Let me start by saying that I have made many attempts to implement VxSS, with
extremely limited success. I caution anyone who is considering implementing
VxSS in an existing environment. I can almost promise you that the backups
will fail and you will pull some of your hair out. The only times that I have
been successful with VxSS have been small lab environments where I implemented
it from the start. Even then, the implementation is clear as mud.
I can also tell you that sudo and RBAC methods do not work to circumvent the
root requirement for NetBackup either. The binaries are hard-coded to look for
root (uid 0) and they fail if the user running them is not root or uid 0.
Sorry to rain on your parade or likely confirm what you already know, but
NetBackup almost forces your hand to be root.
On a possible brighter note, some of the netbackup commands give data to
non-root users, though I will caution that we have seen cases that the output
is not the same for root and non-root users. I would imagine that some of the
commands that you are looking for are root only though. I believe that there
are ways to grant other users access to the GUI, but I have not tried this, as
I needed script/CLI access.
For any Symantec folks reading the list, I can assure you that granting
non-root access to users is much easier with competitive backup products that
will remain nameless.
-Kyle
------
On Wed, Jul 2, 2008 at 8:06 AM, Esson, Paul <Paul.Esson AT redstor DOT com>
wrote:
Can I ask the group with UNIX Master Servers how they administer
NetBackup? We have just moved up to 6.5 on Solaris 10 from 5.x and
discovered the nonroot_admin script is gone. I could re-apply the
equivalent manually but this method obviously has limitations.
I need to be able to run various commands use these in scripts
and edit certain files on the Master and the UNIX admin won't give me
root access. Will sudo help here?
We use sudo extensively here but then we use it to get root. Our DBAs
use sudo to be able to kick off database restores from our master
server.
A UNIX admin that will let you backup and restore his system but won't
give you root access is being very shortsighted. If he thinks he's
added any level of security at all, he's wrong. You can simply
"restore" your own copy of the password file, sudoers, etc. If you are
able to do backups and restores, you effectively have total control of
those systems.
We have a good working relationship with our system admins - we manage
the application from start to finish but they manage the OS, including
patches. We always communicate what we're doing and why. Once you
build that level of trust, you should be able to get the access you need
to do your job completely.
If the admins are going to be pains, however, call them frequently in
the middle of the night. Every time a backup job fails, wake them up
and ask them to look at a log or config file. They'll get the hint...
:-)
I believe I've said it here before - if you don't trust your backup
administrator, find yourself another one. The same holds true for your
system administrators and everybody who has physical access to your
systems. And your receptionists :-)
.../Ed
--
Ed Wilts, Mounds View, MN, USA
RHCE, BCFP, BCSD, SCSP, SCSE
mailto:ewilts AT ewilts DOT org
If I've helped you, please make a donation to my favorite charity at
http://firstgiving.com/edwilts
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed. If
you have received this email in error please notify the system manager. This
message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://mailman.eng.auburn.edu/pipermail/veritas-bu/attachments/20080702/cf430c31/attachment-0001.htm
_______________________________________________
Veritas-bu maillist - Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
|