ADSM-L

Re: Restore of UNIX satellites

1994-08-17 10:55:31
Subject: Re: Restore of UNIX satellites
From: David E Boyes <dboyes AT IS.RICE DOT EDU>
Date: Wed, 17 Aug 1994 09:55:31 -0500
> Your UNIX users (lots and lots of them) have their home directories
> mounted on file servers.  Root on the file server backs up the file
> server, including all the home directories.  The users now cannot restore
> their home directories without a) having a logon on the fileserver or
> b) having the root user on the file server issue SET ACCESS for
> each user that has a home directory (a lot of work with lots of users).

Yes, that's exactly the problem.

>   The NODENAME parameter does work on UNIX, from the command line or from
> the GUI. NODENAME is a good solution to restore user directories backed up
> on fileservers on large networks like yours.  The only drawback is that,
> for security reasons, your users who use NODENAME will need to know the
> ADSM password of that file server client.

*One* of the engineering clusters at Rice has 3500 users.
Requiring each user (and consider that these users may be
UNIX-illiterate) to know _and remember_ the node password is not
a feasible solution. Consider the effort and security
implications of mailing out a cleartext password to 3500 people
-- this isn't MVS where there is adequate security to protect
secure information sent out in cleartext. Assume a hostile
environment when you're dealing with networks -- because it is.

Consider also that the passwords generated by the
password=generate options are literally gibberish -- no one _can_
remember them, much less type them at each use.

> the SET ACCESS command (with * for node and the user's ID for user),
> or use the GUI Set Authorization utility (with User:userID and Node:*),
> is better.  The user will have access to the home directory from any
> node, and won't need to know the ADSM password of the file server.

For small networks with assigned workstations, this may work. For
any large scale network, this is impossible.

Why is this such a difficult concept? Pardon my frustration, but
I've explained this to as many people in the ADSM organization as
I can find and given you a simple solution that would easily
solve the problem with almost zero code changes (in fact, it
would probably remove some special case code), and we still are
sitting here discussing the problem as if it were difficult. It's
not hard to do this.