NetBackup service user setup steps for a NetBackup primary server

Article: 100048220
Last Published: 2025-10-13
Product(s): NetBackup

Problem

Starting with NetBackup 9.1, most primary server services can run as a non-privileged user, which is the recommended configuration. Services that require elevated privileges will continue to run as the privileged user.

  • On UNIX, the user will start seeing a new prompt during the primary server fresh install or upgrade from the previous release. The new prompt will ask the user to provide a ‘service user’ (preferably non-root). Most daemons on the primary server will now run as this user. This user must be created in advance and must have the WEBSVC_GROUP (typically 'nbwebgrp') as the secondary group. This user must be available on each primary server (or each node of a clustered primary server). 
  • On Windows, there is no prompt, and a fresh install defaults to the built-in LocalService account. There is no visible impact on upgrades. More details are provided below.

Solution

About service user on UNIX

Numerous procedures can be used to create users and groups in operating systems. Some specific approaches are listed below, but other methods may accomplish the same goal. The home directory path, user name, and group names are not hardcoded and can be changed. Also, ensure that the WEBSVC_USER for the NetBackup primary server is already configured before creating the NetBackup service user. The detailed steps for configuring web service user for NetBackup primary server can be found at Web server user/group setup steps for a NetBackup master server 

  • In clustered environments, make sure the local users are defined consistently on all cluster nodes. If you use a clustered environment on UNIX platforms, the NetBackup service user can be a local user, but the NetBackup service user must have the same name and UID on all nodes of the cluster. Also, it is recommended to use domain users (Example: NIS) for clustered environments.
  • LDAP users are supported and can be used on UNIX.
  • The NetBackup service user must use a POSIX compliant shell.
  • It is recommended not to use a user that has sudo privileges. See OS documentation for steps on removing sudo privileges for an existing user.
  • Using the root user as a service user is not recommended.
  • Although root can be used as a service user, starting with NetBackup 10.2, the NetBackup database service on the primary server must run under a non-root user. The database service cannot run as root. For more information, refer to Requirements and need for database user with release 10.2 (or higher)

Creating service user and group on UNIX

  1. Create a local primary group for the service user.
    groupadd <groupname>
  2. Create a local service user.
    useradd -g <groupname> -c 'NetBackup Service User' -d /usr/openv/ <username>

  3. Add the WEBSVC_GROUP group as a secondary group for the service user.
    usermod -a -G <nbwebgrp> <username>

About service user on Windows

  • NetBackup services run under different accounts depending on their privilege requirements.
  • By default, services that do not require elevated privileges run under the built-in Local Service account, while services that require elevated privileges run under the Local System account.

Note: The Local Service account is different from the Local System account. For more information, refer to Local Service Account.

  • The Local Service account is the only non-administrator account that can be used to run NetBackup services.
  • For services requiring elevated privileges, either the Local System account or a custom local administrator account can be used.
  • You can run all services under the Local System or a custom local administrator account, but using the Local Service account for services that don’t require elevated privileges is recommended.


When the Typical Install option is selected in the NetBackup installer, a combination of the Local System and Local Service accounts is used. That is, services that do not require elevated privileges run under the Local Service account, while those that require elevated privileges run under the Local System account.

You can specify a different account to run NetBackup services only when using the Custom Install option of the NetBackup installer. You can enter the desired user credentials under Privileged Account Details section, and select Same as privileged under Non-Privileged Account Details section.
The specified account must be a member of the local Administrators group on the system where NetBackup is being installed.
An account other than Local Service cannot be used to run non-privileged services.

The Local Service or Local System account is not used for the NetBackup Web Management Console (nbwmc) and NetBackup Messaging Broker (nbmqbroker) services. These components continue to use a separate Web service user account.
Detailed instructions for configuring the web service user for a NetBackup primary server are available at Web server user/group setup steps for a NetBackup master server

The NetBackup database service runs under the Local Service account, and this configuration cannot be changed. For more information, refer to Requirements and need for database user with release 10.2 (or higher)

Changing service account

To run supported services under a different service account, the nbserviceusercmd command can be run post-installation.

On UNIX systems:

  1. Stop all NetBackup services.
    /usr/openv/netbackup/bin/goodies/netbackup stop
  2. If required, stop PBX exchange to migrate it to service user.
    /opt/VRTSpbx/bin/vxpbx_exchanged stop
  3. Change service user.
    /usr/openv/netbackup/bin/goodies/nbserviceusercmd --changeUser
  4. If step 2 was performed, start PBX exchange.
    /opt/VRTSpbx/bin/vxpbx_exchanged start
  5. Start all NetBackup services.
    /usr/openv/netbackup/bin/goodies/netbackup start

On Windows Systems:

  1. Stop all NetBackup services.
    <install_path>\NetBackup\bin\bpdown -v -f
  2. Change service user. 
    <install_path>\NetBackup\bin\goodies\nbserviceusercmd.exe -changeUser <desired user>
  3. Start all NetBackup services.
    <install_path>\NetBackup\bin\bpup -v -f

More information on nbserviceusercmd is available in the NetBackup Commands Reference Guide.

 

Additional Considerations:

  1. Paths that are external to the NetBackup install directory must manually be made accessible to the service user. Generally they fall into two categories.
    • Paths that are shared with other applications such as ECA path and /tmp
      Users can choose their preferred method for granting access to service user, such as assigning group permissions, using the chmod command, or applying any other suitable approach.
      For Windows systems, users can use the nbserviceusercmd command as described below.

    • Paths that are not shared with other applications.
      For example: 
      • DR path
      • NetBackup catalog relational database files placed on separate disks or paths
      • All directories listed in ALTPATH files present under <install directory>/NetBackup/db/images/<client>/

      • HOST_CACHE_PATH directory in the NetBackup configuration

      • NetBackup log folders if relocated via links
      • When running as non-root service user on UNIX, the <DR file directory> must have permissions rwx------
        chmod 700 /drfile

        The ownership of these directories must simply be updated to the service user using the chown command.
        chown nbservice:nbservicegrp /nbhostcache
        For Windows systems, users can use the nbserviceusercmd command as described below.
         
    • On Windows, you can execute the nbserviceusercmd command to give access to NetBackup services.
      For example:
      <install_path>\NetBackup\bin\goodies\nbserviceusercmd.exe -addAcl "D:\alt_path\target" -reason "Updating ACLs for external path"
       
  2. Using a service user other than root involves a one-time conversion that may significantly increase upgrade time based on your catalog size.
  3. When the NetBackup install or upgrade puts the service user into use, the ownership and permissions of pathnames that are part of the NetBackup install directory are updated automatically.
  4. After changing the service user, users must take a full backup, regardless of whether the policy configuration is Windows/Standard file system or BMR.
  5. If the previous NetBackup installation (10.2 or older) was configured with a service user, then when upgrading with the native installer, configure the service user for Private Branch Exchange by referring to How to use vxpbxserviceusercmd in PBX
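
The ownership and DR directory permission requirements in item 1 can be audited on UNIX after the service user is put into use. The following is an added example, not part of the original article or of NetBackup; the function name audit_paths and the paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not Veritas code): audit external NetBackup paths on UNIX.
# Every listed directory must be owned by the service user; the DR file
# directory must additionally have mode rwx------ (chmod 700).

# audit_paths SERVICE_USER DR_DIR [PATH...]
# SERVICE_USER may be a name or a numeric UID. Returns 1 if any check fails.
audit_paths() {
    svc=$1; dr=$2; shift 2; rc=0
    # Resolve to a numeric UID so the comparison also works for LDAP/NIS users.
    want_uid=$(id -u "$svc" 2>/dev/null) || want_uid=$svc

    for p in "$dr" "$@"; do
        if [ ! -d "$p" ]; then
            echo "FAIL: $p is missing or not a directory"; rc=1; continue
        fi
        # -L follows links (relocated log folders); -n prints numeric IDs.
        # Output is: mode links uid gid ...; keep the 10 mode characters
        # (a trailing '.' or '+' marks an SELinux context or ACLs).
        line=$(ls -ldnL -- "$p")
        mode=$(printf '%s\n' "$line" | awk '{ print substr($1, 1, 10) }')
        uid=$(printf '%s\n' "$line" | awk '{ print $3 }')

        [ "$uid" = "$want_uid" ] ||
            { echo "FAIL: $p owned by uid $uid, expected $want_uid"; rc=1; }
        if [ "$p" = "$dr" ] && [ "$mode" != "drwx------" ]; then
            echo "FAIL: DR directory $p has mode $mode, expected drwx------"; rc=1
        fi
    done
    return "$rc"
}

# Usage (sample names from this article):
#   audit_paths nbservice /drfile /nbhostcache
```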

 

Additional considerations for UNIX:

  1. Resource limits like number of processes that can be spawned must be at par with that of the root user.
  2. Number of files that can be opened must be at par with that of the root user.
  3. It is not recommended to use the root user as the service user.
  4. The WEBSVC_USER should not be used as the service user.
  5. The WEBSVC_GROUP must be a secondary group of the service user.
  6. The NetBackup service user name should contain only ASCII characters. Non-English characters are not supported for service user.
  7. If the service user name is longer than the system-defined user column width (usually 8 characters), you might see a truncated user name or UID in bpps output.
  8. The service user name cannot exceed 32 characters and can only contain English characters. 
  9. Ownership of the /usr/openv directory changes to the new service user.
  10. The service user should maintain the minimum O/S ulimit settings on primary, media server and client of UNIX platforms.
  11. The detailed steps for minimum O/S ulimit settings can be found at Minimum O/S ulimit settings on primary and media server Linux/UNIX platforms
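
The UNIX requirements for the service user listed in this article (name length and characters, POSIX-compliant shell, WEBSVC_GROUP as a secondary group, root and WEBSVC_USER not recommended) can be checked before running the installer. The following is an added example, not part of the original article or of NetBackup; it reads passwd(5)/group(5)-format files (for LDAP or NIS users, save getent passwd and getent group output to files first), and the accepted shell list, the allowed character set and the sudo/wheel group check are assumptions.

```shell
#!/bin/sh
# Added example (not Veritas code): validate a candidate NetBackup service user
# against this article's UNIX requirements, reading passwd(5)/group(5) files.
LC_ALL=C; export LC_ALL

# in_group GROUP USER GROUP_FILE: true if USER is a listed member of GROUP.
in_group() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$3"
}

# check_service_user USER WEBSVC_GROUP WEBSVC_USER [PASSWD_FILE] [GROUP_FILE]
# Prints FAIL (requirement) and WARN (recommendation) lines; returns 1 on any FAIL.
check_service_user() {
    user=$1; wgroup=$2; wuser=$3
    pwfile=${4:-/etc/passwd}; grfile=${5:-/etc/group}; rc=0

    [ "${#user}" -le 32 ] || { echo "FAIL: name exceeds 32 characters"; rc=1; }
    # Assumption: a conservative ASCII subset; the article only requires ASCII.
    case $user in
        *[!A-Za-z0-9._-]*) echo "FAIL: name has characters outside A-Za-z0-9._-"; rc=1 ;;
    esac
    [ "$user" != "$wuser" ] || echo "WARN: WEBSVC_USER should not be the service user"

    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$pwfile")
    [ -n "$entry" ] || { echo "FAIL: user not found in $pwfile"; return 1; }
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$entry
EOF
    [ "$uid" != 0 ] || echo "WARN: root as service user is not recommended"

    # Assumed list of POSIX-compliant login shells; adjust for the platform.
    case ${shell##*/} in
        sh|bash|ksh|dash) ;;
        *) echo "FAIL: shell '$shell' is not a POSIX-compliant shell"; rc=1 ;;
    esac

    in_group "$wgroup" "$user" "$grfile" ||
        { echo "FAIL: $wgroup is not a secondary group of $user"; rc=1; }

    # Heuristic only: sudo rights can also come from sudoers entries.
    for g in sudo wheel; do
        in_group "$g" "$user" "$grfile" && echo "WARN: $user is in group $g"
    done
    return "$rc"
}
# Usage (sample names): check_service_user nbservice nbwebgrp nbwebsvc
```

In a clustered environment, run the same check on every node and compare the UID reported for the user, since the article requires the same name and UID on all nodes.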
