vob_sidwalk, vob_siddump
Reads or changes security identifiers in a schema version 54 or schema version 80 VOB database
Applicability

Product | Command type
---|---
VersionVault | administrative command

Platform |
---|
UNIX® |
Linux® |
Windows® |
Synopsis
- Read or change security identifiers in a VOB database:
    vob_sidwalk [ –p/rofile profile-path ] | [ –s/idhistory ] [ –u/nknown ] [ –m/ap mapfile-path ] [ –l/og logfile-path ] [ –e/xecute ] [ –delete/_groups ] [ -raw/_sid ] vob-tag SIDfile-path
- Recover VOB storage directory protections:
    vob_sidwalk –recover/_filesystem vob-tag SIDfile-path
- Read security identifiers in a VOB database:
    vob_siddump [ –p/rofile profile-path ] | [ –s/idhistory ] [ –u/nknown ] [ -raw/_sid ] [ –m/ap mapfile-path ] [ –l/og logfile-path ] vob-tag SIDfile-path
Description
vob_sidwalk and vob_siddump are administrative utilities that can be used to read or change security identifiers (Windows® SIDs or UNIX® and Linux® UIDs and GIDs) stored in VOB databases that are formatted with schema versions 54, 55, 80, or 81, at any supported feature level. vob_sidwalk is installed only on hosts that are configured to support local VOBs and views and to support VOB schema version 54. vob_siddump is installed on all hosts.
The programs are typically needed for these tasks:
- Moving a VOB from one Windows® domain to another Windows® domain
- Migrating a Windows NT domain to an Active Directory domain
- Moving a VOB from a Windows® host to a UNIX® or Linux® host or vice versa
vob_siddump is a read-only version of vob_sidwalk. It can be executed on the VOB server or any client to list the security principal (user and group) names and SIDs stored in a VOB.
vob_sidwalk has all of the capabilities of vob_siddump and can also change SIDs in the VOB database. In addition, vob_sidwalk can be executed with the -recover_filesystem option to reset the protections on a VOB storage directory so that they are consistent with the SID of the VOB's owner and group.
For a schema 80 or higher VOB at feature level 8, vob_siddump and vob_sidwalk also dump the owner SIDs of the policy and rolemap metatypes. A local privileged user can use vob_sidwalk to change the owner identifiers of policy and rolemap objects in the same way as the owner identifiers of other metatypes. In addition, both commands scan for and report SIDs that own no metatype object but appear as principals in policy and rolemap objects.
Dump file format
The dump file format of vob_siddump and vob_sidwalk is as follows:
Name,Type,SID-String,New-Name,Type,SID-String,Count
Name: Domain-Name\Account-Name | Account Unknown
New-Name: Domain-Name\Account-Name | IGNORE
Type: USER | GROUP
Restrictions
vob_siddump has no restrictions. vob_sidwalk has the following restrictions:
Identities
You must have one of the following identities:
- root (UNIX® and Linux®)
- Member of the VersionVault administrators group (VersionVault on Windows®)
Locks
- vob_siddump: none
- vob_sidwalk: an error occurs if the VOB is locked and the -execute option is present.
Other
You must enter this command on the VOB server host.
Options and arguments
Read or map SIDs
- Default
- None. These options are allowed with both vob_sidwalk and vob_siddump.
- –s/idhistory
- Generate a SID file of historical SID information stored in the VOB database. Write the current name and SID for each account to the new-name and new-SID fields of SIDfile-path and write the historical name and SID to the old-name and old-SID fields. If either command is invoked without this option, it writes the current name and SID for each account to the old-name and old-SID fields of SIDfile-path, and the new-name field is always IGNORE.
- –u/nknown
- Map SIDs that cannot be resolved to an account in the domain. Any user SID that cannot be resolved is mapped to the SID of the VOB owner. Any group SID that cannot be resolved is mapped to the SID of the VOB's primary group. The mappings are written to the SID file.
- –p/rofile profile-path
- Write a list of all SIDs found in the VOB along with the database identifiers that describe objects owned by each SID. The list is written to the file in profile-path. Each line of the file has the format
    metatype,dbid,user-name,user-SID,group-name,group-SID,mode,container...
  where each field has the form:
  - metatype: The VOB metatype name, or one of the special names ROOT, TREE, or FILE for file system objects that have no dbid (database identifier)
  - dbid: Database identifier for this VOB object
  - user-name: User name of the object's owner
  - user-SID: String representation of user SID
  - group-name: Group name of the object's group
  - group-SID: String representation of group SID
  - mode: The object's access mode
  - container...: Pathname of the object's container file, if applicable
  This option can generate a large file in profile-path and consume significant resources on the VOB server host. This option cannot be used with any other option.
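The profile file is the only per-object view of ownership the two commands produce, and the counts in a SID file are its per-SID aggregate. The following Python script is an added example, not code from VersionVault or from this page: it parses profile records in the layout described above, aggregates them per owning user and group SID, renders the result in the SID-file layout for comparison with a vob_siddump run, and lists the SIDs that resolve to "Account Unknown". The sample records, including the dbids, modes and container paths, are constructed for the example.

```python
"""Aggregate a vob_sidwalk / vob_siddump -profile file per owning SID.
Added example, not part of VersionVault: the record layout follows the
-profile option on this page; the sample records below are constructed
(fake dbids, modes and container paths), not taken from a real VOB."""
from collections import defaultdict

PROFILE_FIELDS = ("metatype", "dbid", "user_name", "user_sid",
                  "group_name", "group_sid", "mode", "container")


def parse_profile_line(line):
    """Split one profile record.  The container pathname is the last field, so
    the line is split at most 7 times in case the path itself contains commas."""
    parts = line.strip().split(",", 7)
    if len(parts) != 8:
        raise ValueError(f"expected 8 fields: {line!r}")
    return dict(zip(PROFILE_FIELDS, parts))


def summarize(lines):
    """Return {(name, 'USER'|'GROUP', sid): {'count': n, 'metatypes': set}}:
    how many objects each SID owns (as owner or as group) and of which metatypes."""
    summary = defaultdict(lambda: {"count": 0, "metatypes": set()})
    for rec in map(parse_profile_line, filter(str.strip, lines)):
        for kind, name, sid in (("USER", rec["user_name"], rec["user_sid"]),
                                ("GROUP", rec["group_name"], rec["group_sid"])):
            entry = summary[(name, kind, sid)]
            entry["count"] += 1
            entry["metatypes"].add(rec["metatype"])
    return dict(summary)


def as_sid_file(summary):
    """Render the summary in the SID-file layout (new-name IGNORE), the same
    layout a plain vob_siddump run writes; groups are listed first, then users."""
    rows = sorted(summary.items(), key=lambda kv: (kv[0][1], kv[0][0]))
    return [f"{name},{kind},{sid},IGNORE,,,{e['count']}" for (name, kind, sid), e in rows]


def unresolved(summary):
    """SIDs reported as 'Account Unknown' (see the dump file format): the
    entries that -unknown would fold into the VOB owner / primary group."""
    return sorted(sid for (name, _kind, sid) in summary if name == "Account Unknown")


# Constructed sample profile: ROOT has no dbid; two objects share a container.
SAMPLE_PROFILE = """\
ROOT,,jdoe,UNIX:UID-1000,clearusers,UNIX:GID-20,0775,
file element,42,jdoe,UNIX:UID-1000,clearusers,UNIX:GID-20,0664,/ccstg/vobs/sidwalktest.vbs/s/sdft/1a/2b/0-deadbeef-aa
version,43,jdoe,UNIX:UID-1000,clearusers,UNIX:GID-20,0444,/ccstg/vobs/sidwalktest.vbs/s/sdft/1a/2b/0-deadbeef-aa
branch,44,bobsmith,UNIX:UID-2000,group1,UNIX:GID-10,0775,
label type,45,Account Unknown,UNIX:UID-4242,clearusers,UNIX:GID-20,0775,
""".splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE_PROFILE)
    print("\n".join(as_sid_file(s)))
    print("unresolved:", unresolved(s))
```

Run against a real profile file, `summarize` tells you which metatypes an unresolved or soon-to-be-remapped SID actually owns, which a SID file alone does not show.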
- –m/ap mapfile-path
- Force remapping of all SIDs in a VOB database as specified in the mapping file at mapfile-path. Details about the SID remappings for the VOB at vob-tag are written to SIDfile-path.
  The mapping file contains one or more lines in the format
    old-name,type,old-SID,new-name,type,new-SID
  where each field has the form
  - old-name: domain-name\account-name
  - new-name: One of domain-name\account-name, IGNORE, DELETE
  - type: One of USER, GROUP, GLOBALGROUP, LOCALGROUPONDC, LOCALGROUP
  - old-SID, new-SID: String representation of SID
  You can use a SID file from a previous run of vob_sidwalk or vob_siddump as the basis of the mapping file. If you need to change the existing mapping (to reassign ownership of objects), edit the file to make any of the following changes:
  - Change the new-name field to IGNORE: No changes are made to this SID.
  - Change the new-name field to DELETE: The SID is changed to the SID of the VOB owner or, if it is a group SID, the SID of the VOB's primary group.
  - Change the new-name field to the name of a user or group and remove the new-SID and second type fields: Ownership of objects owned by the user or group named in old-name is reassigned to the user or group named in new-name.
  - Specify a different SID in the new-SID field: Ownership of objects owned by the user or group named in old-SID is reassigned to the user or group named in new-SID (type fields must match).
- –raw/_sid
- Write SIDs in raw (unformatted) style. Use this option when generating a SID file on Windows® in preparation for moving a VOB from Windows® to UNIX® or Linux®.
Update SIDs
- Default
- Only read or map SIDs. Do not change anything in the VOB database unless the -execute option is present. These options are not allowed with vob_siddump.
- –e/xecute
- Modify SIDs stored in the VOB database. Unless the -execute option is used, vob_sidwalk logs, in the SID file, the changes that would have been made but does not actually change anything in a VOB database.
- –delete/_groups
- Remove any historical SIDs found in the group list of an identity-preserving replica. Historical SIDs are always removed from the group list of a non-replicated VOB or a non-identity-preserving replica. The Help provides details about how to use this option.
Logging
- Default
- No logging.
- –l/og logfile-path
- Write a log of SID reassignments. Each line of the file at logfile-path has the format
    metatype,dbid,container,old-SID,reserved,new-SID
  where each field has the form:
  - metatype: The VOB meta-type name, or one of the special names ROOT, TREE, or FILE for file system objects that have no dbid (database identifier)
  - dbid: Database identifier for this VOB object
  - container: Pathname of the object's container file, if applicable
  - old-SID: String representation of old SID
  - reserved: Reserved for future use
  - new-SID: String representation of new SID
Fixing storage directory protections
- Default
- Does not change protections.
- –recover/_filesystem
- Fix protections on VOB storage directory. This option is not supported with vob_siddump. With vob_sidwalk, it cannot be used with any other option.
VOB tag
- Default
- None.
- vob-tag
- The VOB on which to operate.
SID file
- Default
- None.
- SIDfile-path
- A pathname at which the command should write the SID file. An error is returned if SIDfile-path exists or is not specified. Each line of the SID file has the format:
    old-name,type,old-SID,new-name,type,new-SID,count
  where each field has the form:
  - old-name: domain-name\account-name
  - new-name: One of domain-name\account-name, DELETE
  - type: One of USER, GROUP, GLOBALGROUP, LOCALGROUPONDC, LOCALGROUP
  - old-SID, new-SID: String representation of SID
  - count: Number of objects with this owner
  You can use the SID file as the mapping file when running either command with the -map option.
Examples
The Help includes detailed procedures for using vob_sidwalk and vob_siddump. Read them before using either of these programs.
- Generate a SID file showing the old and new SIDs of security principals after a domain migration, but do not change any SIDs.
    vob_sidwalk -sidhistory vob-tag SIDfile-path
- Replace the historical SIDs stored in the VOB database with new ones that resolve to the appropriate security principals in the Active Directory domain.
    vob_sidwalk -sidhistory -execute vob-tag SIDfile-path
- Reassign ownership of objects in the VOB by mapping all existing SIDs to the new SIDs of the VOB owner and group.
    vob_sidwalk -unknown -execute vob-tag SIDfile-path
  Note: If you are using UCM, you may not want to reassign ownership with -unknown. Reassigning an open activity to the VOB owner will make it unusable by its creator (unless it was created by the VOB owner).
- Recover the ACLs on the VOB storage directory and container files, and also correct the SIDs for the VOB's supplementary group list.
    vob_sidwalk -recover_filesystem vob-tag SIDfile-path
UNIX or Linux system scenario: transfer ownership of VOB objects from one user to another
- First log in as root and create a dump file (dump_final.out).
    [root@unix1 /]# vob_siddump -v -log /tmp/log.out /vob/sidwalktest /tmp/dump_final.out
    VOB Tag: /vob/sidwalktest (unix1:/ccstg/vobs/sidwalktest.vbs)
    Meta-type "directory element" ... 17 object(s)
    Meta-type "directory version" ... 36 object(s)
    Meta-type "tree element" ... 0 object(s)
    Meta-type "element type" ... 13 object(s)
    Meta-type "file element" ... 80 object(s)
    Meta-type "derived object" ... 0 object(s)
    Meta-type "derived object version" ... 0 object(s)
    Meta-type "version" ... 156 object(s)
    Meta-type "symbolic link" ... 0 object(s)
    Meta-type "hyperlink" ... 0 object(s)
    Meta-type "branch" ... 97 object(s)
    Meta-type "pool" ... 3 object(s)
    Meta-type "branch type" ... 1 object(s)
    Meta-type "attribute type" ... 3 object(s)
    Meta-type "hyperlink type" ... 9 object(s)
    Meta-type "trigger type" ... 0 object(s)
    Meta-type "replica type" ... 1 object(s)
    Meta-type "label type" ... 3 object(s)
    Meta-type "replica" ... 1 object(s)
    Meta-type "activity type" ... 0 object(s)
    Meta-type "activity" ... 0 object(s)
    Meta-type "state type" ... 0 object(s)
    Meta-type "state" ... 0 object(s)
    Meta-type "role" ... 0 object(s)
    Meta-type "user" ... 0 object(s)
    Meta-type "baseline" ... 0 object(s)
    Meta-type "domain" ... 0 object(s)
    Total number of objects found: 420
    Successfully processed VOB "/vob/sidwalktest".
- Run cat on the dump file. The output shows that jdoe has a UID of 1000 and owns 136 objects in the VOB, while bobsmith has a UID of 2000 and owns 1 object in the VOB. There are 4 groups reported as owning objects in this VOB. The group named clearusers has a GID of 20 and owns 136 objects. The other groups (group1, group2 and group3) own objects as well.
    [root@unix1 /]# cat /tmp/dump_final.out
    jdoe,USER,UNIX:UID-1000,IGNORE,,,136
    bobsmith,USER,UNIX:UID-2000,IGNORE,,,1
    clearusers,GROUP,UNIX:GID-20,IGNORE,,,136
    group1,GROUP,UNIX:GID-10,IGNORE,,,1
    group2,GROUP,UNIX:GID-100,IGNORE,,,1
    group3,GROUP,UNIX:GID-6000,IGNORE,,,2
- Edit the line in which jdoe is reported to own 136 objects to replace IGNORE with bobsmith.
    [root@unix1 /]# cat /tmp/dump_final.out
    jdoe,USER,UNIX:UID-1000,bobsmith,USER,UNIX:UID-2000,136
    bobsmith,USER,UNIX:UID-2000,IGNORE,,,1
    clearusers,GROUP,UNIX:GID-20,IGNORE,,,136
    group1,GROUP,UNIX:GID-10,IGNORE,,,1
    group2,GROUP,UNIX:GID-100,IGNORE,,,1
    group3,GROUP,UNIX:GID-6000,IGNORE,,,2
  The jdoe line could also be entered in the following shorter format, which omits the fields after the new user name; the proper UID and number of objects are picked up when the file is referenced:
    jdoe,USER,UNIX:UID-1000,bobsmith
- Test the edited dump file without executing it.
    [root@unix1 /]# vob_sidwalk -v -m /tmp/dump_final.out /vob/sidwalktest /tmp/test_out.log
    VOB Tag: /vob/sidwalktest (unix1:/ccstg/vobs/sidwalktest.vbs)
    Meta-type "directory element" ... 17 object(s)
    Meta-type "directory version" ... 36 object(s)
    Meta-type "tree element" ... 0 object(s)
    Meta-type "element type" ... 13 object(s)
    Meta-type "file element" ... 80 object(s)
    Meta-type "derived object" ... 0 object(s)
    Meta-type "derived object version" ... 0 object(s)
    Meta-type "version" ... 156 object(s)
    Meta-type "symbolic link" ... 0 object(s)
    Meta-type "hyperlink" ... 0 object(s)
    Meta-type "branch" ... 97 object(s)
    Meta-type "pool" ... 3 object(s)
    Meta-type "branch type" ... 1 object(s)
    Meta-type "attribute type" ... 3 object(s)
    Meta-type "hyperlink type" ... 9 object(s)
    Meta-type "trigger type" ... 0 object(s)
    Meta-type "replica type" ... 1 object(s)
    Meta-type "label type" ... 3 object(s)
    Meta-type "replica" ... 1 object(s)
    Meta-type "activity type" ... 0 object(s)
    Meta-type "activity" ... 0 object(s)
    Meta-type "state type" ... 0 object(s)
    Meta-type "state" ... 0 object(s)
    Meta-type "role" ... 0 object(s)
    Meta-type "user" ... 0 object(s)
    Meta-type "baseline" ... 0 object(s)
    Meta-type "domain" ... 0 object(s)
    Total number of objects found: 420
    Successfully processed VOB "/vob/sidwalktest"
- Check the new output file (test_out.log) to determine whether the new UID/GID (bobsmith) is incorporated in the output file. The file shows that the user (bobsmith) was correctly mapped and the appropriate UID was established.
    [root@unix1 /]# cat /tmp/test_out.log
    jdoe,USER,UNIX:UID-1000,bobsmith,USER,UNIX:UID-2000,136 <=== **
    bobsmith,USER,UNIX:UID-2000,IGNORE,,,1
    clearusers,GROUP,UNIX:GID-20,IGNORE,,,136
    group1,GROUP,UNIX:GID-10,IGNORE,,,1
    group2,GROUP,UNIX:GID-100,IGNORE,,,1
    group3,GROUP,UNIX:GID-6000,IGNORE,,,2
- Apply the changes in the VOB by running vob_sidwalk again, this time specifying -execute:
    VOB Tag: /vob/sidwalktest (unix1:/ccstg/vobs/sidwalktest.vbs)
    Meta-type "directory element" ... 17 object(s)
    Meta-type "directory version" ... 36 object(s)
    Meta-type "tree element" ... 0 object(s)
    Meta-type "element type" ... 13 object(s)
    Meta-type "file element" ... 80 object(s)
    Meta-type "derived object" ... 0 object(s)
    Meta-type "derived object version" ... 0 object(s)
    Meta-type "version" ... 156 object(s)
    Meta-type "symbolic link" ... 0 object(s)
    Meta-type "hyperlink" ... 0 object(s)
    Meta-type "branch" ... 97 object(s)
    Meta-type "pool" ... 3 object(s)
    Meta-type "branch type" ... 1 object(s)
    Meta-type "attribute type" ... 3 object(s)
    Meta-type "hyperlink type" ... 9 object(s)
    Meta-type "trigger type" ... 0 object(s)
    Meta-type "replica type" ... 1 object(s)
    Meta-type "label type" ... 3 object(s)
    Meta-type "replica" ... 1 object(s)
    Meta-type "activity type" ... 0 object(s)
    Meta-type "activity" ... 0 object(s)
    Meta-type "state type" ... 0 object(s)
    Meta-type "state" ... 0 object(s)
    Meta-type "role" ... 0 object(s)
    Meta-type "user" ... 0 object(s)
    Meta-type "baseline" ... 0 object(s)
    Meta-type "domain" ... 0 object(s)
    Total number of objects found: 420
    Successfully processed VOB "/vob/sidwalktest".
- Verify the success of the reprotection by running vob_siddump and checking the output file. Notice that bobsmith now owns 137 objects.
    [root@unix1 /]# vob_siddump -v -log /tmp/log.out /vob/sidwalktest /tmp/dump_final_check.out
    VOB Tag: /vob/sidwalktest (unix1:/ccstg/vobs/sidwalktest.vbs)
    Meta-type "directory element" ... 17 object(s)
    Meta-type "directory version" ... 36 object(s)
    Meta-type "tree element" ... 0 object(s)
    Meta-type "element type" ... 13 object(s)
    Meta-type "file element" ... 80 object(s)
    Meta-type "derived object" ... 0 object(s)
    Meta-type "derived object version" ... 0 object(s)
    Meta-type "version" ... 156 object(s)
    Meta-type "symbolic link" ... 0 object(s)
    Meta-type "hyperlink" ... 0 object(s)
    Meta-type "branch" ... 97 object(s)
    Meta-type "pool" ... 3 object(s)
    Meta-type "branch type" ... 1 object(s)
    Meta-type "attribute type" ... 3 object(s)
    Meta-type "hyperlink type" ... 9 object(s)
    Meta-type "trigger type" ... 0 object(s)
    Meta-type "replica type" ... 1 object(s)
    Meta-type "label type" ... 3 object(s)
    Meta-type "replica" ... 1 object(s)
    Meta-type "activity type" ... 0 object(s)
    Meta-type "activity" ... 0 object(s)
    Meta-type "state type" ... 0 object(s)
    Meta-type "state" ... 0 object(s)
    Meta-type "role" ... 0 object(s)
    Meta-type "user" ... 0 object(s)
    Meta-type "baseline" ... 0 object(s)
    Meta-type "domain" ... 0 object(s)
    Total number of objects found: 420
    Successfully processed VOB "/vob/sidwalktest".
    [root@unix1 /]# cat /tmp/dump_final_check.out
    bobsmith,USER,UNIX:UID-2000,IGNORE,,,137
    clearusers,GROUP,UNIX:GID-20,IGNORE,,,136
    group1,GROUP,UNIX:GID-10,IGNORE,,,1
    group2,GROUP,UNIX:GID-100,IGNORE,,,1
    group3,GROUP,UNIX:GID-6000,IGNORE,,,2
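The editing rules for the -map mapping file (IGNORE, DELETE, a name-only line with the trailing fields removed, or an explicit new-SID whose type fields must match) and the before/after dumps of this scenario can both be checked mechanically before and after the -execute run. The following Python script is an added example, not code from VersionVault or from this page: it validates an edited SID file before it is handed to vob_sidwalk -map, predicts the per-account counts a post-execute vob_siddump should report, and compares them with the actual dump. The sample dump lines are copied from this scenario. Two assumptions are the example's own, not documented behaviour: the group types (GROUP, GLOBALGROUP, LOCALGROUPONDC, LOCALGROUP) are treated as one family for the "type fields must match" rule, inferred from the Windows scenario below where GROUP is mapped to GLOBALGROUP, and the NT: prefix on a SID is treated as optional, as in that scenario's edited file.

```python
"""Checks around a vob_sidwalk mapping file.  Added example, not part of
VersionVault: it encodes the rules stated for the -map option and the SID
file format on this page; the sample lines below are copied from the page's
UNIX scenario (jdoe -> bobsmith)."""
import re
from collections import Counter

VALID_TYPES = {"USER", "GROUP", "GLOBALGROUP", "LOCALGROUPONDC", "LOCALGROUP"}
# NT:S-1-5-... (NT: prefix assumed optional, as in the page's Windows example)
# or UNIX:UID-n / UNIX:GID-n
SID_RE = re.compile(r"^(?:NT:)?S-1-\d+(?:-\d+)+$|^UNIX:(?:UID|GID)-\d+$")
FIELDS = ("old_name", "type", "old_sid", "new_name", "new_type", "new_sid", "count")


def parse_line(line):
    """Split one SID-file / mapping-file line into a dict of its seven fields.
    The short form 'old-name,type,old-SID,new-name' (trailing fields removed,
    as in the jdoe example on this page) is padded with empty strings."""
    fields = [f.strip() for f in line.strip().split(",")]
    if not 4 <= len(fields) <= 7:
        raise ValueError(f"expected 4 to 7 fields: {line!r}")
    fields += [""] * (7 - len(fields))
    return dict(zip(FIELDS, fields))


def _family(t):
    # assumption: every non-USER type is a kind of group
    return "USER" if t == "USER" else "GROUP"


def _sid_matches_type(sid, t):
    """UNIX UID SIDs belong to USER entries and GID SIDs to group entries;
    NT SIDs carry no such hint, so they always pass."""
    if sid.startswith("UNIX:UID-"):
        return _family(t) == "USER"
    if sid.startswith("UNIX:GID-"):
        return _family(t) == "GROUP"
    return True


def validate_mapping(lines):
    """Return (line_no, problem) pairs for lines that break the -map rules
    or that would hand a user's objects to a group (or vice versa)."""
    problems = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            r = parse_line(line)
        except ValueError as e:
            problems.append((n, str(e)))
            continue
        if r["type"] not in VALID_TYPES:
            problems.append((n, f"unknown type {r['type']!r}"))
        if not SID_RE.match(r["old_sid"]) or not _sid_matches_type(r["old_sid"], r["type"]):
            problems.append((n, f"bad old-SID {r['old_sid']!r}"))
        if r["new_name"] in ("IGNORE", "DELETE"):
            continue  # nothing else on the line matters
        if not r["new_name"]:
            problems.append((n, "empty new-name"))
        elif r["new_sid"]:
            # explicit new-SID: the type fields must match (same user/group family)
            if r["new_type"] not in VALID_TYPES or _family(r["new_type"]) != _family(r["type"]):
                problems.append((n, f"new type {r['new_type']!r} does not match {r['type']!r}"))
            if not SID_RE.match(r["new_sid"]) or not _sid_matches_type(r["new_sid"], r["type"]):
                problems.append((n, f"bad new-SID {r['new_sid']!r}"))
        elif r["new_type"]:
            problems.append((n, "name-only mapping must omit the second type field"))
    return problems


def expected_after(before_lines, mapping_lines, vob_owner=None, vob_group=None):
    """Predict the per-account counts of the dump taken after
    'vob_sidwalk -map ... -execute': counts of mapped accounts move to the
    new owner; DELETE moves them to the VOB owner or primary group."""
    counts, kinds = Counter(), {}
    for r in map(parse_line, filter(str.strip, before_lines)):
        counts[r["old_name"]] += int(r["count"])
        kinds[r["old_name"]] = _family(r["type"])
    for r in map(parse_line, filter(str.strip, mapping_lines)):
        src, dst = r["old_name"], r["new_name"]
        if dst == "IGNORE" or src not in counts:
            continue
        if dst == "DELETE":
            dst = vob_owner if kinds[src] == "USER" else vob_group
            if dst is None:
                raise ValueError("DELETE needs vob_owner / vob_group")
        counts[dst] += counts.pop(src)
    return dict(counts)


def reconcile(after_lines, expected):
    """Compare an actual post-execute dump with expected_after(); returns
    (name, expected, actual) for every account whose count differs."""
    actual = {r["old_name"]: int(r["count"]) for r in map(parse_line, filter(str.strip, after_lines))}
    names = set(actual) | set(expected)
    return sorted((n, expected.get(n, 0), actual.get(n, 0))
                  for n in names if expected.get(n, 0) != actual.get(n, 0))


# Dump files copied from this page's UNIX scenario.
BEFORE = """jdoe,USER,UNIX:UID-1000,IGNORE,,,136
bobsmith,USER,UNIX:UID-2000,IGNORE,,,1
clearusers,GROUP,UNIX:GID-20,IGNORE,,,136
group1,GROUP,UNIX:GID-10,IGNORE,,,1
group2,GROUP,UNIX:GID-100,IGNORE,,,1
group3,GROUP,UNIX:GID-6000,IGNORE,,,2""".splitlines()
MAPPING = ["jdoe,USER,UNIX:UID-1000,bobsmith,USER,UNIX:UID-2000,136"] + BEFORE[1:]
AFTER = """bobsmith,USER,UNIX:UID-2000,IGNORE,,,137
clearusers,GROUP,UNIX:GID-20,IGNORE,,,136
group1,GROUP,UNIX:GID-10,IGNORE,,,1
group2,GROUP,UNIX:GID-100,IGNORE,,,1
group3,GROUP,UNIX:GID-6000,IGNORE,,,2""".splitlines()

if __name__ == "__main__":
    print("mapping problems:", validate_mapping(MAPPING))
    exp = expected_after(BEFORE, MAPPING)
    print("expected after -execute:", exp)
    print("mismatches:", reconcile(AFTER, exp))
```

In practice you run `validate_mapping` on the edited file before the dry run, `expected_after` on the dry-run input, and `reconcile` on the dump taken after -execute; an empty mismatch list is the confirmation the scenario's last step reads off by eye (bobsmith 137, jdoe gone).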
Windows system scenario: transfer ownership of VOB objects from one user to another
This scenario is similar to the scenario for UNIX or Linux systems: transfer object ownership from user jdoe to user bobsmith. Further, the Windows group Domain Users owns all the objects in the VOB, which is replicated and identity-preserving. Another objective is to use a different Windows group (users) to tighten VOB security. These same steps would be applicable if a group change were to be made.
- Run creds to obtain the Security ID (SID) of the users and groups. Note that C:\Program Files\HCL\CCM\VersionVault\etc\utils is specified in the system path on the host to allow Windows commands that reside in that directory to be run from the C: drive.
    C:>creds bobsmith
    Login name: DOMAIN\bobsmith
    USID: NT:S-1-5-21-141845252-1443263951-584457872-1644
    Primary group: DOMAIN\clearuser (NT:S-1-5-21-141845252-1443263951-584457872-1023)
    Groups: (11)
    Everyone (NT:S-1-1-0)
    BUILTIN\Administrators (NT:S-1-5-32-544)
    BUILTIN\Users (NT:S-1-5-32-545)
    DOMAIN\Domain Users (NT:S-1-5-21-141845252-1443263951-584457872-513)
    DOMAIN\Domain Admins (NT:S-1-5-21-141845252-1443263951-584457872-512)
    DOMAIN\versionvault (NT:S-1-5-21-141845252-1443263951-584457872-1022)
    DOMAIN\users (NT:S-1-5-21-141845252-1443263951-584457872-1199)
    LOCAL (NT:S-1-2-0)
    NT AUTHORITY\INTERACTIVE (NT:S-1-5-4)
    NT AUTHORITY\Authenticated Users (NT:S-1-5-11)
    You have VersionVault administrative privileges.
    C:>creds jdoe
    Login name: DOMAIN\jdoe
    USID: NT:S-1-5-21-141845252-1443263951-584457872-2038
    Primary group: DOMAIN\Domain Users (NT:S-1-5-21-141845252-1443263951-584457872-513)
    Groups: (10)
    Everyone (NT:S-1-1-0)
    BUILTIN\Administrators (NT:S-1-5-32-544)
    BUILTIN\Users (NT:S-1-5-32-545)
    DOMAIN\Domain Admins (NT:S-1-5-21-141845252-1443263951-584457872-512)
    DOMAIN\users (NT:S-1-5-21-141845252-1443263951-584457872-1199)
    LOCAL (NT:S-1-2-0)
    NT AUTHORITY\INTERACTIVE (NT:S-1-5-4)
    NT AUTHORITY\Authenticated Users (NT:S-1-5-11)
    You do not have VersionVault administrative privileges.
- Log in as VOB owner or Administrator and create a dump file (sid1) using the vob_sidwalk command, which lists all the objects in the VOB and reports the SIDs (user and group) that own those objects.
    C:\>vob_sidwalk \sidwalktest c:\sid1
    VOB Tag: \sidwalktest (VOB_SERVER:D:\cc_storage\vobs\sidwalktest.vbs)
    Meta-type "directory element" ... 6 object(s)
    Meta-type "directory version" ... 15 object(s)
    Meta-type "tree element" ... 0 object(s)
    Meta-type "element type" ... 11 object(s)
    Meta-type "file element" ... 27 object(s)
    Meta-type "derived object" ... 0 object(s)
    Meta-type "derived object version" ... 0 object(s)
    Meta-type "version" ... 54 object(s)
    Meta-type "symbolic link" ... 0 object(s)
    Meta-type "hyperlink" ... 0 object(s)
    Meta-type "branch" ... 33 object(s)
    Meta-type "pool" ... 3 object(s)
    Meta-type "branch type" ... 1 object(s)
    Meta-type "attribute type" ... 3 object(s)
    Meta-type "hyperlink type" ... 9 object(s)
    Meta-type "trigger type" ... 0 object(s)
    Meta-type "replica type" ... 1 object(s)
    Meta-type "label type" ... 3 object(s)
    Meta-type "replica" ... 1 object(s)
    Meta-type "activity type" ... 0 object(s)
    Meta-type "activity" ... 0 object(s)
    Meta-type "state type" ... 0 object(s)
    Meta-type "state" ... 0 object(s)
    Meta-type "role" ... 0 object(s)
    Meta-type "user" ... 0 object(s)
    Meta-type "checkpoint" ... 0 object(s)
    Meta-type "domain" ... 0 object(s)
    Total number of objects found: 167
    Successfully processed VOB "\sidwalktest".
- Run type on sid1. The output shows one user owning 65 objects in this VOB. That user is jdoe and has a SID of NT:S-1-5-21-141845252-1443263951-584457872-2038. There is one group reported as owning 65 objects in this VOB. The group is named Domain Users and has a SID of NT:S-1-5-21-141845252-1443263951-584457872-513.
    C:\>type sid1
    DOMAIN\jdoe,USER,NT:S-1-5-21-141845252-1443263951-584457872-2038,IGNORE,,,65
    DOMAIN\Domain Users,GROUP,NT:S-1-5-21-141845252-1443263951-584457872-513,IGNORE,,,65
- Edit the dump file (sid1) with a text editor to map the names of the objects owned by the old SID (jdoe) to the new SID (bobsmith), as follows.
    DOMAIN\jdoe,USER,NT:S-1-5-21-141845252-1443263951-584457872-2038,DOMAIN\bobsmith,USER,S-1-5-21-141845252-1443263951-584457872-1644,65
    DOMAIN\Domain Users,GROUP,NT:S-1-5-21-141845252-1443263951-584457872-513,DOMAIN\clearuser,GLOBALGROUP,S-1-5-21-141845252-1443263951-584457872-1023,65
  The line in which jdoe is reported as owning 65 objects was modified: the word IGNORE was replaced with DOMAIN\bobsmith,USER,S-1-5-21-141845252-1443263951-584457872-1644. The line where DOMAIN\Domain Users is reported as owning 65 objects was modified: the word IGNORE was replaced with DOMAIN\user,GLOBALGROUP,S-1-5-21-141845252-1443263951-584457872-1023.
- Apply the mapping in the VOB by running vob_sidwalk, this time with the -execute option:
    C:\>vob_sidwalk -map c:\sid1 -execute \sidwalktest c:\sid2
    VOB Tag: \sidwalktest (VOB_SERVER:D:\cc_storage\vobs\sidwalktest.vbs)
    Meta-type "directory element" ... 6 object(s)
    Meta-type "directory version" ... 15 object(s)
    Meta-type "tree element" ... 0 object(s)
    Meta-type "element type" ... 11 object(s)
    Meta-type "file element" ... 27 object(s)
    Meta-type "derived object" ... 0 object(s)
    Meta-type "derived object version" ... 0 object(s)
    Meta-type "version" ... 54 object(s)
    Meta-type "symbolic link" ... 0 object(s)
    Meta-type "hyperlink" ... 0 object(s)
    Meta-type "branch" ... 33 object(s)
    Meta-type "pool" ... 3 object(s)
    Meta-type "branch type" ... 1 object(s)
    Meta-type "attribute type" ... 3 object(s)
    Meta-type "hyperlink type" ... 9 object(s)
    Meta-type "trigger type" ... 0 object(s)
    Meta-type "replica type" ... 1 object(s)
    Meta-type "label type" ... 3 object(s)
    Meta-type "replica" ... 1 object(s)
    Meta-type "activity type" ... 0 object(s)
    Meta-type "activity" ... 0 object(s)
    Meta-type "state type" ... 0 object(s)
    Meta-type "state" ... 0 object(s)
    Meta-type "role" ... 0 object(s)
    Meta-type "user" ... 0 object(s)
    Meta-type "checkpoint" ... 0 object(s)
    Meta-type "domain" ... 0 object(s)
    Total number of objects found: 167
    Successfully processed VOB "\sidwalktest".
- Check the new output file (sid2) to ensure that the new SID (user bobsmith and group clearuser) is incorporated into the output file.
    C:\>type sid2
    DOMAIN\jdoe,USER,NT:S-1-5-21-141845252-1443263951-584457872-2038,DOMAIN\bobsmith,USER,NT:S-1-5-21-141845252-1443263951-584457872-1644,65
    DOMAIN\Domain Users,GROUP,NT:S-1-5-21-141845252-1443263951-584457872-513,DOMAIN\clearuser,GLOBALGROUP,NT:S-1-5-21-141845252-1443263951-584457872-1023,65
  The output shows that the user (bobsmith) and the group (user) were correctly mapped: the line in which jdoe is reported as owning 65 objects now includes DOMAIN\bobsmith,USER,S-1-5-21-141845252-1443263951-584457872-1644. The line in which DOMAIN\Domain Users is reported as owning 65 objects now includes DOMAIN\user,GLOBALGROUP,S-1-5-21-141845252-1443263951-584457872-1023.
- Because the VOB in this example is an identity-preserving replica, the vob_sidwalk command needs to be run a second time to remove any historical SIDs found in the group list.
    C:\>vob_sidwalk -delete_groups \sidwalktest c:\sid3
    VOB Tag: \sidwalktest (VOB_SERVER:D:\cc_storage\vobs\sidwalktest.vbs)
    Meta-type "directory element" ... 6 object(s)
    Meta-type "directory version" ... 15 object(s)
    Meta-type "tree element" ... 0 object(s)
    Meta-type "element type" ... 11 object(s)
    Meta-type "file element" ... 27 object(s)
    Meta-type "derived object" ... 0 object(s)
    Meta-type "derived object version" ... 0 object(s)
    Meta-type "version" ... 54 object(s)
    Meta-type "symbolic link" ... 0 object(s)
    Meta-type "hyperlink" ... 0 object(s)
    Meta-type "branch" ... 33 object(s)
    Meta-type "pool" ... 3 object(s)
    Meta-type "branch type" ... 1 object(s)
    Meta-type "attribute type" ... 3 object(s)
    Meta-type "hyperlink type" ... 9 object(s)
    Meta-type "trigger type" ... 0 object(s)
    Meta-type "replica type" ... 1 object(s)
    Meta-type "label type" ... 3 object(s)
    Meta-type "replica" ... 1 object(s)
    Meta-type "activity type" ... 0 object(s)
    Meta-type "activity" ... 0 object(s)
    Meta-type "state type" ... 0 object(s)
    Meta-type "state" ... 0 object(s)
    Meta-type "role" ... 0 object(s)
    Meta-type "user" ... 0 object(s)
    Meta-type "checkpoint" ... 0 object(s)
    Meta-type "domain" ... 0 object(s)
    Total number of objects found: 167
    Successfully processed VOB "\sidwalktest".
- Check the new output file (sid3) to see if the old SIDs (user jdoe and group Domain Users) have been removed from the VOB database.
    C:\>type sid3
    DOMAIN\bobsmith,USER,NT:S-1-5-21-141845252-1443263951-584457872-1644,IGNORE,,,65
    DOMAIN\clearuser,GLOBALGROUP,NT:S-1-5-21-141845252-1443263951-584457872-1023,IGNORE,,,65
- Fix protections on the VOB storage directory after removing the old user and group. This step would not be required if the old user and group had not been removed.
    C:\>vob_sidwalk -recover_filesystem \sidwalktest c:\sid4
    VOB Tag: \sidwalktest (VOB_SERVER:D:\cc_storage\vobs\sidwalktest.vbs)
    Meta-type "element type" ... 11 object(s)
    Meta-type "file element" ... 27 object(s)
    Meta-type "derived object" ... 0 object(s)
    Meta-type "derived object version" ... 0 object(s)
    Meta-type "version" ... 54 object(s)
    Total number of objects found: 92
    Successfully processed VOB "\sidwalktest".
UNIX or Linux system scenario: using vob_siddump and vob_sidwalk on a schema version 80 VOB at feature level 8
- Below is an example of what vob_siddump outputs against a newly created schema 80 feature level 8 VOB:
    -bash-3.2$ vob_siddump /var/tmp/vob00 dump.txt
    VOB Tag: /var/tmp/vob00 (xsles11:/var/tmp/vob00.vbs)
    Meta-type "directory element" ... 2 object(s)
    Meta-type "directory version" ... 2 object(s)
    Meta-type "tree element" ... 0 object(s)
    Meta-type "element type" ... 18 object(s)
    Meta-type "file element" ... 0 object(s)
    Meta-type "derived object" ... 0 object(s)
    Meta-type "derived object version" ... 0 object(s)
    Meta-type "version" ... 0 object(s)
    Meta-type "pool" ... 3 object(s)
    Meta-type "symbolic link" ... 0 object(s)
    Meta-type "hyperlink" ... 0 object(s)
    Meta-type "branch" ... 2 object(s)
    Meta-type "branch type" ... 1 object(s)
    Meta-type "attribute type" ... 3 object(s)
    Meta-type "hyperlink type" ... 9 object(s)
    Meta-type "trigger type" ... 0 object(s)
    Meta-type "replica type" ... 1 object(s)
    Meta-type "label type" ... 3 object(s)
    Meta-type "replica" ... 1 object(s)
    Meta-type "activity type" ... 0 object(s)
    Meta-type "state type" ... 0 object(s)
    Meta-type "state" ... 0 object(s)
    Meta-type "role" ... 0 object(s)
    Meta-type "user" ... 0 object(s)
    Meta-type "domain" ... 0 object(s)
    Meta-type "folder" ... 0 object(s)
    Meta-type "project" ... 0 object(s)
    Meta-type "stream" ... 0 object(s)
    Meta-type "component" ... 0 object(s)
    Meta-type "timeline" ... 0 object(s)
    Meta-type "baseline" ... 0 object(s)
    Meta-type "activity" ... 0 object(s)
    Meta-type "ucm legacy" ... 0 object(s)
    Meta-type "policy" ... 1 object(s)
    Meta-type "rolemap" ... 1 object(s)
    Total number of objects found: 47
    Successfully processed VOB "/var/tmp/vob00".
- The output indicates that the metatypes policy and rolemap (in a newly created VOB, they are DefaultPolicy and DefaultRolemap) were also dumped. Next, we check the output dump file dump.txt to get the SIDs in this VOB.
    -bash-3.2$ cat dump.txt
    CMBUQE/tester0,USER,UNIX:UID-2003,IGNORE,,,47
    CMBUQE/user,GROUP,UNIX:GID-20,IGNORE,,,43
- If the VOB owner changes DefaultPolicy to grant a new principal the permission to access the VOB, that principal is still dumped by vob_siddump (or vob_sidwalk) even when its SID is not any object's owner. Next, the chpolicy command adds the principal CMBUQE/testernt in DefaultPolicy. The new principal is also referenced in this VOB, even though the SID does not own any VOB object.
    -bash-3.2$ cleartool chpolicy -vob -add Read -principal user:CMBUQE/testernt -c "add new user to VOB access list" DefaultPolicy@/var/tmp/vob00
    This command may take a long time to execute as it reprotects containers associated with the policies and/or rolemaps which are being modified.
    If this command is interrupted it may be necessary to run cleartool subcommand(s) as described below to fix container protections.
    Potential fix command: chpolicy -validate_pools DefaultPolicy
    Modified definition of policy "DefaultPolicy".
    Completed modification of ACLs on containers protected by policy "DefaultPolicy".
    -bash-3.2$ vob_siddump /var/tmp/vob00 dump.txt
    VOB Tag: /var/tmp/vob00 (xsles11:/var/tmp/vob00.vbs)
    Meta-type "directory element" ... 2 object(s)
    Meta-type "directory version" ... 2 object(s)
    Meta-type "tree element" ... 0 object(s)
    Meta-type "element type" ... 18 object(s)
    Meta-type "file element" ... 0 object(s)
    Meta-type "derived object" ... 0 object(s)
    Meta-type "derived object version" ... 0 object(s)
    Meta-type "version" ... 0 object(s)
    Meta-type "pool" ... 3 object(s)
    Meta-type "symbolic link" ... 0 object(s)
    Meta-type "hyperlink" ... 0 object(s)
    Meta-type "branch" ... 2 object(s)
    Meta-type "branch type" ... 1 object(s)
    Meta-type "attribute type" ... 3 object(s)
    Meta-type "hyperlink type" ... 9 object(s)
    Meta-type "trigger type" ... 0 object(s)
    Meta-type "replica type" ... 1 object(s)
    Meta-type "label type" ... 3 object(s)
    Meta-type "replica" ... 1 object(s)
    Meta-type "activity type" ... 0 object(s)
    Meta-type "state type" ... 0 object(s)
    Meta-type "state" ... 0 object(s)
    Meta-type "role" ... 0 object(s)
    Meta-type "user" ... 0 object(s)
    Meta-type "domain" ... 0 object(s)
    Meta-type "folder" ... 0 object(s)
    Meta-type "project" ... 0 object(s)
    Meta-type "stream" ... 0 object(s)
    Meta-type "component" ... 0 object(s)
    Meta-type "timeline" ... 0 object(s)
    Meta-type "baseline" ... 0 object(s)
    Meta-type "activity" ... 0 object(s)
    Meta-type "ucm legacy" ... 0 object(s)
    Meta-type "policy" ... 1 object(s)
    Meta-type "rolemap" ... 1 object(s)
    Total number of objects found: 47
    Successfully processed VOB "/var/tmp/vob00".
    -bash-3.2$ cat dump.txt
    CMBUQE/tester0,USER,UNIX:UID-2003,IGNORE,,,47
    CMBUQE/testernt,USER,UNIX:UID-2009,IGNORE,,,1
    CMBUQE/user,GROUP,UNIX:GID-20,IGNORE,,,43