
[Veritas-bu] NBAC with AD-originated UNIXPWD Groups (RHEL Master Server)

2011-08-17 22:02:38
Subject: [Veritas-bu] NBAC with AD-originated UNIXPWD Groups (RHEL Master Server)
From: thjones2 <nbu-forum AT backupcentral DOT com>
To: VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU
Date: Wed, 17 Aug 2011 18:52:49 -0700

I'm attempting to get NBAC configured as part of a large NBU 7.x rollout. I'm 
running my NBU master on RHEL 5.6 server. The RHEL server is configured, via 
LikeWise, to do central user authentication/management through Active 
Directory. As far as getting NBAC to use AD-managed users through the UNIXPWD 
entry point (such that NBAC calls the OS native authentication system, which, 
by way of PAM and LikeWise pulls user/authentication data from Active 
Directory), everything works. I can add my AD userid into NBAC. However, if I 
try to use the "O.S. Group" option, while NBAC seems happy to use users that 
show up in /etc/group, it's being pissy about the AD-managed groups: it allowed 
me to add the "wheel" group (GID 10 in /etc/passwd) to the NBAC group using the 
"O.S. Group" method; however, when I tried to add "san^admins" or 
"netbackup-tier3" (AD-managed groups) I get the error message saying it's not a 
valid group. I used getent() to verify that I wasn't fat-fingering the groups 
or otherwise passing them incorrectly to NBAC.

This would be a lot less confusing if NBAC was refusing non-locally managed 
users through the UNIXPWD module, but, that's not the case. It seems to only be 
a groups issue (and only non-local groups). While I could do my NBAC 
role-management via individually enumerated users, it makes it a HUGE pain in 
the ass to do so, particularly if I've got more than one NBU master per 
network. Being able to create an AD-managed group and then map NBAC 
roles/groups to those (now) OS-level groups would make NBAC a lot less onerous 
to manage.

Any suggestions or such would be greatly appreciated. Even if it's something as 
simple as "NBAC doesn't support groupnames longer than X characters", I could 
shoehorn my AD groupnames into compliant name-lengths, I just need to know what 
the maximum is.
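
An added diagnostic example, not part of the original post and not NetBackup code: for each group name it reports whether the name is defined in the local group file, whether NSS resolves it by name (what a keyed getent lookup checks), and whether it appears when all groups are enumerated. The function names are hypothetical, Python 3 is assumed, and the post does not say which of these lookups NBAC performs.

```python
import grp


def local_group_names(group_file_text):
    """Return the group names defined in /etc/group-format text."""
    names = set()
    for line in group_file_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and legacy NIS "+"/"-" compat entries.
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[0]:
            names.add(fields[0])
    return names


def classify(name, local_names, by_name=grp.getgrnam, enumerate_all=grp.getgrall):
    """Report how one group name is visible on this host."""
    try:
        entry = by_name(name)  # keyed NSS lookup; raises KeyError if unknown
    except KeyError:
        entry = None
    # Full enumeration; a directory-backed NSS source may not list its groups here.
    enumerated = {g.gr_name for g in enumerate_all()}
    return {
        "name": name,
        "in_local_file": name in local_names,
        "resolves_by_name": entry is not None,
        "gid": entry.gr_gid if entry is not None else None,
        "in_enumeration": name in enumerated,
    }


def report(names, group_file="/etc/group"):
    """Classify each name against the local file and the live NSS configuration."""
    with open(group_file) as fh:
        local = local_group_names(fh.read())
    return [classify(n, local) for n in names]


if __name__ == "__main__":
    # Group names taken from the post; the output depends on the host it runs on.
    for row in report(["wheel", "san^admins", "netbackup-tier3"]):
        print(row)
```

A group that resolves by name but is absent from the local file and from enumeration is one that only a keyed lookup can see, which is worth noting when reporting the problem to the vendor.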
