In many enterprise environments the ActiveDirectory authentication is used even on Unix/Linux servers. It’s much smarter way how to manage a lot of users and groups.

But - by default - NBU requires local Unix user. What is you want to used AD auth for NBU Java console too?

I was inspired by discussion forum on Symantec web. Solution is easy.

But how to handle authorization configured in /usr/openv/java/auth.conf?
Here is my solution.

To configure ActiveDirectory authentication for NBI Java console you need to create plugin “nbu” in PAM configuration.

UPDATE: Name of PAM service (in my case nbu) has to be written to file /usr/openv/netbackup/pam_service.txt.

I have made it very easy. As my NBU master server was already configured for AD authentication to sshd I have just copied /etc/pam.d/sshd to /etc/pam.d/nbu (oh, did I told you that my NBU master is running on Linux?). Here is the content of the file:

#%PAM-1.0
#hosted.internal AD auth
auth sufficient pam_winbind.so require_membership_of=NBU-3rdlinesupport,NBU-administrators,NBU-operators
account sufficient pam_winbind.so
password sufficient pam_winbind.so use_authtok
#Linux auth
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0027
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

Users from three different AD groups (3rd line) are the only ones allowed to log into NBU Java console. That was the standard part.

But what is not possible is to integrate Java console authorization with ActiveDirectory or LDAP. Usernames just have to be in /usr/openv/java/auth.conf file.

The only way is to put all required users to this file. (Or not? If you know hot to integrate authorization with AD, give me a notice.)

Do it manually? Are you crazy?

I even don’t know all people in all three AD groups (mentioned above).
But automation seems to be pretty simple.
Take all users from particular AD groups and put them to auth.conf file.

Here is my script. Just run it by cron in reasonable intervals (once daily is enough for me).

#!/usr/bin/perl -w
#
# Script that will generate file /usr/openv/java/auth.conf according the membership
# ActiveDirectory groups in HOSTED domain
# It could be written even nicer (loop around admins and operator)
# but this is working fine.

$debug = 0;
$domain = 'INTERNAL';
@admin_groups = ( 'NBU-3rdlinesupport', 'NBU-administrators' );
@operator_groups = ( 'NBU-operators' );

$fixed_content = <<ENDOFFIXEDCONTENT;
# Please, don't edit manually this file as it is recreated
# everyday by script $0
# Any fixed content you want to add to this file, please,
# add to this script.
# 
# Standard content of the file:
# There are 2 permissions - ADMIN= Admin GUI, JBP = Backup, Archive & Restore GUI on clients
# ALL = Administration of all applications
# AM = Activity Monitor
# BMR = Bare Metal Restore
# BPM = Backup Policy Management
# BAR or JBP = Backup, Archive and Restore
# CAT = Catalog
# DM = Device Manager
# HPD = Host Properties
# MM = Media Management
# REP = Reports
# SUM = Storage Unit Management
# VLT = Vault Management
#
# Next line should be deleted is all AD auth is working fine
root ADMIN=ALL JBP=ALL
#
# Don't delete next line
* ADMIN=JBP JBP=ALL
#
# Dynamic content of the file:
#
ENDOFFIXEDCONTENT

$wbinfo = '/usr/bin/wbinfo';
$java_auth_conf = '/usr/openv/java/auth.conf';

sub remove_duplicities {
        my @temp_array = @_;
        my %temp_hash = map { $_, 0 } @temp_array;
        @temp_array = sort keys %temp_hash;
        return @temp_array;
};                                              # stollen from Internet

if ( $debug eq 0 ) {
        open(STDOUT, "> $java_auth_conf");
};
print STDOUT $fixed_content;
print STDOUT "# NBU administrators - groups:\n";
foreach $group ( @admin_groups ) {
        print "# $domain\\$group\n";
}
print STDOUT "#\n";
@users = ();
foreach $group ( @admin_groups ) {
        open(WBINFO, "$wbinfo --domain $domain --group-info $group |");
        $line = <WBINFO>;
        close WBINFO;
        chomp $line;
        ( undef, undef, undef, $line) = split(/:/, $line);      # to get just list of users
        my @x = split(/,/, $line);
        @users = (@users, @x);                                  # add users from currently processed group to the list
}

@users = remove_duplicities( @users );
foreach $user ( @users ) {
        print STDOUT "$user ADMIN=ALL JBP=ALL\n";
};
print STDOUT "#\n#\n# NBU operators - groups:\n";

foreach $group ( @operator_groups ) {
        print "# $domain\\$group\n";
}
print STDOUT "#\n";
@users = ();
foreach $group ( @operator_groups ) {
        open(WBINFO, "$wbinfo --domain $domain --group-info $group |");
        $line = <WBINFO>;
        close WBINFO;
        chomp $line;
        ( undef, undef, undef, $line) = split(/:/, $line);      # to get just list of users
        my @x = split(/,/, $line);
        @users = (@users, @x);                                  # add users from currently processed group to the list
}
@users = remove_duplicities( @users );
foreach $user ( @users ) {
        print STDOUT "$user ADMIN=AM+BPM+JBP+HPD+REP JBP=ALL\n";
};

close STDOUT;

You need to modify just four variables at the beginning - AD domain, list of group(s) that should have full NBU admin rights and list of group(s) with just operator rights (can change list of priviledges on the 3rd line from the end.

When everything is working fine I suggest to comment out the line root ADMIN=ALL JBP=ALL . Oh, I forgot to tell you that you need a /usr/bin/wbinfo utility. But if you have AD authentication configured, this binary is probably on your system already.

Enjoy…