vob_sidwalk, vob_siddump

Reads or changes security identifiers in a schema version 54 or schema version 80 VOB database

Applicability

Product: ClearCase®
Command type: administrative command
Platform: UNIX, Linux, Windows

Synopsis

  • Read or change security identifiers in a VOB database:
    vob_sidwalk [ –p/rofile profile-path ] | [ –s/idhistory ]
    [ –u/nknown ] [ –m/ap mapfile-path ] [ –l/og logfile-path ]
    [ –e/xecute ] [ –delete/_groups ]
    [ -raw/_sid ] vob-tag SIDfile-path

  • Recover VOB storage directory protections:
    vob_sidwalk –recover/_filesystem vob-tag SIDfile-path
  • Read security identifiers in a VOB database:
    vob_siddump [ –p/rofile profile-path ] | [ –s/idhistory ]
    [ –u/nknown ] [ -raw/_sid ] [ –m/ap mapfile-path ]
    [ –l/og logfile-path ] vob-tag SIDfile-path

Description

vob_sidwalk and vob_siddump are administrative utilities that can be used to read or change security identifiers (Windows SIDs or UNIX and Linux UIDs and GIDs) stored in VOB databases that are formatted with schema versions 54 or 80, at any supported feature level. vob_sidwalk is installed only on hosts that are configured to support local VOBs and views and to support VOB schema version 54. vob_siddump is installed on all hosts.

The programs are typically needed for these tasks:

  • Moving a VOB from one Windows domain to another Windows domain
  • Migrating a Windows NT domain to an Active Directory domain
  • Moving a VOB from a Windows host to a UNIX or Linux host or vice versa

vob_siddump is a read-only version of vob_sidwalk. It can be executed on the VOB server or any client to list the security principal (user and group) names and SIDs stored in a VOB.

vob_sidwalk has all of the capabilities of vob_siddump and can also change SIDs in the VOB database. In addition, vob_sidwalk can be executed with the -recover_filesystem option to reset the protections on a VOB storage directory so that they are consistent with the SID of the VOB's owner and group.

For a schema 80 VOB at feature level 8, vob_siddump and vob_sidwalk also dump owner SIDs for the new metatypes policy and rolemap. A local privileged user can use vob_sidwalk to change the owner identifiers of policy and rolemap objects in the same way as for other metatypes. In addition, both commands scan for and report SIDs that do not own any object but appear as principals in policy and rolemap objects.

Dump file format

The dump file format of vob_siddump and vob_sidwalk is as follows:

Name,Type,SID-String,New-Name,Type,SID-String,Count
 Name: Domain-Name\Account-Name | Account Unknown
 New-Name: Domain-Name\Account-Name | IGNORE
 Type: USER | GROUP

Restrictions

vob_siddump has no restrictions. vob_sidwalk has the following restrictions:

Identities

You must have one of the following identities:

  • root (UNIX and Linux)
  • Member of the ClearCase administrators group (ClearCase on Windows)

Locks

  • vob_siddump: none
  • vob_sidwalk: an error occurs if the VOB is locked and the -execute option is present.

Other

You must enter this command on the VOB server host.

Options and arguments

Read or map SIDs

Default
None. These options are allowed with both vob_sidwalk and vob_siddump.
–s/idhistory
Generate a SID file of historical SID information stored in the VOB database. Write the current name and SID for each account to the new-name and new-SID fields of SIDfile-path and write the historical name and SID to the old-name and old-SID fields. If either command is invoked without this option, it writes the current name and SID for each account to the old-name and old-SID fields of SIDfile-path, and the new-name field is always IGNORE.
–u/nknown
Map SIDs that cannot be resolved to an account in the domain. Any user SID that cannot be resolved is mapped to the SID of the VOB owner. Any group SID that cannot be resolved is mapped to the SID of the VOB's primary group. The mappings are written to the SID file.
–p/rofile profile-path
Write a list of all SIDs found in the VOB along with the database identifiers that describe objects owned by each SID. The list is written to the file in profile-path. Each line of the file has the format

metatype,dbid,user-name,user-SID,group-name,group-SID,mode,container...

where each field has the form:

metatype

The VOB metatype name, or one of the special names ROOT, TREE, or FILE for file system objects that have no dbid (database identifier)

dbid

Database identifier for this VOB object

user-name

User name of the object's owner

user-SID

String representation of user SID

group-name

Group name of the object's group

group-SID

String representation of group SID

mode

The object's access mode

container...

Pathname of the object's container file, if applicable

This option can generate a large file in profile-path and consume significant resources on the VOB server host. This option cannot be used with any other option.

–m/ap mapfile-path
Force remapping of all SIDs in a VOB database as specified in the mapping file at mapfile-path. Details about the SID remappings for the VOB at vob-tag are written to SIDfile-path.

The mapping file contains one or more lines in the format

old-name,type,old-SID,new-name,type,new-SID

where each field has the form

old-name

domain-name\account-name

new-name

One of domain-name\account-name, IGNORE, DELETE

type

One of USER, GROUP, GLOBALGROUP, LOCALGROUPONDC, LOCALGROUP

old-SID, new-SID

String representation of SID

You can use a SID file from a previous run of vob_sidwalk or vob_siddump as the basis of the mapping file. If you need to change the existing mapping (to reassign ownership of objects), edit the file to make any of the following changes:

Change the new-name field to IGNORE

No changes are made to this SID.

Change the new-name field to DELETE

The SID is changed to the SID of VOB owner or, if it is a group SID, the SID of the VOB's primary group.

Change the new-name field to the name of a user or group and remove the new-SID and second type fields.

Ownership of objects owned by the user or group named in old-name is reassigned to the user or group named in new-name.

Specify a different SID in the new-SID-string field.

Ownership of objects owned by the user or group named in old-SID is reassigned to the user or group named in new-SID (type fields must match).

–raw/_sid
Write SIDs in raw (unformatted) style. Use this option when generating a SID file on Windows in preparation for moving a VOB from Windows to UNIX or Linux.

Update SIDs

Default
Only read or map SIDs. Do not change anything in the VOB database unless the -execute option is present. These options are not allowed with vob_siddump.
–e/xecute
Modify SIDs stored in the VOB database. Unless the -execute option is used, vob_sidwalk logs, in the SID file, the changes that would have been made but does not actually change anything in a VOB database.
–delete/_groups
Remove any historical SIDs found in the group list of an identity-preserving replica. Historical SIDs are always removed from the group list of a non-replicated VOB or a non-identity-preserving replica. The DevOps Code ClearCase Administrator's Guide provides details about how to use this option.

Logging 

Default
No logging.
–l/og logfile-path
Write a log of SID reassignments. Each line of the file at logfile-path has the format

metatype,dbid,container,old-SID,reserved,new-SID

where each field has the form:

metatype

The VOB meta-type name, or one of the special names ROOT, TREE, or FILE for file system objects that have no dbid (database identifier)

dbid

Database identifier for this VOB object

container

Pathname of the object's container file, if applicable

old-SID

String representation of old SID

reserved

Reserved for future use

new-SID

String representation of new SID

Fixing storage directory protections 

Default
Does not change protections.
–recover/_filesystem
Fix protections on VOB storage directory. This option is not supported with vob_siddump. With vob_sidwalk, it cannot be used with any other option.

VOB tag 

Default
None.
vob-tag
The VOB on which to operate.

SID file 

Default
None.
SIDfile-path
A pathname at which the command should write the SID file. An error is returned if SIDfile-path exists or is not specified. Each line of the SID file has the format:

old-name,type,old-SID,new-name,type,new-SID,count

where each field has the form:

old-name

domain-name\account-name

new-name

One of domain-name\account-name, DELETE

type

One of USER, GROUP, GLOBALGROUP, LOCALGROUPONDC, LOCALGROUP

old-SID, new-SID

String representation of SID

count

Number of objects with this owner

You can use the SID file as the mapping file when running either command with the -map option.

Examples

The DevOps Code ClearCase Administrator's Guide includes detailed procedures for using vob_sidwalk and vob_siddump. Read them before using either of these programs.

  • Generate a SID file showing the old and new SIDs of security principals after a domain migration, but do not change any SIDs.

    vob_sidwalk -sidhistory vob-tag SIDfile-path

  • Replace the historical SIDs stored in the VOB database with new ones that resolve to the appropriate security principals in the Active Directory domain.

    vob_sidwalk -sidhistory -execute vob-tag SIDfile-path

  • Reassign ownership of objects in the VOB by mapping all existing SIDs to the new SIDs of the VOB owner and group.

    vob_sidwalk -unknown -execute vob-tag SIDfile-path

    Note: If you are using UCM, you may not want to reassign ownership with -unknown. Reassigning an open activity to the VOB owner will make it unusable by its creator (unless it was created by the VOB owner).
  • Recover the ACLs on the VOB storage directory and container files, and also correct the SIDs for the VOB's supplementary group list.

    vob_sidwalk -recover_filesystem vob-tag SIDfile-path

UNIX or Linux system scenario: transfer ownership of VOB objects from one user to another

Transfer ownership of all the objects (elements, versions, branches, labels and so on) in the VOBs in which user jdoe was working to user bobsmith.
  1. First log in as root and create a dump file (dump_final.out).
    [root@unix1 /]# vob_siddump -v -log /tmp/log.out /vob/sidwalktest /tmp/dump_final.out 
    
    VOB Tag: /vob/sidwalktest (unix1:/ccstg/vobs/sidwalktest.vbs)
    
    Meta-type "directory element" ...   17 object(s)
    Meta-type "directory version" ...   36 object(s)
    Meta-type "tree element" ...   0 object(s)
    Meta-type "element type" ...   13 object(s)
    Meta-type "file element" ...   80 object(s)
    Meta-type "derived object" ...   0 object(s)
    Meta-type "derived object version" ...   0 object(s)
    Meta-type "version" ...   156 object(s)
    Meta-type "symbolic link" ...   0 object(s)
    Meta-type "hyperlink" ...   0 object(s)
    Meta-type "branch" ...   97 object(s)
    Meta-type "pool" ...   3 object(s)
    Meta-type "branch type" ...   1 object(s)
    Meta-type "attribute type" ...   3 object(s)
    Meta-type "hyperlink type" ...   9 object(s)
    Meta-type "trigger type" ...   0 object(s)
    Meta-type "replica type" ...   1 object(s)
    Meta-type "label type" ...   3 object(s)
    Meta-type "replica" ...   1 object(s)
    Meta-type "activity type" ...   0 object(s)
    Meta-type "activity" ...   0 object(s)
    Meta-type "state type" ...   0 object(s)
    Meta-type "state" ...   0 object(s)
    Meta-type "role" ...   0 object(s)
    Meta-type "user" ...   0 object(s)
    Meta-type "baseline" ...   0 object(s)
    Meta-type "domain" ...   0 object(s)
    
    Total number of objects found: 420
    
    Successfully processed VOB "/vob/sidwalktest".
  2. Run cat on the dump file. The output shows that jdoe has a UID of 1000 and owns 136 objects in the VOB, while bobsmith has a UID of 2000 and owns 1 object in the VOB. Four groups are reported as owning objects in this VOB. The group named clearusers has a GID of 20 and owns 136 objects. The other groups (group1, group2 and group3) own objects as well.
    [root@unix1 /]# cat /tmp/dump_final.out
    jdoe,USER,UNIX:UID-1000,IGNORE,,,136
    bobsmith,USER,UNIX:UID-2000,IGNORE,,,1
    
    clearusers,GROUP,UNIX:GID-20,IGNORE,,,136
    group1,GROUP,UNIX:GID-10,IGNORE,,,1
    group2,GROUP,UNIX:GID-100,IGNORE,,,1
    group3,GROUP,UNIX:GID-6000,IGNORE,,,2
  3. Edit the line in which jdoe is reported to own 136 objects to replace IGNORE with bobsmith.
    [root@unix1 /]# cat /tmp/dump_final.out
    jdoe,USER,UNIX:UID-1000,bobsmith,USER,UNIX:UID-2000,136
    bobsmith,USER,UNIX:UID-2000,IGNORE,,,1
    
    clearusers,GROUP,UNIX:GID-20,IGNORE,,,136
    group1,GROUP,UNIX:GID-10,IGNORE,,,1
    group2,GROUP,UNIX:GID-100,IGNORE,,,1
    group3,GROUP,UNIX:GID-6000,IGNORE,,,2
    
    The jdoe line can also be entered in the following shorter format, which omits the fields after the new user name. The proper UID and number of objects are picked up when the line is processed:
    jdoe,USER,UNIX:UID-1000,bobsmith
  4. Test the edited dump file without executing it.
    [root@unix1 /]# vob_sidwalk -v -m /tmp/dump_final.out /vob/sidwalktest /tmp/test_out.log
    
    VOB Tag: /vob/sidwalktest (unix1:/ccstg/vobs/sidwalktest.vbs)
    
    Meta-type "directory element" ...   17 object(s)
    Meta-type "directory version" ...   36 object(s)
    Meta-type "tree element" ...   0 object(s)
    Meta-type "element type" ...   13 object(s)
    Meta-type "file element" ...   80 object(s)
    Meta-type "derived object" ...   0 object(s)
    Meta-type "derived object version" ...   0 object(s)
    Meta-type "version" ...   156 object(s)
    Meta-type "symbolic link" ...   0 object(s)
    Meta-type "hyperlink" ...   0 object(s)
    Meta-type "branch" ...   97 object(s)
    Meta-type "pool" ...   3 object(s)
    Meta-type "branch type" ...   1 object(s)
    Meta-type "attribute type" ...   3 object(s)
    Meta-type "hyperlink type" ...   9 object(s)
    Meta-type "trigger type" ...   0 object(s)
    Meta-type "replica type" ...   1 object(s)
    Meta-type "label type" ...   3 object(s)
    Meta-type "replica" ...   1 object(s)
    Meta-type "activity type" ...   0 object(s)
    Meta-type "activity" ...   0 object(s)
    Meta-type "state type" ...   0 object(s)
    Meta-type "state" ...   0 object(s)
    Meta-type "role" ...   0 object(s)
    Meta-type "user" ...   0 object(s)
    Meta-type "baseline" ...   0 object(s)
    Meta-type "domain" ...   0 object(s)
    
    Total number of objects found: 420
    
    
    Successfully processed VOB "/vob/sidwalktest"
  5. Check the new output file (test_out.log) to determine whether the new UID/GID (bobsmith) is incorporated in the output file. The file shows that the user (bobsmith) was correctly mapped and the appropriate UID was established.
    [root@unix1 /]# cat /tmp/test_out.log
    jdoe,USER,UNIX:UID-1000,bobsmith,USER,UNIX:UID-2000,136    <=== **
    bobsmith,USER,UNIX:UID-2000,IGNORE,,,1   
    
    clearusers,GROUP,UNIX:GID-20,IGNORE,,,136
    group1,GROUP,UNIX:GID-10,IGNORE,,,1
    group2,GROUP,UNIX:GID-100,IGNORE,,,1
    group3,GROUP,UNIX:GID-6000,IGNORE,,,2
  6. Apply the changes in the VOB by running vob_sidwalk again, this time specifying -execute:
    VOB Tag: /vob/sidwalktest (unix1:/ccstg/vobs/sidwalktest.vbs)
    
    Meta-type "directory element" ...   17 object(s)
    Meta-type "directory version" ...   36 object(s)
    Meta-type "tree element" ...   0 object(s)
    Meta-type "element type" ...   13 object(s)
    Meta-type "file element" ...   80 object(s)
    Meta-type "derived object" ...   0 object(s)
    Meta-type "derived object version" ...   0 object(s)
    Meta-type "version" ...   156 object(s)
    Meta-type "symbolic link" ...   0 object(s)
    Meta-type "hyperlink" ...   0 object(s)
    Meta-type "branch" ...   97 object(s)
    Meta-type "pool" ...   3 object(s)
    Meta-type "branch type" ...   1 object(s)
    Meta-type "attribute type" ...   3 object(s)
    Meta-type "hyperlink type" ...   9 object(s)
    Meta-type "trigger type" ...   0 object(s)
    Meta-type "replica type" ...   1 object(s)
    Meta-type "label type" ...   3 object(s)
    Meta-type "replica" ...   1 object(s)
    Meta-type "activity type" ...   0 object(s)
    Meta-type "activity" ...   0 object(s)
    Meta-type "state type" ...   0 object(s)
    Meta-type "state" ...   0 object(s)
    Meta-type "role" ...   0 object(s)
    Meta-type "user" ...   0 object(s)
    Meta-type "baseline" ...   0 object(s)
    Meta-type "domain" ...   0 object(s)
    
    Total number of objects found: 420
    
    
    Successfully processed VOB "/vob/sidwalktest".
  7. Verify the success of the reprotection by running vob_siddump and checking the output file. Notice that bobsmith now owns 137 objects.
    [root@unix1 /]# vob_siddump -v -log /tmp/log.out /vob/sidwalktest /tmp/dump_final_check.out
    
    VOB Tag: /vob/sidwalktest (unix1:/ccstg/vobs/sidwalktest.vbs)
    
    Meta-type "directory element" ...   17 object(s)
    Meta-type "directory version" ...   36 object(s)
    Meta-type "tree element" ...   0 object(s)
    Meta-type "element type" ...   13 object(s)
    Meta-type "file element" ...   80 object(s)
    Meta-type "derived object" ...   0 object(s)
    Meta-type "derived object version" ...   0 object(s)
    Meta-type "version" ...   156 object(s)
    Meta-type "symbolic link" ...   0 object(s)
    Meta-type "hyperlink" ...   0 object(s)
    Meta-type "branch" ...   97 object(s)
    Meta-type "pool" ...   3 object(s)
    Meta-type "branch type" ...   1 object(s)
    Meta-type "attribute type" ...   3 object(s)
    Meta-type "hyperlink type" ...   9 object(s)
    Meta-type "trigger type" ...   0 object(s)
    Meta-type "replica type" ...   1 object(s)
    Meta-type "label type" ...   3 object(s)
    Meta-type "replica" ...   1 object(s)
    Meta-type "activity type" ...   0 object(s)
    Meta-type "activity" ...   0 object(s)
    Meta-type "state type" ...   0 object(s)
    Meta-type "state" ...   0 object(s)
    Meta-type "role" ...   0 object(s)
    Meta-type "user" ...   0 object(s)
    Meta-type "baseline" ...   0 object(s)
    Meta-type "domain" ...   0 object(s)
    
    Total number of objects found: 420
    
    
    Successfully processed VOB "/vob/sidwalktest".
    
    
    [root@unix1 /]# cat /tmp/dump_final_check.out
    bobsmith,USER,UNIX:UID-2000,IGNORE,,,137
    
    clearusers,GROUP,UNIX:GID-20,IGNORE,,,136
    group1,GROUP,UNIX:GID-10,IGNORE,,,1
    group2,GROUP,UNIX:GID-100,IGNORE,,,1
    group3,GROUP,UNIX:GID-6000,IGNORE,,,2

Windows system scenario: transfer ownership of VOB objects from one user to another

This scenario is similar to the scenario for UNIX or Linux systems: transfer object ownership from user jdoe to user bobsmith. Further, the Windows group Domain Users owns all the objects in the VOB, which is replicated and identity-preserving. Another objective is to use a different Windows group (users) to tighten VOB security. These same steps would be applicable if a group change were to be made.

  1. Run creds to obtain the Security ID (SID) of the users and groups. Note that C:\Program Files\DevOps\Code\ClearCase\etc\utils is specified in the system path on the host to allow Windows commands that reside in that directory to be run from the C: drive.
    C:>creds bobsmith
    Login name:       DOMAIN\bobsmith
    USID:             NT:S-1-5-21-141845252-1443263951-584457872-1644
    Primary group: DOMAIN\clearuser (NT:S-1-5-21-141845252-1443263951-584457872-1023)
    Groups: (11)
    Everyone (NT:S-1-1-0)
    BUILTIN\Administrators (NT:S-1-5-32-544)
    BUILTIN\Users (NT:S-1-5-32-545)
    DOMAIN\Domain Users (NT:S-1-5-21-141845252-1443263951-584457872-513)
    DOMAIN\Domain Admins (NT:S-1-5-21-141845252-1443263951-584457872-512)
    DOMAIN\clearcase (NT:S-1-5-21-141845252-1443263951-584457872-1022)
    DOMAIN\users (NT:S-1-5-21-141845252-1443263951-584457872-1199)
    LOCAL (NT:S-1-2-0)
    NT AUTHORITY\INTERACTIVE (NT:S-1-5-4)
    NT AUTHORITY\Authenticated Users (NT:S-1-5-11)
    
    You have ClearCase administrative privileges.
    
    C:>creds jdoe
    Login name:       DOMAIN\jdoe
    USID:             NT:S-1-5-21-141845252-1443263951-584457872-2038
    Primary group: DOMAIN\Domain Users (NT:S-1-5-21-141845252-1443263951-584457872-513)
    Groups: (10)
    Everyone (NT:S-1-1-0)
    BUILTIN\Administrators (NT:S-1-5-32-544)
    BUILTIN\Users (NT:S-1-5-32-545)
    DOMAIN\Domain Admins (NT:S-1-5-21-141845252-1443263951-584457872-512)
    DOMAIN\users (NT:S-1-5-21-141845252-1443263951-584457872-1199)
    LOCAL (NT:S-1-2-0)
    NT AUTHORITY\INTERACTIVE (NT:S-1-5-4)
    NT AUTHORITY\Authenticated Users (NT:S-1-5-11)
    
    You do not have ClearCase administrative privileges.
  2. Log in as VOB owner or Administrator and create a dump file (sid1) using the vob_sidwalk command, which lists all the objects in the VOB and reports the SIDs (user and group) that own those objects.
    C:\>vob_sidwalk \sidwalktest c:\sid1
    VOB Tag: \sidwalktest (VOB_SERVER:D:\cc_storage\vobs\sidwalktest.vbs)
    
    Meta-type "directory element" ...     6 object(s)
    Meta-type "directory version" ...     15 object(s)
    Meta-type "tree element" ...     0 object(s)
    Meta-type "element type" ...     11 object(s)
    Meta-type "file element" ...     27 object(s)
    Meta-type "derived object" ...     0 object(s)
    Meta-type "derived object version" ...     0 object(s)
    Meta-type "version" ...     54 object(s)
    Meta-type "symbolic link" ...     0 object(s)
    Meta-type "hyperlink" ...     0 object(s)
    Meta-type "branch" ...     33 object(s)
    Meta-type "pool" ...     3 object(s)
    Meta-type "branch type" ...     1 object(s)
    Meta-type "attribute type" ...     3 object(s)
    Meta-type "hyperlink type" ...     9 object(s)
    Meta-type "trigger type" ...     0 object(s)
    Meta-type "replica type" ...     1 object(s)
    Meta-type "label type" ...     3 object(s)
    Meta-type "replica" ...     1 object(s)
    Meta-type "activity type" ...     0 object(s)
    Meta-type "activity" ...     0 object(s)
    Meta-type "state type" ...     0 object(s)
    Meta-type "state" ...     0 object(s)
    Meta-type "role" ...     0 object(s)
    Meta-type "user" ...     0 object(s)
    Meta-type "checkpoint" ...     0 object(s)
    Meta-type "domain" ...     0 object(s)
    
    Total number of objects found: 167
    
    
    Successfully processed VOB "\sidwalktest".
  3. Run type on sid1. The output shows one user owning 65 objects in this VOB. That user is jdoe and has a SID of NT:S-1-5-21-141845252-1443263951-584457872-2038. There is one group reported as owning 65 objects in this VOB. The group is named Domain Users and has a SID of NT:S-1-5-21-141845252-1443263951-584457872-513.
    C:\>type sid1
    DOMAIN\jdoe,USER,NT:S-1-5-21-141845252-1443263951-584457872-2038,IGNORE,,,65
    
    DOMAIN\Domain Users,GROUP,NT:S-1-5-21-141845252-1443263951-584457872-513,IGNORE,,,65
  4. Edit the dump file (sid1) with a text editor to map the names of the objects owned by the old SID (jdoe) to the new SID (bobsmith), as follows.
    DOMAIN\jdoe,USER,NT:S-1-5-21-141845252-1443263951-584457872-2038,DOMAIN\bobsmith,USER,S-1-5-21-141845252-1443263951-584457872-1644,65
    
    DOMAIN\Domain Users,GROUP,NT:S-1-5-21-141845252-1443263951-584457872-513,DOMAIN\clearuser,GLOBALGROUP,S-1-5-21-141845252-1443263951-584457872-1023,65
    

    The line in which jdoe is reported as owning 65 objects was modified: the word IGNORE was replaced with DOMAIN\bobsmith,USER,S-1-5-21-141845252-1443263951-584457872-1644. The line in which DOMAIN\Domain Users is reported as owning 65 objects was modified: the word IGNORE was replaced with DOMAIN\clearuser,GLOBALGROUP,S-1-5-21-141845252-1443263951-584457872-1023.

  5. Apply the mapping in the VOB by running vob_sidwalk, this time with the -execute option:
    C:\>vob_sidwalk -map c:\sid1 -execute \sidwalktest c:\sid2
    
    VOB Tag: \sidwalktest (VOB_SERVER:D:\cc_storage\vobs\sidwalktest.vbs)
    
    Meta-type "directory element" ...     6 object(s)
    Meta-type "directory version" ...     15 object(s)
    Meta-type "tree element" ...     0 object(s)
    Meta-type "element type" ...     11 object(s)
    Meta-type "file element" ...     27 object(s)
    Meta-type "derived object" ...     0 object(s)
    Meta-type "derived object version" ...     0 object(s)
    Meta-type "version" ...     54 object(s)
    Meta-type "symbolic link" ...     0 object(s)
    Meta-type "hyperlink" ...     0 object(s)
    Meta-type "branch" ...     33 object(s)
    Meta-type "pool" ...     3 object(s)
    Meta-type "branch type" ...     1 object(s)
    Meta-type "attribute type" ...     3 object(s)
    Meta-type "hyperlink type" ...     9 object(s)
    Meta-type "trigger type" ...     0 object(s)
    Meta-type "replica type" ...     1 object(s)
    Meta-type "label type" ...     3 object(s)
    Meta-type "replica" ...     1 object(s)
    Meta-type "activity type" ...     0 object(s)
    Meta-type "activity" ...     0 object(s)
    Meta-type "state type" ...     0 object(s)
    Meta-type "state" ...     0 object(s)
    Meta-type "role" ...     0 object(s)
    Meta-type "user" ...     0 object(s)
    Meta-type "checkpoint" ...     0 object(s)
    Meta-type "domain" ...     0 object(s)
    
    Total number of objects found: 167
    
    
    Successfully processed VOB "\sidwalktest".
  6. Check the new output file (sid2) to ensure that the new SID (user bobsmith and group clearuser) is incorporated into the output file.
    C:\>type sid2
    
    DOMAIN\jdoe,USER,NT:S-1-5-21-141845252-1443263951-584457872-2038,DOMAIN\bobsmith,USER,NT:S-1-5-21-141845252-1443263951-584457872-1644,65
    
    DOMAIN\Domain Users,GROUP,NT:S-1-5-21-141845252-1443263951-584457872-513,DOMAIN\clearuser,GLOBALGROUP,NT:S-1-5-21-141845252-1443263951-584457872-1023,65

    The output shows that the user (bobsmith) and the group (clearuser) were correctly mapped: the line in which jdoe is reported as owning 65 objects now includes DOMAIN\bobsmith,USER,NT:S-1-5-21-141845252-1443263951-584457872-1644. The line in which DOMAIN\Domain Users is reported as owning 65 objects now includes DOMAIN\clearuser,GLOBALGROUP,NT:S-1-5-21-141845252-1443263951-584457872-1023.

  7. Because the VOB in this example is an identity-preserving replica, the vob_sidwalk command needs to be run a second time to remove any historical SIDs found in the group list.
    C:\>vob_sidwalk -delete_groups \sidwalktest c:\sid3
    
    VOB Tag: \sidwalktest (VOB_SERVER:D:\cc_storage\vobs\sidwalktest.vbs)
    
    Meta-type "directory element" ...     6 object(s)
    Meta-type "directory version" ...     15 object(s)
    Meta-type "tree element" ...     0 object(s)
    Meta-type "element type" ...     11 object(s)
    Meta-type "file element" ...     27 object(s)
    Meta-type "derived object" ...     0 object(s)
    Meta-type "derived object version" ...     0 object(s)
    Meta-type "version" ...     54 object(s)
    Meta-type "symbolic link" ...     0 object(s)
    Meta-type "hyperlink" ...     0 object(s)
    Meta-type "branch" ...     33 object(s)
    Meta-type "pool" ...     3 object(s)
    Meta-type "branch type" ...     1 object(s)
    Meta-type "attribute type" ...     3 object(s)
    Meta-type "hyperlink type" ...     9 object(s)
    Meta-type "trigger type" ...     0 object(s)
    Meta-type "replica type" ...     1 object(s)
    Meta-type "label type" ...     3 object(s)
    Meta-type "replica" ...     1 object(s)
    
    Meta-type "activity type" ...     0 object(s)
    Meta-type "activity" ...     0 object(s)
    Meta-type "state type" ...     0 object(s)
    Meta-type "state" ...     0 object(s)
    Meta-type "role" ...     0 object(s)
    Meta-type "user" ...     0 object(s)
    Meta-type "checkpoint" ...     0 object(s)
    Meta-type "domain" ...     0 object(s)
    
    Total number of objects found: 167
    
    Successfully processed VOB "\sidwalktest".
  8. Check the new output file (sid3) to see if the old SIDs (user jdoe and group Domain Users) have been removed from the VOB database.
    C:\>type sid3
    
    DOMAIN\bobsmith,USER,NT:S-1-5-21-141845252-1443263951-584457872-1644,IGNORE,,,65
    
    DOMAIN\clearuser,GLOBALGROUP,NT:S-1-5-21-141845252-1443263951-584457872-1023,IGNORE,,,65
  9. Fix protections on the VOB storage directory after removing the old user and group. This step would not be required if the old user and group had not been removed.
    C:\>vob_sidwalk -recover_filesystem \sidwalktest c:\sid4
    
    VOB Tag: \sidwalktest (VOB_SERVER:D:\cc_storage\vobs\sidwalktest.vbs)
    
    Meta-type "element type" ...     11 object(s)
    Meta-type "file element" ...     27 object(s)
    Meta-type "derived object" ...     0 object(s)
    Meta-type "derived object version" ...     0 object(s)
    Meta-type "version" ...     54 object(s)
    
    Total number of objects found: 92
    
    Successfully processed VOB "\sidwalktest".

UNIX or Linux system scenario: using vob_siddump and vob_sidwalk on a schema version 80 VOB at feature level 8

  1. Below is an example of what vob_siddump outputs against a newly created schema 80 feature level 8 VOB:
    -bash-3.2$ vob_siddump /var/tmp/vob00 dump.txt
    VOB Tag: /var/tmp/vob00 (xsles11:/var/tmp/vob00.vbs)
    
    Meta-type "directory element" ...   2 object(s)
    Meta-type "directory version" ...   2 object(s)
    Meta-type "tree element" ...   0 object(s)
    Meta-type "element type" ...   18 object(s)
    Meta-type "file element" ...   0 object(s)
    Meta-type "derived object" ...   0 object(s)
    Meta-type "derived object version" ...   0 object(s)
    Meta-type "version" ...   0 object(s)
    Meta-type "pool" ...   3 object(s)
    Meta-type "symbolic link" ...   0 object(s)
    Meta-type "hyperlink" ...   0 object(s)
    Meta-type "branch" ...   2 object(s)
    Meta-type "branch type" ...   1 object(s)
    Meta-type "attribute type" ...   3 object(s)
    Meta-type "hyperlink type" ...   9 object(s)
    Meta-type "trigger type" ...   0 object(s)
    Meta-type "replica type" ...   1 object(s)
    Meta-type "label type" ...   3 object(s)
    Meta-type "replica" ...   1 object(s)
    Meta-type "activity type" ...   0 object(s)
    Meta-type "state type" ...   0 object(s)
    Meta-type "state" ...   0 object(s)
    Meta-type "role" ...   0 object(s)
    Meta-type "user" ...   0 object(s)
    Meta-type "domain" ...   0 object(s)
    Meta-type "folder" ...   0 object(s)
    Meta-type "project" ...   0 object(s)
    Meta-type "stream" ...   0 object(s)
    Meta-type "component" ...   0 object(s)
    Meta-type "timeline" ...   0 object(s)
    Meta-type "baseline" ...   0 object(s)
    Meta-type "activity" ...   0 object(s)
    Meta-type "ucm legacy" ...   0 object(s)
    Meta-type "policy" ...   1 object(s)
    Meta-type "rolemap" ...   1 object(s)
    
    Total number of objects found: 47
    
    Successfully processed VOB "/var/tmp/vob00".
  2. The output indicates that the metatypes policy and rolemap (in a newly created VOB, they are DefaultPolicy and DefaultRolemap) were also dumped. Next, we check the output dump file dump.txt to get the SIDs in this VOB.
    -bash-3.2$ cat dump.txt
    CMBUQE/tester0,USER,UNIX:UID-2003,IGNORE,,,47
    
    CMBUQE/user,GROUP,UNIX:GID-20,IGNORE,,,43
  3. If the VOB owner changes DefaultPolicy to grant a new principal permission to access the VOB, vob_siddump (or vob_sidwalk) reports that principal's SID even though it does not own any object. In the following session, the chpolicy command adds the principal CMBUQE/testernt to DefaultPolicy. The next dump lists the new principal, although its SID does not own any VOB object.
    -bash-3.2$ cleartool chpolicy -vob -add Read -principal user:CMBUQE/testernt -c "add new user to VOB access list" DefaultPolicy@/var/tmp/vob00
    This command may take a long time to execute as it reprotects containers
    associated with the policies and/or rolemaps which are being modified.
    If this command is interrupted it may be necessary to run cleartool
    subcommand(s) as described below to fix container protections.
    Potential fix command: chpolicy -validate_pools DefaultPolicy
    Modified definition of policy "DefaultPolicy".
    Completed modification of ACLs on containers protected by policy "DefaultPolicy".
    
    -bash-3.2$ vob_siddump /var/tmp/vob00 dump.txt
    VOB Tag: /var/tmp/vob00 (xsles11:/var/tmp/vob00.vbs)
    
    Meta-type "directory element" ...   2 object(s)
    Meta-type "directory version" ...   2 object(s)
    Meta-type "tree element" ...   0 object(s)
    Meta-type "element type" ...   18 object(s)
    Meta-type "file element" ...   0 object(s)
    Meta-type "derived object" ...   0 object(s)
    Meta-type "derived object version" ...   0 object(s)
    Meta-type "version" ...   0 object(s)
    Meta-type "pool" ...   3 object(s)
    Meta-type "symbolic link" ...   0 object(s)
    Meta-type "hyperlink" ...   0 object(s)
    Meta-type "branch" ...   2 object(s)
    Meta-type "branch type" ...   1 object(s)
    Meta-type "attribute type" ...   3 object(s)
    Meta-type "hyperlink type" ...   9 object(s)
    Meta-type "trigger type" ...   0 object(s)
    Meta-type "replica type" ...   1 object(s)
    Meta-type "label type" ...   3 object(s)
    Meta-type "replica" ...   1 object(s)
    Meta-type "activity type" ...   0 object(s)
    Meta-type "state type" ...   0 object(s)
    Meta-type "state" ...   0 object(s)
    Meta-type "role" ...   0 object(s)
    Meta-type "user" ...   0 object(s)
    Meta-type "domain" ...   0 object(s)
    Meta-type "folder" ...   0 object(s)
    Meta-type "project" ...   0 object(s)
    Meta-type "stream" ...   0 object(s)
    Meta-type "component" ...   0 object(s)
    Meta-type "timeline" ...   0 object(s)
    Meta-type "baseline" ...   0 object(s)
    Meta-type "activity" ...   0 object(s)
    Meta-type "ucm legacy" ...   0 object(s)
    Meta-type "policy" ...   1 object(s)
    Meta-type "rolemap" ...   1 object(s)
    
    Total number of objects found: 47
    
    
    Successfully processed VOB "/var/tmp/vob00".
    
    -bash-3.2$ cat dump.txt
    CMBUQE/tester0,USER,UNIX:UID-2003,IGNORE,,,47
    CMBUQE/testernt,USER,UNIX:UID-2009,IGNORE,,,1
    
    CMBUQE/user,GROUP,UNIX:GID-20,IGNORE,,,43
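
A pre-flight check for the mapping-file procedure used in the scenarios above, as an added example (not part of the ClearCase documentation or tooling): it validates an edited mapping file before a run with -execute, predicts the per-owner object counts, and compares them with a later vob_siddump, which also surfaces principals that appear only through a policy or rolemap. The function names are hypothetical, the file contents are copied from the UNIX scenario except the line marked constructed, and it assumes that group subtypes may map to one another and that counts add up as in step 7.

```python
import csv
from collections import Counter

FIELDS = ("old_name", "old_type", "old_sid", "new_name", "new_type", "new_sid", "count")
GROUP_TYPES = {"GROUP", "GLOBALGROUP", "LOCALGROUPONDC", "LOCALGROUP"}

# Edited mapping file from step 3 of the UNIX scenario.
MAPPING = """\
jdoe,USER,UNIX:UID-1000,bobsmith,USER,UNIX:UID-2000,136
bobsmith,USER,UNIX:UID-2000,IGNORE,,,1

clearusers,GROUP,UNIX:GID-20,IGNORE,,,136
group1,GROUP,UNIX:GID-10,IGNORE,,,1
group2,GROUP,UNIX:GID-100,IGNORE,,,1
group3,GROUP,UNIX:GID-6000,IGNORE,,,2
"""
# vob_siddump output from step 7 of the UNIX scenario.
AFTER = """\
bobsmith,USER,UNIX:UID-2000,IGNORE,,,137

clearusers,GROUP,UNIX:GID-20,IGNORE,,,136
group1,GROUP,UNIX:GID-10,IGNORE,,,1
group2,GROUP,UNIX:GID-100,IGNORE,,,1
group3,GROUP,UNIX:GID-6000,IGNORE,,,2
"""
# Constructed bad edit: a user's objects pointed at a group.
BAD = "jdoe,USER,UNIX:UID-1000,clearusers,GROUP,UNIX:GID-20,136"


def kind(type_field):
    """Collapse a type field to USER or GROUP (assumption: group subtypes are one class)."""
    t = type_field.upper()
    if t == "USER":
        return "USER"
    return "GROUP" if t in GROUP_TYPES else None


def parse_sid_file(text):
    """Return one dict per non-blank line; short lines are padded with empty fields."""
    rows = []
    for lineno, raw in enumerate(csv.reader(text.splitlines()), 1):
        cells = [c.strip() for c in raw]
        if not any(cells):
            continue
        row = dict(zip(FIELDS, cells + [""] * (len(FIELDS) - len(cells))))
        row["line"] = lineno
        rows.append(row)
    return rows


def validate(rows):
    """Return the problems that should block a run with -execute."""
    problems, seen = [], set()
    for r in rows:
        where = f"line {r['line']}"
        if not (r["old_name"] and r["old_sid"] and r["new_name"]):
            problems.append(f"{where}: old-name, old-SID and new-name are required")
            continue
        old_kind = kind(r["old_type"])
        if old_kind is None:
            problems.append(f"{where}: unknown type {r['old_type']!r}")
        if r["old_sid"] in seen:
            problems.append(f"{where}: {r['old_sid']} is mapped more than once")
        seen.add(r["old_sid"])
        if r["new_name"] in ("IGNORE", "DELETE"):
            continue
        if r["new_sid"] and not r["new_type"]:
            problems.append(f"{where}: new-SID given without its type field")
        if r["new_type"] and kind(r["new_type"]) != old_kind:
            problems.append(f"{where}: {r['old_type']} cannot be remapped to {r['new_type']}")
    return problems


def predict_counts(rows, vob_owner="<VOB owner>", vob_group="<VOB primary group>"):
    """Expected object count per (kind, name) once the mapping is applied.

    Lines in the short form carry no count; use the SID file written by the
    dry run (test_out.log in step 5), where the counts are filled in.
    """
    totals = Counter()
    for r in rows:
        k = kind(r["old_type"])
        if r["new_name"] == "IGNORE":
            target = r["old_name"]
        elif r["new_name"] == "DELETE":
            target = vob_owner if k == "USER" else vob_group
        else:
            target = r["new_name"]
        totals[(k, target)] += int(r["count"] or 0)
    return dict(totals)


def unexpected_owners(predicted, after_rows):
    """Return {(kind, name): (expected, actual)} wherever a fresh dump disagrees."""
    actual = {(kind(r["old_type"]), r["old_name"]): int(r["count"] or 0) for r in after_rows}
    keys = {k for k, v in predicted.items() if v} | set(actual)
    return {k: (predicted.get(k, 0), actual.get(k, 0))
            for k in keys if predicted.get(k, 0) != actual.get(k, 0)}


if __name__ == "__main__":
    print("problems in edited file:", validate(parse_sid_file(MAPPING)))
    print("problems in bad edit:   ", validate(parse_sid_file(BAD)))
    expected = predict_counts(parse_sid_file(MAPPING))
    print("differences after run:  ", unexpected_owners(expected, parse_sid_file(AFTER)))
```
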

See also

DevOps Code ClearCase Administrator's Guide