Backup Central

I a unable to get the NMM 2.3 to start a backup unless I add *@* in the administrator list of the backup server. I have added *@<nmm_host> and the backup still will not start the snapshot. I get this error message:
:nsrsnap_vss_save:NMM has detected error: User Groups Information missing from server[<servername>]. Rejecting the administrator-snapshot request.
I have followed the guide and added the system and administrator lines for the nmm_host to the admin group and still nothing lets the snapshot start. Emc is still researching this as well.

Any help will be appreciated.


Thanks

Craig

Have you tried this format?

user=*, host=name.domain.edu/com/etc
or
user=administrator, host=FQDN

We had to play with ours, specifically the fully qualified domain name.
NMM 2.3 is very, very difficult to troubleshoot. We had a ticket
opened for more than 4 weeks with EMC.

David M. Browning Jr.
IT Project Coordinator Enterprise Backups and Help Desk

-----Original Message-----
From: EMC NetWorker discussion [mailto:NETWORKER < at > LISTSERV.TEMPLE.EDU] On
Behalf Of craig yurchison
Sent: Friday, October 14, 2011 4:08 PM
To: NETWORKER < at > LISTSERV.TEMPLE.EDU
Subject: [Networker] NMM 2.3 backup issue

I a unable to get the NMM 2.3 to start a backup unless I add * < at > * in the
administrator list of the backup server. I have added * < at > <nmm_host> and
the backup still will not start the snapshot. I get this error message:
:nsrsnap_vss_save:NMM has detected error: User Groups Information
missing from server[<servername>]. Rejecting the administrator-snapshot
request.
I have followed the guide and added the system and administrator lines
for the nmm_host to the admin group and still nothing lets the snapshot
start. Emc is still researching this as well.

Any help will be appreciated.


Thanks

Craig

+----------------------------------------------------------------------
|This was sent by craig.yurchison < at > expedient.com via Backup Central.
|Forward SPAM to abuse < at > backupcentral.com.
+----------------------------------------------------------------------


type "signoff networker" in the body of the email. Please write to
networker-request < at > listserv.temple.edu if you have any problems with this
list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

On 10/14/11 22:07, craig yurchison wrote:
I a unable to get the NMM 2.3 to start a backup unless I add * < at > * in the administrator list of the backup server. I have added * < at > <nmm_host> and the backup still will not start the snapshot. I get this error message:
:nsrsnap_vss_save:NMM has detected error: User Groups Information missing from server[<servername>]. Rejecting the administrator-snapshot request.
I have followed the guide and added the system and administrator lines for the nmm_host to the admin group and still nothing lets the snapshot start. Emc is still researching this as well.


You do of course know how dangerous it is to add * < at > * as an
administrator? You may as well just clear all your root/administrator
passwords, it would have the same effect - anyone with a bit of
knowledge could then gain control of every machine in your datazone.


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

On 10/14/11 22:40, Browning, David wrote:
Have you tried this format?

user=*, host=name.domain.edu/com/etc

You should not put a * in any part of the user spec.


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

Speaking of adding * < at > * to the administrators list on the datazone.

How do you feel about that all of the NMM and Oracle clients of the datazone
are specified as administrators on the datazone?

Yes, if you are backing up a Oracle client or NMM client, a user on that
Oracle and NMM system needs to have administrative privilages on the
datazone.

How's that for security?

Wallace

2011/10/15 Davina Treiber <Davina.Treiber < at > peevro.co.uk>

On 10/14/11 22:07, craig yurchison wrote:
I a unable to get the NMM 2.3 to start a backup unless I add * < at > * in the
administrator list of the backup server. I have added * < at > <nmm_host> and the
backup still will not start the snapshot. I get this error message:
:nsrsnap_vss_save:NMM has detected error: User Groups Information missing
from server[<servername>]. Rejecting the administrator-snapshot request.
I have followed the guide and added the system and administrator lines
for the nmm_host to the admin group and still nothing lets the snapshot
start. Emc is still researching this as well.

You do of course know how dangerous it is to add * < at > * as an
administrator? You may as well just clear all your root/administrator
passwords, it would have the same effect - anyone with a bit of
knowledge could then gain control of every machine in your datazone.


"signoff networker" in the body of the email. Please write to
networker-request < at > listserv.temple.edu if you have any problems with this
list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER



via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

Oracle needs admin privileges if you want to be able to delete backup from rman. It is not needed / required otherwise. And yes, it is kinda stupid

V.J.
________________________________________
Odesílatel: EMC NetWorker discussion [NETWORKER < at > LISTSERV.TEMPLE.EDU] za u¾ivatele Joe N. Wallace [joe.n.wallace < at > GMAIL.COM]
Odesláno: 17. øíjna 2011 11:29
Komu: NETWORKER < at > LISTSERV.TEMPLE.EDU
Pøedmìt: Re: [Networker] NMM 2.3 backup issue

Speaking of adding * < at > * to the administrators list on the datazone.

How do you feel about that all of the NMM and Oracle clients of the datazone
are specified as administrators on the datazone?

Yes, if you are backing up a Oracle client or NMM client, a user on that
Oracle and NMM system needs to have administrative privilages on the
datazone.

