VEACONFIG (1M)    Maintenance Commands
veaconfig - used primarily to assign security roles to SF Manager and VEA 3.3 users. It also allows you to view the identity and security settings for Veritas Provider Layer (VxPAL) agents.
veaconfig -h [list_user | add_user | remove_user | agent_info]
veaconfig -c {list_users | add_user | remove_user}{ [-d domain] [-e port] [-u [broker:]user@domain.domain_type] [-p password] [-l SFSMhost] {-o host} {-n [broker:]user@domain.domain_type} {-r security_role} [-g] [-b basedir] }
veaconfig -c agent_info -a agent_name
The veaconfig utility is used primarily to assign security roles to SF Manager and VEA 3.3 users. Using veaconfig, you determine which activities a user or a user group can perform on a particular managed host.
All users in an operating system domain authenticated by the Authentication Service are granted Guest privileges by default. You can assign the same user different roles on a host-by-host basis, or you can assign a user one role across all managed hosts in the security domain.
veaconfig uses security parameters defined in csf_resolv.conf by default. See the section called FILES.

-h, --help
Provides usage information for veaconfig. For more details about the options of each veaconfig command, type:
veaconfig -h command

list_users
Lists local and private domain users and their permissions on a host. Also lists operating system domain users that have been assigned security roles other than Guest.

add_user
Adds a private domain user and assigns a user role, or security level, to a particular host.
In addition to add_user, specify -g if the user you are adding is an operating system user group.

remove_user
Removes a user or deletes user permission from the object.
In addition to remove_user, specify -g if the user you are removing is an operating system user group.

-d, --domain domain
Short name, IP address, or the fully-qualified domain name for the Domain Controller host. -d is optional, provided veaconfig can access csf_resolv.conf. See the section called FILES.
It is recommended that you include this option within the csf_resolv.conf file on the managed host, so that you do not need to specify it within the veaconfig command. Any values specified from the veaconfig command override values in csf_resolv.conf.

-e, --port port
Port through which to connect on the Domain Controller host. If not specified, defaults to 1556, the port number for VxPBX. It is strongly recommended that you do not change this port setting.

-u, --user-id [broker:]user@domain.domain_type
Administrator username for the Authentication Broker. -u is optional, provided veaconfig can access csf_resolv.conf. See the section called FILES.
It is recommended that you include this option within the csf_resolv.conf file on the managed host, so that you do not need to specify it within the veaconfig command. Any values specified from the veaconfig command override values in csf_resolv.conf.
broker is the fully-qualified host name for the Authentication Service broker host.
user is a valid administrator account for the broker host.
domain is a valid authentication domain for the broker host.
domain_type is the type of authentication domain for the broker host, and can be the following: vx, nisplus, nis, nt, and unixpwd.

-p, --password password
Password for the specified administrator account. -p is optional, provided veaconfig can access csf_resolv.conf. See the section called FILES.
It is recommended that you include this option within the csf_resolv.conf file on the managed host, so that you do not need to specify it within the veaconfig command. Any values specified from the veaconfig command override values in csf_resolv.conf.

[--no-prompt]
If veaconfig does not find a password for the specified user account in its security store, it prompts for one, unless you specify --no-prompt. This option is useful in scripting situations, when user interaction is not sought.

-l, --host SFMShost
host is the short host name, IP address, or the fully-qualified host name for the Management Server host. -l is optional, provided veaconfig can access csf_resolv.conf. See the section called FILES.
It is recommended that you include this option within the csf_resolv.conf file on the managed host, so that you do not need to specify it within the veaconfig command. Any values specified from the veaconfig command override values in csf_resolv.conf.

-o, --OID host
The name of the centrally managed or standalone host on which you want to set authorization for a specified user or user group.
host can be the IP address or fully-qualified host name for the centrally managed or standalone host.
Specifying the virtual object, root$, for host causes the action to affect all managed hosts in the security domain.

-n, --ac_name [broker:]user@domain.domain_type
The user or user group name that you want to perform the specified action on.
broker is the fully-qualified host name for the Authentication Service broker host. If broker is omitted, veaconfig defaults to the value specified in csf_resolv.conf.
user is a user account or user group name.
domain is a valid authentication domain for the broker host.
domain_type is the type of authentication domain for the broker host, and can be the following: vx, nisplus, nis, nt, and unixpwd.

-r, --role security_role
Associates a role with a user. (A role is a collection of access rights or permissions based on one or more product features.)
security_role can be one of the following pre-defined roles, whose names are case-sensitive: Administrator, Operator, or Guest. Veritas Storage Foundation Manager does not support additional customization of these roles.

Administrator
The root user on a host is automatically granted Administrator privileges for that host. These privileges cannot be changed.
An Administrator user on a Management Server can assign and administer security roles to all the users listed in the Authentication Broker Private Domain Repository (PDR).

Operator
A user assigned to this role can perform some management operations, such as performing backups, administering the database, and making some limited configuration changes. For detailed information about what duties the Operator user can perform, refer to the specific documentation for your Storage Foundation and Disk Protection product.

Guest
A user assigned to this role cannot make any changes to the configuration. A Guest can view the objects in the network and print reports. By default, all authenticated users belong to this role.

-g
Indicates that the account specified is an operating system user group name. This allows you to leverage the operating system access controls that you have already set up.
The -g option lets you grant SF Manager access privileges to an existing operating system user group, rather than having to grant access privileges to each username individually.

-b basedir
(Solaris only) Sets an alternative base output directory for merging object type information. Typically the -b option is used during Solaris Jumpstart installs where the basedir is not equal to root (/).

agent_info
Provides information about the VxPAL agent on the local host.

-a, --agent agent_name
agent_name can be one of the following: StorageAgent, StorageManager, DBEDAgent, actionagent, gridcentral, gridnode, VAILAgent, and so on.
Check the latest list of VxPAL agents. See the Veritas Storage Foundation Manager Release Notes.

csf_resolv.conf is an optional file that contains the default security parameters for a VxPAL agent and the default domains for which an agent can be configured. Any values specified from the veaconfig command override values in csf_resolv.conf.
By default, csf_resolv.conf resides in:
/etc/default/csf_resolv.conf
csf_resolv.conf resides on the Management Server host in:
/etc/default
It is possible to override the default csf_resolv.conf by specifying the environment variable CSF_RESOLV_CONF. In this manner you can manage domain settings for multiple users. CSF_RESOLV_CONF should point to a file that uses the conventions defined in this man page. See csf_resolv.conf(4).
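Because this page recommends keeping the -u and -p values in csf_resolv.conf, and CSF_RESOLV_CONF can point veaconfig at a different file, the effective file deserves a permission check before it is relied on. The following shell check is an added example, not part of the original man page or of Symantec's tooling; the helper names vea_conf_path and vea_conf_check, the status codes, and the owner-only permission policy are assumptions.

```shell
#!/bin/sh
# Added example (not Symantec code). vea_conf_path and vea_conf_check are
# hypothetical helper names; the owner-only policy is an assumption.

# Path veaconfig is documented to read: CSF_RESOLV_CONF if set, else default.
vea_conf_path() {
    printf '%s\n' "${CSF_RESOLV_CONF:-/etc/default/csf_resolv.conf}"
}

# Status: 0 owner-only regular file, 1 absent (the file is optional),
#         2 symlink or not a regular file, 3 group/other have access.
vea_conf_check() {
    f=${1:-$(vea_conf_path)}
    if [ -L "$f" ]; then
        echo "$f: symbolic link, resolve and check the target" >&2; return 2
    fi
    [ -e "$f" ] || { echo "$f: not present" >&2; return 1; }
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 2; }
    # Is any group or other permission bit set?
    loose=$(find "$f" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        echo "$f: accessible beyond its owner" >&2; return 3
    fi
    return 0
}

# Check whichever file the current environment selects.
vea_conf_check || echo "csf_resolv.conf check returned status $?"
```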
This section provides usage examples for veaconfig.
EXAMPLE 1:
The following command lists all users and their security roles known to the Management Server my_SFMS_host.example.com:
veaconfig -c list_user -o my_SFMS_host.example.com
EXAMPLE 2:
The following command lists users and user groups with access to all managed hosts in the security domain:
veaconfig -c list_user -o root$
EXAMPLE 3:
The following command authorizes the user jane with administrator privileges on the host dbserver.enterprise.com:
veaconfig -c add_user -o dbserver.enterprise.com -n jane@myserver.enterprise.com.unixpwd -r Administrator
EXAMPLE 4:
The following command authorizes the user john as an Administrator on a host whose IP address is 10.180.148.137:
veaconfig -c add_user -o 10.180.148.137 -n john@enterprise.com.nisplus -r Administrator
EXAMPLE 5:
The following command authorizes the user john as an Administrator on all managed hosts in the security domain:
veaconfig -c add_user -o root$ -n john@enterprise.com.nisplus -r Administrator
EXAMPLE 6:
The following command authorizes members of the NT domain user group Backup operator with Operator privileges on a host whose IP address is 10.180.148.137:
veaconfig -c add_user -o 10.180.148.137 -n "Backup operator@enterprise.com.nt" -r Operator -g
EXAMPLE 7:
The following command removes the user jane from the SF Manager authorized user list:
veaconfig -c remove_user -n jane@enterprise.com.unixpwd
EXAMPLE 8:
The following command removes the user john from all managed hosts in the security domain:
veaconfig -c remove_user -o root$ -n john@enterprise.com.nisplus
EXAMPLE 9:
The following command:
veaconfig -c agent_info -a my_agent
fetches and displays configuration information about a VxPAL agent (my_agent), similar to the following:
Configuration information for the agent my_agent
Security Information:
Security ID:devgiri.example.com:vea_agent/vea_domain.vx
Protocol:VSSIIOP PBX_PORT:0 Mode: 2
Membership Information:
habsol9-03.example.com {3014e67c-1dd2-11b2-933d-0003bac6b8f1}
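The -n principal syntax, the case-sensitive role names, and the domain-wide effect of -o root$ described above can be checked before an add_user command is issued. The following shell function is an added example, not part of the original man page or of Symantec's tooling; the name vea_check_grant, its status codes, and the confirmation argument are assumptions, and it never runs veaconfig itself.

```shell
#!/bin/sh
# Added example (not Symantec code): pre-flight check for a veaconfig
# add_user grant. vea_check_grant is a hypothetical helper name and never
# runs veaconfig itself. Status codes are this example's own:
#   0 ok, 1 bad role, 2 bad principal, 3 unconfirmed domain-wide Administrator
vea_check_grant() {
    host=$1 principal=$2 role=$3 confirm=${4:-no}

    # -r: role names are case-sensitive; only three pre-defined roles exist.
    case $role in
        Administrator|Operator|Guest) ;;
        *) echo "invalid role: $role" >&2; return 1 ;;
    esac

    # -n: [broker:]user@domain.domain_type
    rest=${principal#*:}          # strip the optional "broker:" prefix
    case $rest in
        *@*) ;;
        *) echo "missing @domain: $principal" >&2; return 2 ;;
    esac
    user=${rest%%@*}
    realm=${rest#*@}              # domain.domain_type
    domain=${realm%.*}
    dtype=${realm##*.}
    if [ -z "$user" ] || [ -z "$domain" ] || [ "$domain" = "$realm" ]; then
        echo "malformed principal: $principal" >&2; return 2
    fi
    case $dtype in
        vx|nisplus|nis|nt|unixpwd) ;;
        *) echo "unknown domain_type: $dtype" >&2; return 2 ;;
    esac

    # -o root$ applies the action to every managed host in the security
    # domain, so an Administrator grant there needs an explicit "yes".
    if [ "$host" = 'root$' ] && [ "$role" = Administrator ] &&
       [ "$confirm" != yes ]; then
        echo "domain-wide Administrator grant for $user not confirmed" >&2
        return 3
    fi
    return 0
}

# Constructed demo using values from EXAMPLE 5 on this page.
vea_check_grant 'root$' john@enterprise.com.nisplus Administrator ||
    echo "grant held back (status $?)"
```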
0 - Success
1 - Failure
2 - Authentication broker is down
3 - Authentication failure
4 - Access denied
5 - Domain Controller (SF Manager host) is down
6 - Authentication configuration failed
7 - Domain Controller configuration failed
For troubleshooting, you can refer to the veaconfig log file:
/var/vx/isis/veaconfig.log
csf_resolv.conf(4)
veainfo(1m)
Copyright (c) 2007 Symantec Corporation. All rights reserved.
Last updated: 05/17/2007