PasswordAccess Generate Confusion

smithm

Environment: Windows Client 6.1.2.0, Server 5.5.2.0.
Client dsm.opt file contains passwordaccess generate.

Scenario:
The TSM administrator runs

update node smithm forcepwreset=yes passexp=1

My scheduled backup runs the next day without user intervention and I can see that the client has stored a new encrypted password in the registry. This is good because the original password is weak and nobody knows the automatically generated password.

The Problem:
The password isn't really changed, that is, I can go to another computer and log in to smithm's backups by providing the legacy password. Clearly I'm confused. My underlying problem is that many of my 1100 TSM Nodeids have weak passwords. I was hoping I could automagically change them and existing clients would not have to know a password until they moved to a new computer.
 
I'm not 100% sure but possibly when you try the login from another computer, you are using the administrator with name "smithm" which is created with client owner privileges when you create a node without specifying the userid=none parameter.

As an experiment, lock the smithm administrator account (not the node - the administrator) and try to log in again from the other computer.
 
We run a script to register our nodes on the TSM server. We use a default password .... in this case I have entered secret .... that is set to expire every 10 days.

***********SCRIPT WIN1_ADD********************
cd "C:\program files\tivoli\tsm\baclient"
dsmadmc -optfile=tsm1dsm.opt -id=%1 -pa=%2 reg node %3 SECRET PASSEXP=10 USERID=none DOMAIN=STANDARD CLOPTSET=WINDOWS FORCEPWRESET=NO
dsmadmc -optfile=tsm1dsm.opt -id=%1 -pa=%2 def assoc standard %4 %3
cd \
************END SCRIPT***********

example:
WIN1_ADD MYUSER MYPW SERVERNAME SCHEDULE
 
Thank you BBB and Jeff. I'm not a TSM server administrator, hence I did not know there were actually two accounts for all our TSM users. It does seem that the automatically generated password changed the node password but not the admin password.

I had my server admin execute update admin smithm forcepwreset=yes passexp=1 and that gave me baffling results, too. I was able to do a backup and restore without supplying a new password and looking at the registry it appears no new password was generated. However, when I ran query node -type=client DSMC reported that my password had expired and guided me through a password change. It accepted my values but reported that it was 1 day since my password was set. I certainly expected 0 at that point.

I hate to admit defeat but it looks like passwordaccess generate is not the magic bullet I hoped for.
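
An added example, not code from the thread or from the product vendor: a small audit for the situation the replies above describe, where a node also has a same-named administrator account whose password did not change when the node password was regenerated. It assumes you have exported node names, administrator names and locked administrator names as comma-delimited text with the name in the first column; the function names and the sample data are constructed for illustration.

```python
import csv
import io


def parse_names(export_text):
    """Return upper-cased names from the first column of a comma-delimited export."""
    names = set()
    for row in csv.reader(io.StringIO(export_text)):
        # Skip blank rows and rows whose first column is empty.
        if row and row[0].strip():
            names.add(row[0].strip().upper())
    return names


def audit_shadow_admins(nodes_export, admins_export, locked_export=""):
    """Classify nodes by whether a same-named administrator account exists."""
    nodes = parse_names(nodes_export)
    admins = parse_names(admins_export)
    locked = parse_names(locked_export)
    shadow = nodes & admins  # node IDs that also exist as administrator IDs
    return {
        # Same-named admin exists and is not locked: its own (possibly weak)
        # password is still accepted, independent of the node password.
        "open": sorted(shadow - locked),
        # Same-named admin exists but is locked.
        "locked": sorted(shadow & locked),
        # No same-named admin (for example, registered with USERID=none).
        "node_only": sorted(nodes - admins),
    }


# Constructed sample exports (assumption: one name per row, first column).
SAMPLE_NODES = "SMITHM\nFILESRV01\nlab-pc7\n\n"
SAMPLE_ADMINS = "ADMIN\nsmithm\nFILESRV01\n"
SAMPLE_LOCKED = "FILESRV01\n"

if __name__ == "__main__":
    report = audit_shadow_admins(SAMPLE_NODES, SAMPLE_ADMINS, SAMPLE_LOCKED)
    for status, names in report.items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Nodes reported under "open" are the ones where rotating only the node password leaves the administrator password as a second way in.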
 