Troubleshooting issues with the non-privileged user (service user) account
This topic provides troubleshooting information about the issues specific to the non-privileged, non-root, or service user.
Most of the primary server services can be run as non-privileged user, which is highly recommended. This new user is called service user.
For more information on the service user, see the NetBackup Security and Encryption Guide.
The nbcertcmd command options internally run under the service user context. You can find the logs of the nbcertcmd command options in the SERVICE_USER.xxxxxx_xxxxx.log file.
Table: Troubleshooting service user issues
Sr. No. | Issue | Possible reason | Resolution |
|---|---|---|---|
1 | During NetBackup installation or upgrade on UNIX platform, unable to specify the service user even after three prompts. | Possible reasons are as follows:
| Resolutions are as follows:
|
2 | During NetBackup installation on an inactive cluster node on UNIX platform, one of the following errors occurs:
| The service user name and the user ID do not match. | Ensure that the service user name and the user ID match on all cluster nodes and the same is provided during NetBackup installation on active and inactive nodes. |
3 | During NetBackup upgrade of an inactive cluster node on UNIX platform, the following error occurs: Failed to retrieve the 'SERVICE_USER' or 'SERVICE_USER_ID' entries from the configuration file on the server 'cluster_virtual_name'. You must provide the same 'SERVICE_USER' (daemon user name) that is configured on the active node. | The bpgetconfig command could not retrieve the service user and the ID from active node. | Provide the service user as that of the active node and ensure that the service user has the same user ID on all cluster nodes. |
4 | During NetBackup installation or upgrade on UNIX platform, the following error occurs: The user serviceuser cannot be set as the owner of files in /usr/openv. | This may be because of the issues while changing the ownership of the installation directory. | Fix the errors specified in installation trace under the following heading: Fix below errors and then retry |
5 | NetBackup host communication does not work when external CA is configured with Windows Certificate Store and services run in a Local Service account context. | NetBackup services do not have access to the private key. Usually, the error in this case can be seen in the nbpxyhelper logs: The Windows API CryptAcquireCertificatePrivateKey fails with error 0x80090016: Keyset does not exist. | Check private key permissions as follows: Right-click the certificate. Go to . All NetBackup services should have permissions to read the private key. Run the following command to set permissions: nbcertcmd -setWinCertPrivKeyPermissions Run the following command to validate the configuration: nbcertcmd -ecaHealthCheck |
6 | The setconfig command fails with the following error: Failed to open /usr/openv/netbackup/bp.conf.d53: Permission denied (13) | Ownership of /usr/openv/netbackup is changed to the root user. Other possible reason may be that the language pack is installed using rpm. | Run the following command to fix the ownership issues: /usr/openv/netbackup/bin/goodies/ update_install_folder_perms |
7 |
| Service user account may not have access to the disaster recovery (DR) path specified in policy. | Review status code 9201 and 9202. Refer to the NetBackup Status Codes Guide. Refer to the NetBackup Security and Encryption Guide for giving access permissions to the service user account. |
8 | Disaster recovery fails. | The NBHostIdentity -import command fails. | Ensure the following:
|
9 | Any of the following commands fail with error: Ensure that the service user account [service_user_name] has access permissions on the specified paths and their contents.
Path: For UNIX - Install_Path/db/bin For Windows - Install_Path\netbackup\bin | Service user account may not have access permissions on specified paths and their contents. | Refer to the NetBackup Security and Encryption Guide for giving access permissions to the service user account. |
10 | Adding VMware server operation fails | 500 system error | Ensure that the temp directory (/tmp) is accessible to the service user account |
11 | Issue in bpjava-test-login workflow | File ownership is shown as 'root' | Change the ownership of the file to the service user account. |
12 | nbcertcmd operations fail. | Lack of permissions | Check if the certmapinfo.json file is created and owned by the service user. |
13 | nbcertcmd or bpnbaz fails with error code 123. | The private key file (PrivKeyFile-2048.pem), public key file (PubKeyFile-2048.pem), or access control list (ACL) update failed. | Ensure that NetBackup SIDs are configured and both public and private keys are present in AT_DATA_DIR. |
14 | nbserviceusercmd -changeUser operation failed with authorization failure, when NBAC is configured. | The new service user is not part of the NBAC security admin group. | Add the new service user in the NBAC security admin group. Run the following command: vssaz addazgrpmember --azgrpname \"Security Administrators\" --prplinfo prplinfo |
15 | After NetBackup 9.1 installation and upgrade, NetBackup Administration Console login fails for root user, if NetBackup access control (NBAC) or Enhanced Auditing (EA) is enabled. | The user certificate directory is changed. | If NBAC or EA is enabled in your environment, you must run the bpnbat -login command after NetBackup upgrade. |
16 | The nbcertcmd -enrollCertificate command fails as external CA (ECA) health check fails. An error occurs while accessing the files at the following path: certificates/private key/passphrase file/crl | The nbcertcmd -enrollCertificate command runs under the service user context, however the service user does not have access to the associated files. | Provide the required access to the service user. It is recommended that you run the following command to verify the access rights before running the enrollCertificate command again: nbcertcmd -ecaHealthCheck -serviceUser user_name |
17 | Before upgrade or change user, the service user is deleted. | The service user may be deleted because of certain user actions. | Do the following: Reconfigure the user to restore the service user. Refer to the article. Run the following commands::
|
18 | During backup or restore, operation error is encountered. | The media server version is earlier than the client version. | Upgrade the media server or use an alternate media server with the version that is later or same as the client version. |