Security Hardening NetBackup MP4 Requirements - oprd network error 39 - Veritas Net Backup

This is a discussion on Security Hardening NetBackup MP4 Requirements - oprd network error 39 - Veritas Net Backup ; Hello, We have deployed a faily simple configuration with a single master server and single media server directly connected to each other (no firewalls). From an installation perspective, things are running fine, and we start all services under backup users ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Security Hardening NetBackup MP4 Requirements - oprd network error 39

  1. Security Hardening NetBackup MP4 Requirements - oprd network error 39

    Hello,

    We have deployed a faily simple configuration with a single master server
    and single media server directly connected to each other (no firewalls).
    From an installation perspective, things are running fine, and we start all
    services under backup users within the domain that are members of the Domain
    Admins group (for now). We are having a problem when communicating to the
    vmd process of the media server, though. We consistenly receive an oprd
    network error (39) message when attempting to add the local tape drive fom
    the media server. The client can be accessed (bpcd) without any problem,
    though. We think that it may have something to do with domain security
    policies that we have set (security options and/or user rights). I have not
    found any definitive documentation on necessary user rights + security
    options for a proper master/media server combination. Standard clients seem
    to work fine. Here are my main questions:

    1) What are the proper user rights that should be granted to a Domain User
    to properly start the NB services without being a Domain Admin? These would
    include Access this computer from network, Manage security logs, Act as part
    of the operating system, etc.
    2) What security policies affect the usage or communications of NB? These
    would include things such as LDAP signing, digital signatures, FIPS
    encryption, named pipes access, etc.

    Our goal is to keep out systems configured as tightly as possible while not
    interfering with the proper operation of NB.

    Non-related questions:

    1) Is it normal for a 20-30 second delay to communicate with hosts or media
    servers across the network? For instance, double-clicking the master
    server's hostname under the clients listing immediately brings up the client
    attributes. When double-clicking a network host, it takes forever. Things
    work fine, and backups occur at high-speed, but there seems to be large
    delays in communication. This occurs on at least 3 different installations
    to 3 different networks (ruling out a network issue). Maybe I'm just not
    patient.
    2) What authentication does NB use when accessing remote systems? We see
    security logins attempting as the local system account of the master to the
    media server. There were several failed authentication attempts. When
    granting the machine name the access computer from network right, the errors
    went away, but we still had our initial problem listed above.
    3) What would cause the NetBackup Service Layer service to all of a sudden
    stop starting up - it hangs for a while and then gives an error about not
    responding in a timely fashion.
    4) What are the best commandline tools to troubleshoot all of this stuff?
    What are the best "go to" logs to start with when troubleshooting this
    beast?

    OK, thanks for sticking with this long-winded post. We're just trying to
    grasp this product before we go into real production in a few weeks.

    Mark


  2. Re: Security Hardening NetBackup MP4 Requirements - oprd network error 39


    "Mark W." wrote:
    >Hello,
    >
    >We have deployed a faily simple configuration with a single master server


    >and single media server directly connected to each other (no firewalls).


    >From an installation perspective, things are running fine, and we start

    all
    >services under backup users within the domain that are members of the Domain


    >Admins group (for now). We are having a problem when communicating to the


    >vmd process of the media server, though. We consistenly receive an oprd


    >network error (39) message when attempting to add the local tape drive fom


    >the media server. The client can be accessed (bpcd) without any problem,


    >though. We think that it may have something to do with domain security
    >policies that we have set (security options and/or user rights). I have

    not
    >found any definitive documentation on necessary user rights + security
    >options for a proper master/media server combination. Standard clients seem


    >to work fine. Here are my main questions:
    >
    >1) What are the proper user rights that should be granted to a Domain User


    >to properly start the NB services without being a Domain Admin? These would


    >include Access this computer from network, Manage security logs, Act as

    part
    >of the operating system, etc.
    >2) What security policies affect the usage or communications of NB? These


    >would include things such as LDAP signing, digital signatures, FIPS
    >encryption, named pipes access, etc.
    >
    >Our goal is to keep out systems configured as tightly as possible while

    not
    >interfering with the proper operation of NB.
    >
    >Non-related questions:
    >
    >1) Is it normal for a 20-30 second delay to communicate with hosts or media


    >servers across the network? For instance, double-clicking the master
    >server's hostname under the clients listing immediately brings up the client


    >attributes. When double-clicking a network host, it takes forever. Things


    >work fine, and backups occur at high-speed, but there seems to be large


    >delays in communication. This occurs on at least 3 different installations


    >to 3 different networks (ruling out a network issue). Maybe I'm just not


    >patient.
    >2) What authentication does NB use when accessing remote systems? We see


    >security logins attempting as the local system account of the master to

    the
    >media server. There were several failed authentication attempts. When
    >granting the machine name the access computer from network right, the errors


    >went away, but we still had our initial problem listed above.
    >3) What would cause the NetBackup Service Layer service to all of a sudden


    >stop starting up - it hangs for a while and then gives an error about not


    >responding in a timely fashion.
    >4) What are the best commandline tools to troubleshoot all of this stuff?


    >What are the best "go to" logs to start with when troubleshooting this
    >beast?
    >
    >OK, thanks for sticking with this long-winded post. We're just trying to


    >grasp this product before we go into real production in a few weeks.
    >
    >Mark
    >


    Hi Mark
    Did you find out anything more on this - it could be similar to what I'm
    seeing as I get the same error - I think it's name resolution of some sort,
    but all the DNS seems ok and I've even got hosts files.
    I only get this messages when trying to get to media servers in a different
    domain to the master server - albeit these servers backup ok as clients that
    fail when I try to back them up as their own media server.
    Thanks
    Keir

+ Reply to Thread