Re: [Networker] Sanity Check: Restore to Windows Cluster Resource
2008-06-06 05:42:46
Geoffrey Duke wrote:
> What I would like to be able to do is to run the recovery on either node,
> selecting the cluster resource client as both the source and destination.
> When I attempt this, I get an error message indicating that I need the
> "remote access all clients" privilege. I really don't want to give the
> server administrator of a cluster rights to every networker client. I would
> like the "remote access" attribute of the client to suffice.

Have you tried setting up the remote access fields for the two physical
nodes? It could be that the error message is misleading and that the
normal remote access field is sufficient.
I would set the cluster client remote access as follows:
user=YOURUSER,host=phys1
user=YOURUSER,host=phys2
(any other format for this field is ambiguous and hence insecure)

> I've been told by a third party consultant that this should work, and that
> he has other clients where this does work. However, I've opened an issue
> with EMC, and over the past few weeks, as I tried to explain how the
> administrator of a client system wasn't necessarily also a Networker
> administrator, they have decided that the product is working as designed.

You are right to be concerned about this. Many users underestimate the
power of the NetWorker administrator. In particular an admin can run a
directed recovery to any client (unless the defaults have been changed
on the clients) and hence overwrite any file - thus gaining full control
of any client.
If this is working as designed, then the designer needs shooting.
I have lost track of the number of times I have gone to a customer and
found *@* in the administrators field. These customers either don't know
or don't care that they have wiped out security on their entire network.
To sign off this list, send email to listserv AT listserv.temple DOT edu and type
"signoff networker" in the body of the email. Please write to networker-request
AT listserv.temple DOT edu if you have any problems with this list. You can access the
archives at http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
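
An added example, not part of the original message and not NetWorker code: a small Python check that applies the two points made in the reply (only the explicit user=...,host=... form is unambiguous, and *@* in an administrators field is wide open) to access-list values already exported as plain strings. The resource names and sample entries are constructed, and how the values are exported from the server is assumed to happen elsewhere.

```python
import re

# Explicit form recommended in the message: user=NAME,host=NAME (no wildcards).
EXPLICIT = re.compile(r"^user=([^,\s=*]+),\s*host=([^,\s=*]+)$")


def classify(entry):
    """Return (severity, reason) for one access-list entry."""
    e = entry.strip()
    if not e:
        return ("ignore", "empty entry")
    if "*" in e:
        return ("critical", "wildcard grants access to users or hosts not named")
    if EXPLICIT.match(e):
        return ("ok", "explicit user and host")
    return ("ambiguous", "not in user=NAME,host=NAME form")


def audit(resources):
    """resources maps (resource name, attribute) -> list of entries.

    Returns findings as (severity, resource, attribute, entry, reason),
    critical findings first, otherwise in input order.
    """
    findings = []
    for (name, attr), entries in resources.items():
        for entry in entries:
            severity, reason = classify(entry)
            if severity in ("critical", "ambiguous"):
                findings.append((severity, name, attr, entry, reason))
    findings.sort(key=lambda f: f[0] != "critical")  # stable sort
    return findings


# Constructed sample data; the resource names are hypothetical.
SAMPLE = {
    ("cluster-resource", "remote access"): ["user=YOURUSER,host=phys1",
                                            "user=YOURUSER,host=phys2"],
    ("fileserver", "remote access"): ["backupop@phys1", "phys2"],
    ("nw-server", "administrator"): ["*@*"],
}

if __name__ == "__main__":
    for severity, name, attr, entry, reason in audit(SAMPLE):
        print(f"{severity.upper():9} {name} [{attr}] {entry!r}: {reason}")
```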