NetBackup Access Control Use Case: Using Active Directory users to manage a UNIX/Linux-based NetBackup environment from the Windows Admin UI or CLIs (NetBackup 7.X)
Problem
Using Active Directory users to manage a UNIX/Linux-based NetBackup environment from the Windows Admin UI or CLIs (NetBackup 7.X).
Note: This method uses the deprecated Windows Administration Console and is provided in an attempt to support customers on EOSL products with extended support.
Solution
This note describes the steps for using existing Active Directory users to manage, operate and use a NetBackup environment that runs primarily on UNIX/Linux platforms.
To authenticate users from an Active Directory domain, at least one Microsoft Windows system must act as the Authentication Broker. This system should be a Windows-based NetBackup media server. Note that the Windows server should first be added to the Active Directory domain, and the media server should then be installed on it.
In this configuration, the NetBackup Windows Remote Administration Console can be installed on the user's Windows-based host to administer NetBackup, provided the user is given an appropriate role (e.g. NBU_Admin) in NetBackup Access Control. Please note that Active Directory users cannot be used to log in with the Java GUI for administration of a UNIX NetBackup master server.
The following steps illustrate the configuration.
Master server        : dbxxxx.vxindia.veritas.com
Windows media server : mediaxxx.PUNxx.xxx.Veritas.com
Objective: Enable the master server dbxxxx.vxindia.veritas.com to authenticate AD users who belong to the Active Directory domain 'PUNxx'. Use the Windows Remote Admin Console to log in with an AD user and administer NetBackup.
Note: Please ensure that the machines are reachable by their configured machine names and that reverse name lookup works. You can use bptestnetconn:
/usr/openv/netbackup/bin/bptestnetconn mediaxxx.PUNxx.xxx.Veritas.com 
Similarly, ensure that the master server is reachable by its configured machine name from the media server host and from the remote admin host before proceeding with the following steps.
1) It is assumed that the master server is installed and configured with NBAC. If not done, run /usr/openv/netbackup/bin/admincmd/bpnbaz -SetupMaster on the master.
Restart the NetBackup services and log in as the NetBackup Security Administrator (root) using bpnbat -login
2) Install the media server on a Windows machine that is part of the AD domain.
In this example the domain is 'PUNxx'. The Windows media server is installed on mediaxxx.PUNxx.xxx.Veritas.com and points to the master dbxxxx.vxindia.veritas.com
3) Configure NBAC on the Windows media server. This can be done from the master server itself.
dbxxxx.vxindia.veritas.com:/usr/openv/netbackup/bin/admincmd>./bpnbaz -SetupMedia mediaxxx.PUNxx.xxx.Veritas.com
Gathering configuration information.
You will have to restart NetBackup services on 'mediaxxx.PUNxx.xxx.Veritas.com' after the command completes successfully.
WARNING! Please remove <INSTALL_DIR>/var/vxss/AzHandleCache.data on media server if exists before restarting!
Do you want to continue(y/n)y
Enter password if the media server is pre 7.0 else press ENTER:
Setting up NBAC on target host: mediaxxx.PUNxx.xxx.Veritas.com
Granting authorization check permissions to host 'mediaxxx.PUNxx.xxx.Veritas.com'
The file: SetupMedia.nbac has been updated in the current directory with results of this operation
Warning: NetBackup Media Server is currently configured in AUTOMATIC mode. Security will be enforced only in REQUIRED mode. This can be done after entire NetBackup domain is configured with NBAC
Operation completed successfully.
5) Add the Windows media server as an authentication broker. From the master server, run the following.
dbxxxx.vxindia.veritas.com:/usr/openv/netbackup/bin/admincmd>./bpnbaz -SetupAuthBroker mediaxxx.PUNxx.xxx.Veritas.com
Managing Authentication Broker on target host: mediasxxx.PUNxx.xxx.Veritas.com
The file: SetupAuthBroker.nbac has been updated in the current directory with results of this operation
Operation completed successfully.
6) Install Windows Remote Admin console on the workstation from which you want to administer NetBackup.
7) Dump settings from the master so that they can be deployed on the remote admin console.
/usr/openv/netbackup/bin/admincmd/bpgetconfig USE_VXSS AUTHENTICATION_DOMAIN AUTHORIZATION_SERVICE  >  /tmp/vxss_config.txt 
8) Set up NBAC for the remote admin console host using the file vxss_config.txt generated on the master server.
If the file was kept at C:\temp, run:
"C:\Program Files\VERITAS\NetBackup\bin\admincmd\bpsetconfig" -h host C:\temp\vxss_config.txt
(See the NetBackup Commands Reference Guide for more details on using bpsetconfig, including using it to set configuration on a remote server.)
9) Configure Active Directory users to administer NetBackup.
This needs to be set up by root using the Java GUI or the command line (bpnbaz -adduser). The Windows Admin Console cannot be used at this point because none of the Active Directory users are yet available in the 'NBU_Admin Security' group in NBAC.
Launch the Java GUI and log in as root. Then add the relevant Active Directory users/groups to the respective NetBackup group from the "Access Management" option.
Example: Click on NBU_Admin group -> Change-> Users Tab-> New User
10) After this, the Active Directory users can log in to the Windows system where the NetBackup Admin Console is installed and start the Admin Console. When the Admin Console is launched for the first time as a specific user, a request to establish a trust with the master server Authentication Broker is initiated. Once the trust is established (i.e. answer 'yes'), the Admin Console will be available.
11) SetupAuthBroker does not succeed on 9.1 and above if the services are running under Local Service. To exercise the RB setup, switch the services to Local System.
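An added check for steps 7 and 8 (example code written for this note, not part of the original article or of NetBackup): a shell function that reads the dumped vxss_config.txt and confirms that it names the AD domain with the WINDOWS mechanism and the expected broker before the file is pushed with bpsetconfig. The entry formats, the helper name check_vxss_config and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the step 7 dump before running bpsetconfig.
# Assumed entry formats (bp.conf style, "KEY = value"):
#   USE_VXSS = AUTOMATIC | REQUIRED | PROHIBITED
#   AUTHENTICATION_DOMAIN = <domain> "<comment>" <mechanism> <broker> [port]
#   AUTHORIZATION_SERVICE = <host> <port>

# check_vxss_config FILE AD_DOMAIN BROKER_HOST  (hypothetical helper name)
check_vxss_config() {
    awk -v dom="$2" -v broker="$3" '
        function fail(msg) { print "FAIL: " msg; bad = 1 }
        $1 == "USE_VXSS"              { mode = toupper($3) }
        $1 == "AUTHORIZATION_SERVICE" { azhost = $3 }
        $1 == "AUTHENTICATION_DOMAIN" {
            line = $0
            sub(/^[^=]*=[ \t]*/, "", line)   # drop the key and the equals sign
            gsub(/"[^"]*"/, "", line)        # drop the quoted comment
            split(line, f, /[ \t]+/)         # f[1]=domain f[2]=mechanism f[3]=broker
            if (tolower(f[1]) == tolower(dom) && toupper(f[2]) == "WINDOWS") {
                found = 1
                if (tolower(f[3]) != tolower(broker)) {
                    fail("domain " dom " is served by unexpected broker " f[3])
                }
            }
        }
        END {
            if (mode == "") { fail("USE_VXSS entry missing") }
            else if (mode == "PROHIBITED") { fail("USE_VXSS = PROHIBITED (NBAC disabled)") }
            else if (mode == "AUTOMATIC") {
                print "WARN: USE_VXSS = AUTOMATIC; security is enforced only in REQUIRED mode"
            }
            if (azhost == "") { fail("AUTHORIZATION_SERVICE entry missing") }
            if (!found) { fail("no WINDOWS AUTHENTICATION_DOMAIN entry for " dom) }
            exit bad + 0
        }' "$1"
}

# Constructed sample dump using the article's placeholder host names.
sample=$(mktemp)
cat > "$sample" <<'EOF'
USE_VXSS = AUTOMATIC
AUTHENTICATION_DOMAIN = PUNxx "AD users" WINDOWS mediaxxx.PUNxx.xxx.Veritas.com 0
AUTHORIZATION_SERVICE = dbxxxx.vxindia.veritas.com 0
EOF
check_vxss_config "$sample" PUNxx mediaxxx.PUNxx.xxx.Veritas.com
```

A non-zero exit status means the file should not be deployed to the remote admin console host until the reported entry is corrected on the master.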
