Using -delete_groups with replicas that preserve identities and permissions

About this task

DevOps Code ClearCase® MultiSite customers who use identity-preserving and permissions-preserving replicas (created with mkreplica -preserve) must take several additional steps when they migrate those replicas’ hosts from Windows NT® domains to Active Directory.

Because the changes in SIDs made by vob_sidwalk are not propagated by replication, you must run vob_sidwalk on each identity-preserving and permissions-preserving replica in a replica family when the server that hosts the replica is migrated to Active Directory. When run on such a replica, vob_sidwalk preserves the original SIDs on the VOB’s group list, so that operations that require container creation continue to succeed whether or not all such replicas in a family have been updated. After all such members of a replica family are updated, the administrator must run vob_sidwalk again, using the -delete_groups option to remove these historical group SIDs. Removing the historical SIDs is necessary because a VOB has a limit of 32 groups on its group list; unused historical SIDs left on the list may cause it to overflow as new groups are added.
Note: This procedure assumes that you have migrated user and group accounts for all users of all replicas to Active Directory and that all users have set their CLEARCASE_PRIMARY_GROUP environment variable to the name of the DevOps Code ClearCase users group in the Active Directory domain.

Procedure

  1. Synchronize all replicas in the family to ensure that each replica includes the same set of user and group SIDs.
  2. Follow the procedure in "Migrating individual hosts" to migrate hosts.
    All identity-preserving and permissions-preserving replicas in a family must be processed using the same vob_sidwalk options. If the -map option is used, you can save time by generating one mapping file and using it on all identity-preserving and permissions-preserving replicas in a family.
  3. After the replica has been synchronized again with other replicas whose SIDs have been updated, as described in Step 2 of this procedure, run this command:

    vob_sidwalk -sid_history vob-tag SIDfile-path

    Examine the resulting SID file to see whether any new SID mappings are needed (because new user or group identities have been added to the replica). If new SID mappings are required, run vob_sidwalk again using the options you used in Step 2.
  4. After all identity-preserving and permissions-preserving replicas have been updated (Step ) and the SID file generated (Step 3) shows that no new SID mappings are needed, run vob_sidwalk -execute -delete_groups on each replica.
    This command deletes historical group SIDs from the VOB’s group list.