Managing Administrative Accounts on Celerra
P/N 300-002-717
Rev A01
Version 5.5
March 2006

Contents

Introduction
    Terminology
Administrative user account concepts
    Control Station user accounts
    Data Mover user accounts
    General user accounts
System requirements
    EMC NAS Interoperability Matrix
User interface choices
Managing administrative user accounts roadmap
Creating a Control Station administrative user account
    Task 1: Setting up the shell profile
    Task 2: Creating an account
    Examples
Creating an administrative user for Celerra Manager
Troubleshooting administrative user accounts
Related information
    Customer training programs
Index


Introduction

This technical module explains how to manage administrative user accounts for the Celerra® Network Server. Administrative user accounts can be configured on the Control Station and Data Mover. This technical module focuses on Control Station administrative user accounts. It is part of the Celerra Network Server information set and is intended for system administrators responsible for user access.

Terminology

This section defines terms important to understanding user accounts on the Celerra Network Server. The Celerra Network Server User Information Glossary provides a complete list of Celerra terminology.

ACL (access control list): (Windows) A list of access control entries (ACEs) that provide information about the users and groups that are allowed access to an object. (Celerra) A table created and recognized only in the Control Station database that contains assigned levels for specified users and groups allowing access to system objects on the Control Station.

Active Directory: An advanced directory service included with Windows 2000 Server. It stores information about objects on a network and makes this information available to users and network administrators through a protocol such as LDAP.

Celerra FileMover: (formerly DHSM) A policy-based system that is used to determine where files should be physically stored. In most cases, policies based on file size and/or last access time are used to identify data that can be moved to slower, less expensive data storage.

CIFS (Common Internet File System): A file-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users to share file systems over the Internet and intranets.

Control Station: A hardware and software component of the Celerra Network Server that manages the system and provides the user interface to all Celerra components.

FTP (File Transfer Protocol): A high-level protocol for transferring files from one machine to another. Implemented as an application-level program (based on the OSI model), FTP uses Telnet and TCP protocols.

GID (group identifier): A number assigned to a particular group of users.

NDMP (Network Data Management Protocol): An open standard network protocol designed for enterprise-wide backup and recovery of heterogeneous network-attached storage.

NIS (Network Information Service): A distributed data lookup service that shares user and system information across a network, including usernames, passwords, home directories, groups, hostnames, IP addresses, and netgroup definitions.

UID (user identifier): A number that corresponds to a particular user.


Administrative user account concepts

A user account provides a user with access to a computer system and its objects. It also defines that user’s access to those system objects. The Celerra Network Server supports three types of user accounts:

◆ Control Station user accounts that provide administrative access to the Celerra Network Server and its resources.

◆ Data Mover user accounts that provide administrative access to certain Celerra features and third-party applications.

◆ General user accounts for the Windows and/or UNIX users using the Celerra Network Server to access file systems.

Control Station user accounts

Control Station user accounts provide administrative access to the Celerra Network Server and its resources. The Celerra Network Server software installation automatically creates a Celerra administrative account called nasadmin, which is the owner of all that server’s Data Movers and their resources.

You might configure additional user accounts to allow specific administrators ownership of a subset of Data Movers. For example, the account sysadmin1 can be configured to provide administrative access to server_2 and server_3 while the account sysadmin2 might be configured to provide administrative access to server_4 and server_5. Special user accounts are required for Control Station to Control Station connectivity when using certain Celerra features such as Replicator and SRDF. In these situations, the necessary user accounts are configured as part of the feature’s CLI command scripts.

You can also create an administrative user account that has permission to log in to Celerra Manager but not the Celerra CLI. This allows you to give a user management access to a Celerra Network Server only through Celerra Manager. Refer to the Celerra Manager online help for information on how to create this user account.

Control Station accounts are actually Linux user accounts and are created and managed using basic Linux commands or the linuxconf utility. Once you create these user accounts, you can then create an access control level table composed of entries limiting the privileges allowed for these users and groups.

Note: By default, the permission level assigned to a new user account is admin. The admin permission level is the most privileged, as it is at the top of the hierarchy that includes the privileges of the other levels (operator and observer).

After you define the permission level of your administrative user accounts, assign access control levels to the objects to which you want to control access. For Control Station users, these objects are Data Movers, volumes, and file systems. The Controlling Access to Celerra System Objects technical module provides more information.


Data Mover user accounts

Data Mover user accounts provide administrative access to certain Celerra features and third-party applications. You must create a special user account using the server_user command for the FTP, NDMP backup, and Celerra FileMover features. The online Celerra man pages or the Celerra Network Server Command Reference Manual provide a detailed synopsis of the server_user command. The Using FTP on Celerra Network Server, Configuring NDMP Backups on Celerra, and Using Celerra FileMover technical modules provide specific information on configuring user accounts for these features.

Data Mover user accounts are also used to provide administrative access to third-party applications such as Oracle and ClearCase. In this situation, the username and password entered on the Data Mover must match those entered in the third-party application. Refer to the third-party application’s documentation for appropriate usernames.

General user accounts

Typically you do not configure individual general user accounts. These user accounts and their access rights are configured using system-wide services such as NIS in a UNIX environment or Active Directory, in conjunction with one of the Celerra Network Server’s user mapping tools, in a Windows environment.


System requirements

This section describes the Celerra Network Server software, hardware, network, and storage configurations required for using administrative user accounts as described in this technical module.

Table 1 System requirements for user accounts

Software    Celerra Network Server Version 5.5
Hardware    No specific hardware requirements
Network     No specific network requirements
Storage     No specific storage requirements

EMC NAS Interoperability Matrix

The EMC NAS Interoperability Matrix is available on Powerlink™. It contains definitive information on supported software and hardware, such as backup software, Fibre Channel switches, and application support for Celerra network-attached storage (NAS) products.


User interface choices

This technical module describes how to manage administrative user accounts using the command line interface (CLI). You cannot use other Celerra management applications to manage administrative user accounts.


Managing administrative user accounts roadmap

Table 2 lists the tasks that allow you to manage the administrative user accounts described in this technical module.

Important: After you create a Control Station administrative user, you can create an entry in the access control level table limiting the privileges allowed for that user as well as assign access control levels to the objects to which you want that user to have access. For Control Station users, these objects are Data Movers, volumes, and file systems. The Controlling Access to Celerra System Objects technical module provides more information.

Table 2 Managing user accounts roadmap

Task                                                        Procedure
Add, modify, and delete accounts on the Control Station.    "Creating a Control Station administrative user account"
Add an account for Celerra Manager.                         "Creating an administrative user for Celerra Manager"


Creating a Control Station administrative user account

Control Station user accounts provide administrative access for the Celerra Network Server and its resources. The Celerra Network Server software installation automatically creates a Celerra administrative account called nasadmin, which is the owner of all that server’s Data Movers and their resources.

You can configure additional user accounts to allow specific administrators ownership of a subset of Data Movers.

Table 3 Administrative user account tasks

Task    Action                             Procedure
1.      Set up the shell profile.          Task 1: "Setting up the shell profile"
2.      Create user and group accounts.    Task 2: "Creating an account"

Task 1: Setting up the shell profile

A Control Station user account has an associated shell profile that sets up the necessary environment variables and paths for that user when this user logs in. Before creating a new account, you must edit the basic .bash_profile portion of the /etc/skel file to include information relevant to the new account. When the new account and the new user’s directory are created, the .bash_profile is automatically copied to it.

The basic .bash_profile appears as follows:

    # .bash_profile

    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
        . ~/.bashrc
    fi

    # User specific environment and startup programs

    PATH=$PATH:$HOME/bin

    export PATH
    unset USERNAME

Using an editor such as vi, add the following information:

    NAS_DB=/nas
    export NAS_DB
    MANPATH=/usr/share/man:/usr/man:$NAS_DB/man
    export MANPATH
    PATH=$PATH:$NAS_DB/bin
    export PATH
    /nasmcd/.emc_login

To view the revised profile information, type:

    # more .bash_profile

    # .bash_profile

    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
        . ~/.bashrc
    fi

    # User specific environment and startup programs

    PATH=$PATH:$HOME/bin

    export PATH
    unset USERNAME
    NAS_DB=/nas
    export NAS_DB
    MANPATH=/usr/share/man:/usr/man:$NAS_DB/man
    export MANPATH
    PATH=$PATH:$NAS_DB/bin
    export PATH
    /nasmcd/.emc_login

Task 2: Creating an account

You can use either Linux commands or the linuxconf utility to create accounts. You must be root to run these commands.

Note: Do not directly edit the Control Station’s passwd or group files.

Note: The Celerra Network Server does not support two user accounts with the same UID.

The Linux commands, entered at the command line, allow you to add, modify, and delete user and group accounts:

◆ useradd

◆ usermod

◆ userdel

◆ groupadd

◆ groupmod

◆ groupdel

For complete syntax information, refer to the Linux man pages on the Control Station.

The linuxconf utility is a GUI-based program that allows you to add, modify, and delete user and group accounts. For more information, refer to www.solucorp.qc.ca/linuxconf.

Note: If you Telnet from a Windows system to connect to a Control Station, type export TERM=pcansi before starting linuxconf.

Creating group accounts

Administrative user accounts must belong to the default Celerra administrative account nasadmin group (GID 201) either as their primary or supplementary group.


If you plan to manage administrative accounts individually (that is, they are defined as user accounts in the Control Station access control level table), then GID 201 can be the primary GID of the new account. You do not need other group affiliations.

If you plan to manage administrative accounts by group affiliation, the primary GID of the new account should be the GID of the new administrative group, which determines the user’s level of access. This is the value that is compared to the Control Station access control level table to determine the defined administrative level. You should create the new administrative group account before creating any new administrative user accounts. For example, if you create a new group with Observer level privileges, this should be the primary group for any new Observer-level user accounts you intend to create. In this situation, the nasadmin group must be a supplementary group for the new user account.

In the following example, adminusr2 has a primary group of admingrp and a supplementary group of nasadmin.

    [adminusr2]$ id
    uid=503(adminusr2) gid=501(admingrp) groups=501(admingrp),201(nasadmin)

Examples

The following sections illustrate the use of the Linux commands to manage administrative user accounts on the Control Station.

Adding a user account with the useradd command

Use this procedure to add a user account to the Control Station with the useradd command.

Step Action

1. Log in to the Control Station and change to the root directory.

2. To add a user account, use this command syntax:

    /usr/sbin/useradd -u <uid> -g <initial_group> -p <passwd> <username>

   Where:
   <uid> = the user ID number of the account
   <initial_group> = the primary group to which you want to assign the new user
   <passwd> = the password. If no password is entered, the account is disabled
   <username> = the name of the user account

   For example, to add user jsmith to the sales user group, type:

    /usr/sbin/useradd -u 1002 -g sales -p abc jsmith

   Note: The group name must already exist. You must create the group account before creating a user account.

3. Repeat steps 1 and 2 to add other user accounts.


Modifying a user account with the usermod command

Use this procedure to modify a user account on the Control Station with the usermod command.

Step Action

1. Log in to the Control Station and change to the root directory.

2. To modify a user account with the usermod command, use this command syntax:

    /usr/sbin/usermod -l <newusername> -c <comment> <username>

   Where:
   <username> = the user account being modified
   <comment> = the option lets you add a "comment" for the user account
   <newusername> = the new username

   For example, to change the username of an existing user account from jsmith to treed, type:

    /usr/sbin/usermod -l treed -c "newuser" jsmith

3. Repeat steps 1 and 2 to modify other user accounts.

Deleting a user account with the userdel command

Use this procedure to delete a user account from the Control Station with the userdel command.

Step Action

1. Log in to the Control Station and change to the root directory.

2. To delete a user account with the userdel command, use this command syntax:

    /usr/sbin/userdel -r <username>

   Where:
   <username> = the user account being deleted

   For example, to delete the jsmith user account, type:

    /usr/sbin/userdel -r jsmith

3. Repeat steps 1 and 2 to delete other user accounts.


Creating an administrative user for Celerra Manager

You can create an administrative user account that has permission to log in to Celerra Manager but not the Celerra command line interface. This allows you to give a user management access to a Celerra Network Server only through Celerra Manager.

Use this procedure to create an administrative user account for use exclusively with Celerra Manager.

Step Action

1. Log in to the Control Station and change to the root directory.

2. Create a new administrative account:

    $ adduser newadmin

3. Set the password for the new administrative account:

    $ passwd newadmin

4. Set the new administrative account so it does not start a shell on the Control Station:

    $ chsh newadmin -s /sbin/nologin

Note: This command effectively prevents the user from logging in to the Control Station using the CLI.
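The account rules stated in this module (no two accounts with the same UID, membership of the nasadmin group with GID 201 as primary or supplementary group, and /sbin/nologin for Celerra Manager-only accounts) can be checked against copies of the passwd and group files. The script below is an added example, not EMC code; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audits passwd(5)/group(5) data against three rules from this
# module. The sample accounts below are constructed; GID 201 (nasadmin) and
# /sbin/nologin come from the text.
NASADMIN_GID=201

# dup_uids PASSWD: print "uid:name,name" for each UID shared by several accounts.
dup_uids() {
    awk -F: 'NF >= 7 {
                 if ($3 in names) names[$3] = names[$3] "," $1
                 else names[$3] = $1
                 count[$3]++
             }
             END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1" |
        sort -n
}

# nasadmin_members PASSWD GROUP: print "name:primary" or "name:supplementary"
# for every account that belongs to the nasadmin group.
nasadmin_members() {
    awk -F: -v gid="$NASADMIN_GID" '
        FNR == NR {                      # first file read is the group file
            if ($3 == gid) {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) supp[m[i]] = 1
            }
            next
        }
        $4 == gid    { print $1 ":primary"; next }
        ($1 in supp) { print $1 ":supplementary" }' "$2" "$1"
}

# missing_nasadmin PASSWD GROUP NAME...: of the named administrators, print
# those that are not in the nasadmin group at all.
missing_nasadmin() {
    passwd_file=$1 group_file=$2
    shift 2
    members=$(nasadmin_members "$passwd_file" "$group_file" | cut -d: -f1)
    for name in "$@"; do
        printf '%s\n' "$members" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# shell_enabled PASSWD NAME...: of the accounts meant for Celerra Manager only,
# print "name:shell" for those whose login shell is not /sbin/nologin.
shell_enabled() {
    passwd_file=$1
    shift
    for name in "$@"; do
        awk -F: -v u="$name" \
            '$1 == u && $7 != "/sbin/nologin" { print $1 ":" $7 }' "$passwd_file"
    done
}

# Constructed sample data standing in for copies of /etc/passwd and /etc/group.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nasadmin:x:201:201::/home/nasadmin:/bin/bash
adminusr2:x:503:501::/home/adminusr2:/bin/bash
newadmin:x:504:201::/home/newadmin:/sbin/nologin
obsusr1:x:503:502::/home/obsusr1:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
nasadmin:x:201:adminusr2
admingrp:x:501:
obsgrp:x:502:
EOF

echo "Duplicate UIDs:"
dup_uids "$SAMPLE_DIR/passwd"
echo "nasadmin group members:"
nasadmin_members "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
echo "Administrators outside the nasadmin group:"
missing_nasadmin "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" adminusr2 obsusr1
echo "Celerra Manager-only accounts that still have a shell:"
shell_enabled "$SAMPLE_DIR/passwd" newadmin
```

Run it against read-only copies of the files; the script never writes to the passwd or group data it inspects.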


Troubleshooting administrative user accounts

You can query the EMC® WebSupport database for problem information, obtain release notes, or report a Celerra technical problem to EMC on Powerlink, the EMC secure extranet site. The Celerra Problem Resolution Roadmap technical module contains additional information about using Powerlink and resolving problems.

If you have trouble accessing an object from a new account with a command from the Celerra Network Server command set, check the access control levels associated with the various system objects, such as the Data Movers, volumes, and file systems. For example, if the command server_mount ALL does not provide any output, but terminates with a success status code, it is likely the user did not have appropriate write access levels. This is the case in the following example:

    [adminusr]$ server_mount ALL
    [adminusr]$ echo $?
    0
    [adminusr]$


Related information

For specific information related to the features and functionality described in this technical module, refer to:

◆ Celerra Network Server Command Reference Manual

◆ Online Celerra man pages

◆ Controlling Access to Celerra System Objects

The Celerra Network Server Documentation CD, supplied with your Celerra Network Server and also available on Powerlink, provides general information on other EMC Celerra publications.

Customer training programs

EMC customer training programs are designed to help you learn how EMC storage products work together and integrate within your environment to maximize your entire infrastructure investment. EMC customer training programs feature online and hands-on training in state-of-the-art labs conveniently located throughout the world. EMC customer training programs are developed and delivered by EMC experts. For program information and registration, refer to Powerlink, our customer and partner website.


About this technical module

As part of its effort to continuously improve and enhance the performance and capabilities of the Celerra Network Server product line, EMC from time to time releases new revisions of Celerra hardware and software. Therefore, some functions described in this document may not be supported by all revisions of Celerra software or hardware presently in use. For the most up-to-date information on product features, see your product release notes. If your Celerra system does not offer a function described in this document, contact your EMC Customer Support Representative for a hardware upgrade or software update.

Comments and suggestions about documentation

Your suggestions will help us improve the accuracy, organization, and overall quality of the user documentation. Send a message to [email protected] with your opinions of this document.

Copyright © 1998-2006 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All other trademarks used herein are the property of their respective owners.
