vob_sidwalk, vob_siddump

Reads or changes security identifiers in a schema version 54 VOB database

APPLICABILITY

Product             Command type
ClearCase           administrative command
ClearCase LT        administrative command

Platform
UNIX
Windows

SYNOPSIS

  • Read or change security identifiers in a VOB database:
    vob_sidwalk [ –p·rofile profile-path ] | [ –s·idhistory ]
    [ –u·nknown ] [ –m·ap mapfile-path ] [ –l·og logfile-path ]
    [ –e·xecute ] [ –delete·_groups ]
    [ –raw·_sid ] vob-tag SIDfile-path

  • Recover VOB storage directory protections:
    vob_sidwalk –recover·_filesystem vob-tag SIDfile-path

  • Read security identifiers in a VOB database:
    vob_siddump [ –p·rofile profile-path ] | [ –s·idhistory ]
    [ –u·nknown ] [ –raw·_sid ] [ –m·ap mapfile-path ]
    [ –l·og logfile-path ] vob-tag SIDfile-path

DESCRIPTION

vob_sidwalk and vob_siddump are administrative utilities that can be used to read or change security identifiers (Windows SIDs or UNIX UIDs and GIDs) stored in VOB databases that are formatted with schema version 54. vob_sidwalk is installed only on hosts that are configured to support local VOBs and views and to support VOB schema version 54. vob_siddump is installed on all hosts.

The programs are typically needed for these tasks:

  • Moving a VOB from one Windows domain to another Windows domain
  • Migrating a Windows NT domain to an Active Directory domain
  • Moving a VOB from a Windows host to a UNIX host or vice versa

vob_siddump is a read-only version of vob_sidwalk. It can be executed on the VOB server or any client to list the security principal (user and group) names and SIDs stored in a VOB.

vob_sidwalk has all of the capabilities of vob_siddump and can also change SIDs in the VOB database. In addition, vob_sidwalk can be executed with the -recover_filesystem option to reset the protections on a VOB storage directory so that they are consistent with the SID of the VOB's owner and group.

RESTRICTIONS

vob_siddump has no restrictions. vob_sidwalk has the following restrictions:

Identities

You must have one of the following identities:

  • VOB owner
  • root (UNIX)
  • Member of the ClearCase administrators group (ClearCase on Windows)
  • Local administrator of the ClearCase LT server (ClearCase LT on Windows)

Locks

An error occurs if the VOB is locked.

Other

You must enter this command on the VOB server host.

OPTIONS AND ARGUMENTS

Read or Map SIDs

Default
None. These options are allowed with both vob_sidwalk and vob_siddump.

–s·idhistory
Generate a SID file of historical SID information stored in the VOB database. Write the current name and SID for each account to the new-name and new-SID fields of SIDfile-path and write the historical name and SID to the old-name and old-SID fields. If either command is invoked without this option, it writes the current name and SID for each account to the old-name and old-SID fields of SIDfile-path, and the new-name field is always IGNORE.

–u·nknown
Map SIDs that cannot be resolved to an account in the domain. Any user SID that cannot be resolved is mapped to the SID of the VOB owner. Any group SID that cannot be resolved is mapped to the SID of the VOB's primary group. The mappings are written to the SID file.

–p·rofile profile-path
Write a list of all SIDs found in the VOB along with the database identifiers that describe objects owned by each SID. The list is written to the file in profile-path. Each line of the file has the format

metatype,dbid,user-name,user-SID,group-name,group-SID,mode,container...

where each field has the form:

metatype        The VOB metatype name, or one of the special names ROOT, TREE, or FILE for file system objects that have no dbid (database identifier)
dbid            Database identifier for this VOB object
user-name       User name of the object's owner
user-SID        String representation of user SID
group-name      Group name of the object's group
group-SID       String representation of group SID
mode            The object's access mode
container...    Pathname of the object's container file, if applicable

This option can generate a large file in profile-path and consume significant resources on the VOB server host. This option cannot be used with any other option.

–m·ap mapfile-path
Force remapping of all SIDs in a VOB database as specified in the mapping file at mapfile-path. Details about the SID remappings for the VOB at vob-tag are written to SIDfile-path.

The mapping file contains one or more lines in the format

old-name,type,old-SID,new-name,type,new-SID

where each field has the form

old-name            domain-name\account-name
new-name            One of domain-name\account-name, IGNORE, DELETE
type                One of USER, GROUP, GLOBALGROUP, LOCALGROUPONDC, LOCALGROUP
old-SID, new-SID    String representation of SID

You can use a SID file from a previous run of vob_sidwalk or vob_siddump as the basis of the mapping file. If you need to change the existing mapping (to reassign ownership of objects), edit the file to make any of the following changes:

Change the new-name field to IGNORE
    No changes are made to this SID.

Change the new-name field to DELETE
    The SID is changed to the SID of the VOB owner or, if it is a group SID, the SID of the VOB's primary group.

Change the new-name field to the name of a user or group and remove the new-SID and second type fields
    Ownership of objects owned by the user or group named in old-name is reassigned to the user or group named in new-name.

Specify a different SID in the new-SID field
    Ownership of objects owned by the user or group named in old-SID is reassigned to the user or group named in new-SID (the two type fields must match).

–raw·_sid
Write SIDs in raw (unformatted) style. Use this option when generating a SID file on Windows in preparation for moving a VOB from Windows to UNIX.

Update SIDs

Default
Only read or map SIDs. Do not change anything in the VOB database unless the -execute option is present. These options are not allowed with vob_siddump.

–e·xecute
Modify SIDs stored in the VOB database. Unless the -execute option is used, vob_sidwalk logs, in the SID file, the changes that would have been made but does not actually change anything in a VOB database.

–delete·_groups
Remove any historical SIDs found in the group list of an identity-preserving replica. Historical SIDs are always removed from the group list of a non-replicated VOB or a non-identity-preserving replica. The Administrator's Guide provides details about how to use this option.

Logging

Default
No logging.

–l·og logfile-path
Write a log of SID reassignments. Each line of the file at logfile-path has the format

metatype,dbid,container,old-SID,reserved,new-SID

where each field has the form:

metatype        The VOB metatype name, or one of the special names ROOT, TREE, or FILE for file system objects that have no dbid (database identifier)
dbid            Database identifier for this VOB object
container       Pathname of the object's container file, if applicable
old-SID         String representation of old SID
reserved        Reserved for future use
new-SID         String representation of new SID
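The -log file is the only per-object record of what an -execute run changed, so it is worth auditing before and after the run. The following script is an added example (not part of the ClearCase distribution or this reference page): it parses log lines in the metatype,dbid,container,old-SID,reserved,new-SID layout described above, tallies the reassignments by SID pair and by metatype, and flags objects whose ownership collapsed onto the VOB owner's SID, which is the situation the UCM note under EXAMPLES warns about for activities. The sample log lines, the SIDs and the container path are constructed; the metatype name "activity" for UCM activities is an assumption, and the VOB owner's SID is passed in by the caller.

```python
"""Audit a vob_sidwalk -log file (added example, not ClearCase code).

Log line layout (from the vob_sidwalk reference page):
    metatype,dbid,container,old-SID,reserved,new-SID
"""
import csv
import io
from collections import Counter

# Constructed sample log: SIDs, dbids and the container path are made up.
SAMPLE_LOG = """\
element,1234,/vobstore/src.vob/s/sdft/2a/1b/0-constructed,S-1-5-21-1111-2222-3333-1009,,S-1-5-21-1111-2222-3333-500
activity,2201,,S-1-5-21-1111-2222-3333-1009,,S-1-5-21-1111-2222-3333-500
branch,77,,S-1-5-21-1111-2222-3333-1001,,S-1-5-21-4444-5555-6666-1001
version,78,,S-1-5-21-1111-2222-3333-1001,,S-1-5-21-1111-2222-3333-1001
ROOT,,/vobstore/src.vob,S-1-5-21-1111-2222-3333-500,,S-1-5-21-4444-5555-6666-500
"""

FIELDS = ("metatype", "dbid", "container", "old_sid", "reserved", "new_sid")


def parse_log(text):
    """Return one dict per log line; reject lines that do not have 6 fields."""
    entries = []
    for n, rec in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not rec:
            continue
        if len(rec) != len(FIELDS):
            raise ValueError(f"line {n}: expected {len(FIELDS)} fields, got {len(rec)}")
        entries.append(dict(zip(FIELDS, rec)))
    return entries


def audit(entries, vob_owner_sid):
    """Summarise a parsed log.

    pairs         -- how many objects moved from each old SID to each new SID
    by_metatype   -- how many log lines per metatype (ROOT/TREE/FILE included)
    noops         -- lines whose old and new SID are identical
    to_owner      -- (metatype, dbid) of objects now owned by the VOB owner
                     that were owned by someone else before
    activities    -- dbids of UCM activities handed to the VOB owner; the
                     metatype name "activity" is an assumption
    """
    pairs = Counter((e["old_sid"], e["new_sid"])
                    for e in entries if e["old_sid"] != e["new_sid"])
    by_metatype = Counter(e["metatype"] for e in entries)
    noops = [e for e in entries if e["old_sid"] == e["new_sid"]]
    to_owner = [(e["metatype"], e["dbid"]) for e in entries
                if e["new_sid"] == vob_owner_sid and e["old_sid"] != vob_owner_sid]
    activities = [e["dbid"] for e in entries
                  if e["metatype"] == "activity" and e["new_sid"] == vob_owner_sid]
    return {"pairs": pairs, "by_metatype": by_metatype, "noops": noops,
            "to_owner": to_owner, "activities": activities}


if __name__ == "__main__":
    report = audit(parse_log(SAMPLE_LOG), "S-1-5-21-1111-2222-3333-500")
    for (old, new), n in sorted(report["pairs"].items()):
        print(f"{n:5d}  {old} -> {new}")
    print("collapsed onto VOB owner:", report["to_owner"])
    print("activities now owned by VOB owner:", report["activities"])
```

Run it against a real log by replacing SAMPLE_LOG with the file's contents and passing the VOB owner's SID as it appears in the SID file. A non-empty activities list after an -unknown run is the case to review with the activity's creator before anyone tries to use it.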

Fixing Storage Directory Protections

Default
Does not change protections.

–recover·_filesystem
Fix protections on VOB storage directory. This option is not supported with vob_siddump. With vob_sidwalk, it cannot be used with any other option.

VOB Tag

Default
None.

vob-tag
The VOB on which to operate.

SID File

Default
None.

SIDfile-path
A pathname at which the command should write the SID file. An error is returned if SIDfile-path exists or is not specified. Each line of the SID file has the format:

old-name,type,old-SID,new-name,type,new-SID,count

where each field has the form:

old-name            domain-name\account-name
new-name            One of domain-name\account-name, DELETE
type                One of USER, GROUP, GLOBALGROUP, LOCALGROUPONDC, LOCALGROUP
old-SID, new-SID    String representation of SID
count               Number of objects with this owner

You can use the SID file as the mapping file when running either command with the -map option.
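Because the SID file and the -map mapping file share their first six fields, the usual workflow for a domain move is to take the SID file from a vob_siddump run, rewrite it into a mapping file, and check it before handing it to vob_sidwalk -map -execute. The script below is an added example (not ClearCase code and not taken from this page or the Administrator's Guide) that does exactly that: it drops the count field, renames every account from the old domain to the new one by name (leaving new-SID and the second type field empty, which is this example's reading of "remove the new-SID and second type fields"), maps accounts listed as no longer existing to DELETE, and keeps everything else as IGNORE. The validator enforces the rules stated under -map: six fields, a known type, domain\account names, and matching type fields whenever a line remaps by SID. The SID file contents, domain names and SIDs are constructed; OLDDOM, NEWDOM and the account names are placeholders.

```python
"""Build and validate a vob_sidwalk mapping file from a SID file.

Added example, not ClearCase code. Field layouts follow the reference page:
    SID file : old-name,type,old-SID,new-name,type,new-SID,count
    map file : old-name,type,old-SID,new-name,type,new-SID
Assumption: a line rewritten to a new account name carries empty new-SID
and second-type fields; confirm this form against the Administrator's Guide.
"""
import csv
import io

TYPES = {"USER", "GROUP", "GLOBALGROUP", "LOCALGROUPONDC", "LOCALGROUP"}

# Constructed sample SID file as written by vob_siddump without -sidhistory:
# current account in old-name/old-SID, new-name IGNORE. SIDs are made up.
SAMPLE_SIDFILE = """\
OLDDOM\\alice,USER,S-1-5-21-1111-2222-3333-1001,IGNORE,USER,S-1-5-21-1111-2222-3333-1001,42
OLDDOM\\devs,GLOBALGROUP,S-1-5-21-1111-2222-3333-2001,IGNORE,GLOBALGROUP,S-1-5-21-1111-2222-3333-2001,17
OLDDOM\\contractor,USER,S-1-5-21-1111-2222-3333-1009,IGNORE,USER,S-1-5-21-1111-2222-3333-1009,3
"""


def parse_sidfile(text):
    """Return one dict per SID-file line; reject lines without 7 fields."""
    rows = []
    for n, rec in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not rec:
            continue
        if len(rec) != 7:
            raise ValueError(f"line {n}: expected 7 fields, got {len(rec)}")
        rows.append({"old_name": rec[0], "type": rec[1], "old_sid": rec[2],
                     "new_name": rec[3], "new_type": rec[4], "new_sid": rec[5],
                     "count": int(rec[6])})
    return rows


def build_mapping(rows, old_domain, new_domain, delete_accounts=()):
    """Return mapping-file lines (no count field).

    Accounts in delete_accounts no longer exist in the new domain and are
    mapped to DELETE (VOB owner, or primary group for group SIDs). Every
    other account in old_domain is renamed into new_domain by name, so
    vob_sidwalk resolves the new SID itself. Accounts from any other domain
    are copied through unchanged as IGNORE.
    """
    lines = []
    for r in rows:
        domain, _, account = r["old_name"].partition("\\")
        if r["old_name"] in delete_accounts:
            new = ("DELETE", "", "")
        elif domain.upper() == old_domain.upper():
            new = (f"{new_domain}\\{account}", "", "")
        else:
            new = ("IGNORE", r["new_type"], r["new_sid"])
        lines.append(",".join((r["old_name"], r["type"], r["old_sid"]) + new))
    return lines


def validate_mapping(lines):
    """Return a list of problems; an empty list means the file is well formed."""
    problems = []
    seen = set()
    for n, rec in enumerate(csv.reader(lines), start=1):
        if len(rec) != 6:
            problems.append(f"line {n}: expected 6 fields, got {len(rec)}")
            continue
        old_name, typ, old_sid, new_name, new_type, new_sid = rec
        if typ not in TYPES:
            problems.append(f"line {n}: unknown type {typ!r}")
        if "\\" not in old_name:
            problems.append(f"line {n}: old-name must be domain\\account")
        if old_sid in seen:
            problems.append(f"line {n}: duplicate old-SID {old_sid}")
        seen.add(old_sid)
        if new_name in ("IGNORE", "DELETE"):
            continue
        if "\\" not in new_name:
            problems.append(f"line {n}: new-name must be domain\\account, IGNORE or DELETE")
        if new_sid and new_type != typ:
            # remapping by SID requires both type fields to match (-map rule)
            problems.append(f"line {n}: type mismatch {typ} vs {new_type} for SID remap")
    return problems


if __name__ == "__main__":
    rows = parse_sidfile(SAMPLE_SIDFILE)
    mapping = build_mapping(rows, "OLDDOM", "NEWDOM",
                            delete_accounts={"OLDDOM\\contractor"})
    for problem in validate_mapping(mapping):
        print("PROBLEM:", problem)
    print("\n".join(mapping))
```

Write the printed lines to the file you pass as mapfile-path, run vob_sidwalk -map without -execute first, and compare the resulting SID file with the mapping before repeating the run with -execute.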

EXAMPLES

The Administrator's Guide includes detailed procedures for using vob_sidwalk and vob_siddump. We recommend that you read them before using either of these programs.

  • Generate a SID file showing the old and new SIDs of security principals after a domain migration, but do not change any SIDs.

    vob_sidwalk -sidhistory vob-tag SIDfile-path

  • Replace the historical SIDs stored in the VOB database with new ones that resolve to the appropriate security principals in the Active Directory domain.

    vob_sidwalk -sidhistory -execute vob-tag SIDfile-path

  • Reassign ownership of objects in the VOB by mapping all existing SIDs to the new SIDs of the VOB owner and group.

    vob_sidwalk -unknown -execute vob-tag SIDfile-path

    Note: If you are using UCM, you may not want to reassign ownership with -unknown. Reassigning an open activity to the VOB owner will make it unusable by its creator (unless it was created by the VOB owner).

  • Recover the ACLs on the VOB storage directory and container files, and also correct the SIDs for the VOB's supplementary group list.

    vob_sidwalk -recover_filesystem vob-tag SIDfile-path

SEE ALSO

Administrator's Guide



Copyright© 2003 Rational Software. All Rights Reserved.