NetBackup 6.5.1 master server on Solaris 10 update 4. System uses LDAP to authenticate logins vs. Active Directory on Win2k3 R2. This works fine for local and SSH logins. Using it to authenticate NBAC logins doesn’t seem to work though.

The root broker is running on the master server and is configured for “unixpwd” and works fine for actual local accounts in the /etc/passwd file. For accounts that are in AD, I am able to successfully add them as users in the Access Management section of the GUI, and can also pass username/password authentication at the Admin GUI.

However, for AD users, the GUI will show me the master server as if it were only a client, offering just backup/restore options. The bpjava-msvc log shows this:

15:54:59.183 [4768] <2> setIDs: setuid = 10008
15:54:59.183 [4768] <2> setIDs: setgid = 10001
15:54:59.193 [4768] <2> VssInit: ++++ ENTERING ++++
15:54:59.193 [4768] <2> VssInit: (vss_auth.cpp,749): ARGS: ReqVersion="4", BrokerName="host.name.org", BrokerPort="0", LoadReentrant="NO"
15:54:59.193 [4768] <2> VssGetFQDNHostName: ++++ ENTERING ++++
15:54:59.193 [4768] <2> VssGetFQDNHostName: (vss_auth.cpp,4356): ARGS: InputName="host.name.org", FullNameSize="1024"
15:54:59.194 [4768] <2> VssGetFQDNHostName: (vss_auth.cpp,4704): RETURNING: Match = "host.name.org"
15:54:59.194 [4768] <2> VssGetFQDNHostName: ---- EXITING ----
15:54:59.195 [4768] <2> VssInit: (vss_auth.cpp,797): Using Cached entries: FALSE
15:54:59.235 [4768] <2> VssInit: ---- EXITING ----
15:54:59.235 [4768] <2> VssGetRootCert: ++++ ENTERING ++++
15:54:59.235 [4768] <2> VssGetRootCert: (vss_auth.cpp,1165): ARGS: BrokerName="NULL", BrokerPort="0"
15:54:59.340 [4768] <2> VssGetRootCert: ---- EXITING ----
15:54:59.340 [4768] <2> VssAuthenticate: ++++ ENTERING ++++
15:54:59.340 [4768] <2> VssAuthenticate: (vss_auth.cpp,3026): ARGS: Name="user_name_here", NameLen="8", Domain="host.name.org", DomainLen="17", DomainType="unixpwd"
15:54:59.479 [4768] <2> VssAuthenticate: (vss_auth.cpp,3034): vrtsAtAuthenticate returned FAILURE
15:54:59.481 [4768] <2> VssAuthenticate: (vss_auth.cpp,3067): VxStatus = 24587 (0x0000600b): Status = 45 : "One or more of Name, Password and domain are incorrect."
15:54:59.481 [4768] <2> VssAuthenticate: ---- EXITING ----
15:54:59.481 [4768] <2> vnet_vxss_change_user: vnet_vxss_helper.c.1459: VssAuthenticate failed: 45 0x0000002d
15:54:59.481 [4768] <2> vnet_vxss_change_user: vnet_vxss_helper.c.1461: User name: user_name_here
15:54:59.481 [4768] <2> vnet_vxss_change_user: vnet_vxss_helper.c.1463: Domain name: host.name.org
15:54:59.481 [4768] <2> vnet_vxss_change_user: vnet_vxss_helper.c.1464: Auth mode: 4 0x00000004
15:54:59.481 [4768] <2> vnet_vxss_change_user: vnet_vxss_helper.c.1465: Broker: host.name.org
15:54:59.481 [4768] <2> vnet_vxss_change_user: vnet_vxss_helper.c.1466: Port: 0 0x00000000
15:54:59.481 [4768] <2> VssCleanUp: ++++ ENTERING ++++
15:54:59.481 [4768] <2> VssCleanUp: (vss_auth.cpp,948): ARGS: VerToClean="4"
15:54:59.485 [4768] <2> VssCleanUp: ---- EXITING ----
15:54:59.485 [4768] <2> vnet_vxss_java_login: vnet_vxss_helper.c.2300: vnet_vxss_change_user failed: 36 0x00000024
15:54:59.485 [4768] <2> vnet_vxss_java_login: vnet_vxss_helper.c.2317: Unable to VxSS login: 36 0x00000024
15:54:59.492 [4767] <2> fork_off_createCredential: vxss_status is >36<
15:54:59.493 [4767] <2> fork_off_createCredential: bp_status is >116<, VxSS authentication failed
15:54:59.493 [4767] <2> createCredential: bp_status is >116<, VxSS authentication failed
15:54:59.493 [4767] <16> isVxssActive: authentication determination failed, assume none required: (116) VxSS authentication failed
15:54:59.493 [4767] <2> isVxssActive: vxss authentication is NOT required
15:54:59.493 [4767] <2> userIsAuthorizedAdmin: auth.conf file is /usr/openv/java/auth.conf
15:54:59.493 [4767] <2> userIsAuthorizedAdmin: user_name_here does NOT have admin privileges
15:54:59.494 [4767] <2> setIDs: setuid = 10008
15:54:59.494 [4767] <2> setIDs: setgid = 10001

I know this is kind of an odd setup, but if I could get it working, it would fit very nicely in our environment.

Thanks,
Eric
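
The following Python script is an added example, not part of the original post or of NetBackup. It rejoins the hard-wrapped bpjava-msvc entries and extracts the arguments passed to VssAuthenticate, the status it returned, and whether the login then fell back to the auth.conf check, which is the sequence the log above records. The sample lines are copied from that log; the names join_entries and summarize are hypothetical.

```python
import re

# Sample excerpt copied from the bpjava-msvc log in the post, wrapped as posted.
SAMPLE = '''\
15:54:59.340 [4768] <2> VssAuthenticate:
(vss_auth.cpp,3026): ARGS: Name="user_name_here",
NameLen="8", Domain="host.name.org",
DomainLen="17", DomainType="unixpwd"
15:54:59.481 [4768] <2> VssAuthenticate:
(vss_auth.cpp,3067): VxStatus = 24587 (0x0000600b): Status = 45 : "One or
more of Name, Password and domain are incorrect."
15:54:59.493 [4767] <16> isVxssActive: authentication
determination failed, assume none required: (116) VxSS authentication failed
15:54:59.493 [4767] <2> userIsAuthorizedAdmin:
auth.conf file is /usr/openv/java/auth.conf
15:54:59.493 [4767] <2> userIsAuthorizedAdmin:
user_name_here does NOT have admin privileges
'''

# timestamp, [pid], <severity>, function name, start of message
ENTRY = re.compile(r'^(\d\d:\d\d:\d\d\.\d{3}) \[(\d+)\] <(\d+)> (\w+): ?(.*)$')

def join_entries(text):
    """Rejoin hard-wrapped lines: only a timestamped line starts a new entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(list(m.groups()))
        elif entries and line.strip():
            entries[-1][4] = (entries[-1][4] + ' ' + line.strip()).strip()
    return entries

def summarize(text):
    """Collect what was sent to VssAuthenticate and what happened afterwards."""
    s = {'args': {}, 'vss_status': None, 'fell_back': False, 'admin': None}
    for ts, pid, sev, func, msg in join_entries(text):
        if func == 'VssAuthenticate' and 'ARGS:' in msg:
            s['args'] = dict(re.findall(r'(\w+)="([^"]*)"', msg))
        elif func == 'VssAuthenticate' and (m := re.search(r'Status = (\d+) : "([^"]*)"', msg)):
            s['vss_status'] = (int(m.group(1)), m.group(2))
        elif func == 'isVxssActive' and 'assume none required' in msg:
            s['fell_back'] = True   # VxSS failed, login continues without it
        elif func == 'userIsAuthorizedAdmin' and 'admin privileges' in msg:
            s['admin'] = 'does NOT have' not in msg
    return s

if __name__ == '__main__':
    print(summarize(SAMPLE))
```
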