How's that for security?

Wallace

2011/10/15 Davina Treiber <Davina.Treiber < at > peevro.co.uk>

On 10/14/11 22:07, craig yurchison wrote:
I a unable to get the NMM 2.3 to start a backup unless I add * < at > * in the
administrator list of the backup server. I have added * < at > <nmm_host> and the
backup still will not start the snapshot. I get this error message:
:nsrsnap_vss_save:NMM has detected error: User Groups Information missing
from server[<servername>]. Rejecting the administrator-snapshot request.
I have followed the guide and added the system and administrator lines
for the nmm_host to the admin group and still nothing lets the snapshot
start. Emc is still researching this as well.

You do of course know how dangerous it is to add * < at > * as an
administrator? You may as well just clear all your root/administrator
passwords, it would have the same effect - anyone with a bit of
knowledge could then gain control of every machine in your datazone.


"signoff networker" in the body of the email. Please write to
networker-request < at > listserv.temple.edu if you have any problems with this
list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER



via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

EMC has been planning on NMM replacing the old client.

So will then all the cleints in the datazone need to be on the admins lists?

That would be the same as addin * < at > * on the admin list.

Can someone from PM please explain that it is not an issue that NMM and
Oracle clients need to be admins on the datazone?

Unfortunatelly, I don't think they can.

J.W.

2011/10/17 Jánský Vítìzslav <Vitezslav.Jansky < at > t-systems.cz>

Oracle needs admin privileges if you want to be able to delete backup from
rman. It is not needed / required otherwise. And yes, it is kinda stupid

V.J.
________________________________________
Odesílatel: EMC NetWorker discussion [NETWORKER < at > LISTSERV.TEMPLE.EDU] za
u¾ivatele Joe N. Wallace [joe.n.wallace < at > GMAIL.COM]
Odesláno: 17. øíjna 2011 11:29
Komu: NETWORKER < at > LISTSERV.TEMPLE.EDU
Pøedmìt: Re: [Networker] NMM 2.3 backup issue

Speaking of adding * < at > * to the administrators list on the datazone.

How do you feel about that all of the NMM and Oracle clients of the
datazone
are specified as administrators on the datazone?

Yes, if you are backing up a Oracle client or NMM client, a user on that
Oracle and NMM system needs to have administrative privilages on the
datazone.

How's that for security?

Wallace

2011/10/15 Davina Treiber <Davina.Treiber < at > peevro.co.uk>

On 10/14/11 22:07, craig yurchison wrote:
I a unable to get the NMM 2.3 to start a backup unless I add * < at > * in the
administrator list of the backup server. I have added * < at > <nmm_host> and
the
backup still will not start the snapshot. I get this error message:
:nsrsnap_vss_save:NMM has detected error: User Groups Information
missing
from server[<servername>]. Rejecting the administrator-snapshot request.
I have followed the guide and added the system and administrator lines
for the nmm_host to the admin group and still nothing lets the snapshot
start. Emc is still researching this as well.

You do of course know how dangerous it is to add * < at > * as an
administrator? You may as well just clear all your root/administrator
passwords, it would have the same effect - anyone with a bit of
knowledge could then gain control of every machine in your datazone.


type
"signoff networker" in the body of the email. Please write to
networker-request < at > listserv.temple.edu if you have any problems with this
list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER



"signoff networker" in the body of the email. Please write to
networker-request < at > listserv.temple.edu if you have any problems with this
list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER


"signoff networker" in the body of the email. Please write to
networker-request < at > listserv.temple.edu if you have any problems with this
list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER



via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

On 17/10/11 11:52, Joe N. Wallace wrote:
EMC has been planning on NMM replacing the old client.

So will then all the cleints in the datazone need to be on the admins lists?


This was not new with NMM, it has always been this way with NMO.

That would be the same as addin * < at > * on the admin list.

Not exactly. It only requires one Oracle user on the client to be the
admin. It's still not great though.


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

This is true, all machines using nmm will have to be admins. I'm not in the office right now, but there is an open issue with this.

When I get back in the office,I can forward the case to the list.



On Oct 17, 2011, at 5:52 AM, "Joe N. Wallace" <joe.n.wallace < at > GMAIL.COM> wrote:

EMC has been planning on NMM replacing the old client.

So will then all the cleints in the datazone need to be on the admins lists?

That would be the same as addin * < at > * on the admin list.

Can someone from PM please explain that it is not an issue that NMM and
Oracle clients need to be admins on the datazone?

Unfortunatelly, I don't think they can.

J.W.

2011/10/17 Jánský Vítězslav <Vitezslav.Jansky < at > t-systems.cz>

Oracle needs admin privileges if you want to be able to delete backup from
rman. It is not needed / required otherwise. And yes, it is kinda stupid

V.J.
________________________________________
Odesílatel: EMC NetWorker discussion [NETWORKER < at > LISTSERV.TEMPLE.EDU] za
uživatele Joe N. Wallace [joe.n.wallace < at > GMAIL.COM]
Odesláno: 17. října 2011 11:29
Komu: NETWORKER < at > LISTSERV.TEMPLE.EDU
Předmět: Re: [Networker] NMM 2.3 backup issue

Speaking of adding * < at > * to the administrators list on the datazone.

