR) utility
- About the nbcplogs utility
- About the robotic test utilities
- About the NetBackup Smart Diagnosis (nbsmartdiag) utility
 
- Disaster recovery- About disaster recovery
- About disaster recovery requirements
- Disaster recovery packages
- About disaster recovery settings
- Recommended backup practices
- About disk recovery procedures for UNIX and Linux
- About clustered NetBackup server recovery for UNIX and Linux
- About disk recovery procedures for Windows
- About clustered NetBackup server recovery for Windows
- Generating a certificate on a clustered master server after disaster recovery installation
- About restoring disaster recovery package
- About the DR_PKG_MARKER_FILE environment variable
- Restoring disaster recovery package on Windows
- Restoring disaster recovery package on UNIX
- About recovering the NetBackup catalog- About NetBackup catalog recovery on Windows computers
- About NetBackup catalog recovery from disk devices
- About NetBackup catalog recovery and symbolic links
- About NetBackup catalog recovery and OpsCenter
- NetBackup disaster recovery email example
- About recovering the entire NetBackup catalog
- Establishing a connection with NAT media server before catalog recovery
- About recovering the NetBackup catalog image files
- About recovering the NetBackup relational database
- Recovering the NetBackup catalog when NetBackup Access Control is configured
- Recovering the NetBackup catalog from a nonprimary copy of a catalog backup
- Recovering the NetBackup catalog without the disaster recovery file
- Recovering a NetBackup user-directed online catalog backup from the command line
- Restoring files from a NetBackup online catalog backup
- Unfreezing the NetBackup online catalog recovery media
- Steps to carry out when you see exit status 5988 during catalog recovery
 
 
- Index
Issues with the non-privileged user (service user) account
This topic provides troubleshooting information about the issues specific to the non-privileged, non-root, or service user.
Starting with NetBackup 9.1, most of the master server services can be run as non-privileged user, which is highly recommended. This new user is called service user.
For more information on the service user, see the NetBackup Security and Encryption Guide.
The nbcertcmd command options internally run under the service user context. You can find the logs of the nbcertcmd command options in the SERVICE_USER.xxxxxx_xxxxx.log file.
Table: Troubleshooting service user issues
| Sr. No. | Issue | Possible reason | Resolution | 
|---|---|---|---|
| 1 | During NetBackup installation or upgrade on UNIX platform, unable to specify the service user even after three prompts. | Possible reasons are as follows: 
 | Resolutions are as follows: 
 | 
| 2 | During NetBackup installation on an inactive cluster node on UNIX platform, one of the following errors occurs: 
 | The service user name and the user ID do not match. | Ensure that the service user name and the user ID match on all cluster nodes and the same is provided during NetBackup installation on active and inactive nodes. | 
| 3 | During NetBackup upgrade of an inactive cluster node on UNIX platform, the following error occurs: Failed to retrieve the 'SERVICE_USER' or 'SERVICE_USER_ID' entries from the configuration file on the server 'cluster_virtual_name'. You must provide the same 'SERVICE_USER' (daemon user name) that is configured on the active node. | The bpgetconfig command could not retrieve the service user and the ID from active node. | Provide the service user as that of the active node and ensure that the service user has the same user ID on all cluster nodes. | 
| 4 | During NetBackup installation or upgrade on UNIX platform, the following error occurs: The user serviceuser cannot be set as the owner of files in /usr/openv. | This may be because of the issues while changing the ownership of the installation directory. | Fix the errors specified in installation trace under the following heading: Fix below errors and then retry | 
| 5 | NetBackup host communication does not work when external CA is configured with Windows Certificate Store and services run in a Local Service account context. | NetBackup services do not have access to the private key. Usually, the error in this case can be seen in the nbpxyhelper logs: The Windows API CryptAcquireCertificatePrivateKey fails with error 0x80090016: Keyset does not exist. | Check private key permissions as follows: Right-click the certificate. Go to . All NetBackup services should have permissions to read the private key. Run the following command to set permissions: nbcertcmd -setWinCertPrivKeyPermissions Run the following command to validate the configuration: nbcertcmd -ecaHealthCheck | 
| 6 | The setconfig command fails with the following error: Failed to open /usr/openv/netbackup/bp.conf.d53: Permission denied (13) | Ownership of /usr/openv/netbackup is changed to the root user. Other possible reason may be that the language pack is installed using rpm. | Run the following command to fix the ownership issues: /usr/openv/netbackup/bin/goodies/ update_install_folder_perms | 
| 7 | 
 | Service user account may not have access to the disaster recovery (DR) path specified in policy. | Review status code 9201 and 9202. Refer to the NetBackup Status Codes Guide. Refer to the NetBackup Security and Encryption Guide for giving access permissions to the service user account. | 
| 8 | Disaster recovery fails. | The NBHostIdentity -import command fails. | Ensure the following: 
 | 
| 9 | Any of the following commands fail with error: Ensure that the service user account [service_user_name] has access permissions on the specified paths and their contents. 
 Path: For UNIX - Install_Path/db/bin For Windows - Install_Path\netbackup\bin | Service user account may not have access permissions on specified paths and their contents. | Refer to the NetBackup Security and Encryption Guide for giving access permissions to the service user account. | 
| 10 | Adding VMware server operation fails | 500 system error | Ensure that the temp directory (/tmp) is accessible to the service user account | 
| 11 | Issue in bpjava-test-login workflow | File ownership is shown as 'root' | Change the ownership of the file to the service user account. | 
| 12 | nbcertcmd operations fail. | Lack of permissions | Check if the certmapinfo.json file is created and owned by the service user. | 
| 13 | nbcertcmd or bpnbaz fails with error code 123. | The private key file (PrivKeyFile-2048.pem), public key file (PubKeyFile-2048.pem), or access control list (ACL) update failed. | Ensure that NetBackup SIDs are configured and both public and private keys are present in AT_DATA_DIR. | 
| 14 | nbserviceusercmd -changeUser operation failed with authorization failure, when NBAC is configured. | The new service user is not part of the NBAC security admin group. | Add the new service user in the NBAC security admin group. Run the following command: vssaz addazgrpmember --azgrpname \"Security Administrators\" --prplinfo prplinfo | 
| 15 | After NetBackup 9.1 installation and upgrade, NetBackup Administration Console login fails for root user, if NetBackup access control (NBAC) or Enhanced Auditing (EA) is enabled. | The user certificate directory is changed. | If NBAC or EA is enabled in your environment, you must run the bpnbat -login command after NetBackup upgrade. | 
| 16 | The nbcertcmd -enrollCertificate command fails as external CA (ECA) health check fails. An error occurs while accessing the files at the following path: certificates/private key/passphrase file/crl | The nbcertcmd -enrollCertificate command runs under the service user context, however the service user does not have access to the associated files. | Provide the required access to the service user. It is recommended that you run the following command to verify the access rights before running the enrollCertificate command again: nbcertcmd -ecaHealthCheck -serviceUser user_name |