• Please help support our sponsors by considering their products and services.
    Our sponsors enable us to serve you with this high-speed Internet connection and fast webservers you are currently using at ADSM.ORG.
    They support this free flow of information and knowledge exchange service at no cost to you.

    Please welcome our latest sponsor Tectrade . We can show our appreciation by learning more about Tectrade Solutions
  • Community Tip: Please Give Thanks to Those Sharing Their Knowledge.

    If you receive helpful answer on this forum, please show thanks to the poster by clicking "LIKE" link for the answer that you found helpful.

  • Community Tip: Forum Rules (PLEASE CLICK HERE TO READ BEFORE POSTING)

    Click the link above to access ADSM.ORG Acceptable Use Policy and forum rules which should be observed when using this website. Violators may be banned from this website. This notice will disappear after you have made at least 3 posts.

PasswordAccess Generate Confusion

smithm

Active Newcomer
Joined
Feb 16, 2010
Messages
9
Reaction score
0
Points
0
Environment: Windows Client 6.1.2.0, Server 5.5.2.0 Client dsm.opt file contains passwordaccess generate.

Scenario:
The TSM administrator runs

update node smithm forcepwreset=yes passexp=1

My scheduled backup runs the next day without user intervention and I can see that the client has stored a new encrypted password in the registry. This is good because the original password is weak and nobody knows the automatically generated password.

The Problem:
The password isn't really changed, that is, I can go to another computer and login to smithm's backups by providing the legacy password. Clearly I'm confused. My underlying problem is that many of my 1100 TSM Nodeids have weak passwords. I was hoping I could automagically change them and existing clients would not have to know a password until they moved to a new computer.
 

BBB

ADSM.ORG Moderator
Joined
Feb 13, 2007
Messages
2,076
Reaction score
20
Points
0
Location
Brisbane, Australia
I'm not 100% sure but possibly when you try the login from another computer, you are using the administrator with name "smithm" which is created with client owner priviledges when you create a node without specifying the userid=none parameter.

As an experiment, lock the smithm administrator account (not the node - the administrator) and try to login again from the other computer.
 

Jeff_Jeske

ADSM.ORG Senior Member
Joined
Jul 17, 2006
Messages
485
Reaction score
7
Points
0
Location
Stevens Point, WI
Website
http
We run a script to register our nodes on the TSM server. We use a default password .... in this case I have entered secret .... that is set to expire every 10 days.

***********SCRIPT WIN1_ADD********************
cd "C:\program files\tivoli\tsm\baclient"
dsmadmc -optfile=tsm1dsm.opt -id=%1 -pa=%2 reg node %3 SECRET PASSEXP=10 USERID=none DOMAIN=STANDARD CLOPTSET=WINDOWS FORCEPWRESET=NO
dsmadmc -optfile=tsm1dsm.opt -id=%1 -pa=%2 def assoc standard %4 %3
cd \
************END SCRIPT***********

example:
WIN1_ADD MYUSER MYPW SERVERNAME SCHEDULE
 

smithm

Active Newcomer
Joined
Feb 16, 2010
Messages
9
Reaction score
0
Points
0
Thank you BBB and Jeff. I'm not a TSM server administrator, hence I did not know there were actually two accounts for all our TSM users. It does seem that the automatically generated password changed the node password but not the admin password.

I had my server admin execute update admin smithm forcepwreset=yes passexp=1 and that gave me baffling results, too. I was able to do a backup and restore without supplying a new password and looking at the registry it appears no new password was generated. However, when I ran query node -type=client DSMC reported that my password had expired and guided me through a password change. It accepted my values but reported that it was 1 day since my password was set. I certainly expected 0 at that point.

I hate to admit defeat but it looks like passwordaccess generate is not the magic bullet I hoped for.
 

Advertise at ADSM.ORG

If you are reading this, so are your potential customer. Advertise at ADSM.ORG right now.

UpCloud high performance VPS at $5/month

Get started with $25 in credits on Cloud Servers. You must use link below to receive the credit. Use the promo to get upto 5 month of FREE Linux VPS.

The Spectrum Protect TLA (Three-Letter Acronym): ISP or something else?

  • Every product needs a TLA, Let's call it ISP (IBM Spectrum Protect).

    Votes: 19 19.0%
  • Keep using TSM for Spectrum Protect.

    Votes: 61 61.0%
  • Let's be formal and just say Spectrum Protect

    Votes: 12 12.0%
  • Other (please comement)

    Votes: 8 8.0%

Forum statistics

Threads
31,773
Messages
135,485
Members
21,761
Latest member
bastischubert
Top