How do you feel about that all of the NMM and Oracle clients of the
datazone
are specified as administrators on the datazone?

Yes, if you are backing up a Oracle client or NMM client, a user on that
Oracle and NMM system needs to have administrative privilages on the
datazone.

How's that for security?

Wallace

2011/10/15 Davina Treiber <Davina.Treiber < at > peevro.co.uk>

On 10/14/11 22:07, craig yurchison wrote:
I a unable to get the NMM 2.3 to start a backup unless I add * < at > * in the
administrator list of the backup server. I have added * < at > <nmm_host> and
the
backup still will not start the snapshot. I get this error message:
:nsrsnap_vss_save:NMM has detected error: User Groups Information
missing
from server[<servername>]. Rejecting the administrator-snapshot request.
I have followed the guide and added the system and administrator lines
for the nmm_host to the admin group and still nothing lets the snapshot
start. Emc is still researching this as well.

You do of course know how dangerous it is to add * < at > * as an
administrator? You may as well just clear all your root/administrator
passwords, it would have the same effect - anyone with a bit of
knowledge could then gain control of every machine in your datazone.


type
"signoff networker" in the body of the email. Please write to
networker-request < at > listserv.temple.edu if you have any problems with this
list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER



"signoff networker" in the body of the email. Please write to
networker-request < at > listserv.temple.edu if you have any problems with this
list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER


"signoff networker" in the body of the email. Please write to
networker-request < at > listserv.temple.edu if you have any problems with this
list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER



via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

I have tried :
user=*, host=name.domain.edu/com/etc
or
user=administrator, host=FQDN

I am aware of the security risk of *@*, this was how emc's testing started, I also can't have * <at> the host name as well, we backup many different customers and with this added to the admins gives one customer way too much power. I have also tried administrator, system, even a seperate local account in the adminstrator list. Emc had me run the networker processes under an account that has admin access to the sharepoint, but I have another sharepoint server that the service is running under the local system account.

I have read the mnn admin guide, but there is nothing in there stating what account should run the services.

Can someone from PM please explain that it is not an issue that NMM and
Oracle clients need to be admins on the datazone?


This is an admin challenge that we've tracked for some time.

1) I can validate that promoting an admin, like a DBA, from 'users'
to 'administrator' not only adds the desired permissions like 'configure'
and 'operate devices', but also includes permissions that you might not
want the DBA to have.

2) Current NetWorker releases, like 7.6S SPx, do allow the NetWorker
administrator to create a new users group with a set of customized
permissions. We know that this is not always reasonable, but it is an
option available to you today.

3) In the next NetWorker release we will include several new, standard
roles in addition to 'users' and 'adminsitrator'. The new roles will have
appropriate permissions already set for you. e.g. 'Application
Adminsitrator' will still have backup, restore, & monitor permissions, but
will include 'configure' and 'operate devices'. Along with a few other
enahncements we have in store for you, this will make it much easier for
NetWorker administrators to give users autonomy without compromising
security policies.

Best regards,
NetWorkerPM


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

Mark,

I for one will welcome the additional granularity you are describing. I
think a lot of us out here get very frustrated that a frequent request
from the technicians when working an SR that seems to have anything to
do with authorization is to give * < at > * access. A much better option, in
my opinion, would be increased logging that could be enabled when needed
to determine authentication/authorization issues - and it would probably
reduce the number of SR's that were opened as well.

Frank

On Mon, 17 Oct 2011 at 6:45pm, Mark Wiertalla wrote:


Can someone from PM please explain that it is not an issue that NMM and
Oracle clients need to be admins on the datazone?


This is an admin challenge that we've tracked for some time.

1) I can validate that promoting an admin, like a DBA, from 'users'
to 'administrator' not only adds the desired permissions like 'configure'
and 'operate devices', but also includes permissions that you might not
want the DBA to have.

2) Current NetWorker releases, like 7.6S SPx, do allow the NetWorker
administrator to create a new users group with a set of customized
permissions. We know that this is not always reasonable, but it is an
option available to you today.

3) In the next NetWorker release we will include several new, standard
roles in addition to 'users' and 'adminsitrator'. The new roles will have
appropriate permissions already set for you. e.g. 'Application
Adminsitrator' will still have backup, restore, & monitor permissions, but
will include 'configure' and 'operate devices'. Along with a few other
enahncements we have in store for you, this will make it much easier for
NetWorker administrators to give users autonomy without compromising
security policies.

Best regards,
NetWorkerPM


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER


--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

Ok I am still having issues getting the nmm to work, if I let the system account run the networker service the backups will fail with error about rejecting the administrator-snapshot request.

I have the fqdn and short names in the admin list with all variations of system and administrator. I have tried all upper case and all lower case.

I did notice that if I simply add the account system to the admin list with no client or hostname after it, I can get the backups to run. This is not the way we want the admin list to be configured. I do have other systems that are being successfully backed up with the NMM using the system account on the local machine.

Does anyone have any other suggestions?

Craig