vob_sidwalk, vob_siddump
Reads or changes security identifiers in a schema version 54 VOB database
SYNOPSIS
- Read or change security identifiers in a VOB database:
- vob_sidwalk [ –p·rofile profile-path ] | [ –s·idhistory ] [ –u·nknown ] [ –m·ap mapfile-path ] [ –l·og logfile-path ] [ –e·xecute ] [ –delete·_groups ] [ -raw·_sid ] vob-tag SIDfile-path
- Recover VOB storage directory protections:
- vob_sidwalk –recover·_filesystem vob-tag SIDfile-path
- Read security identifiers in a VOB database:
- vob_siddump [ –p·rofile profile-path ] | [ –s·idhistory ] [ –u·nknown ] [ -raw·_sid ] [ –m·ap mapfile-path ] [ –l·og logfile-path ] vob-tag SIDfile-path
DESCRIPTION
vob_sidwalk and vob_siddump are administrative utilities that can be used to read or change security identifiers (Windows SIDs or UNIX UIDs and GIDs) stored in VOB databases that are formatted with schema version 54. vob_sidwalk is installed only on hosts that are configured to support local VOBs and views and to support VOB schema version 54. vob_siddump is installed on all hosts.
The programs are typically needed for these tasks:
- Moving a VOB from one Windows domain to another Windows domain
- Migrating a Windows NT domain to an Active Directory domain
- Moving a VOB from a Windows host to a UNIX host or vice versa
vob_siddump is a read-only version of vob_sidwalk. It can be executed on the VOB server or any client to list the security principal (user and group) names and SIDs stored in a VOB.
vob_sidwalk has all of the capabilities of vob_siddump and can also change SIDs in the VOB database. In addition, vob_sidwalk can be executed with the -recover_filesystem option to reset the protections on a VOB storage directory so that they are consistent with the SID of the VOB's owner and group.
RESTRICTIONS
vob_siddump has no restrictions. vob_sidwalk has the following restrictions:
Identities
You must have one of the following identities:
- VOB owner
- root (UNIX)
- Member of the ClearCase administrators group (ClearCase on Windows)
- Local administrator of the ClearCase LT server (ClearCase LT on Windows)
Locks
An error occurs if the VOB is locked.
Other
You must enter this command on the VOB server host.
OPTIONS AND ARGUMENTS
Read or Map SIDs
- Default
- None. These options are allowed with both vob_sidwalk and vob_siddump.
- –s·idhistory
- Generate a SID file of historical SID information stored in the VOB database. Write the current name and SID for each account to the new-name and new-SID fields of SIDfile-path and write the historical name and SID to the old-name and old-SID fields.
If either command is invoked without this option, it writes the current name and SID for each account to the old-name and old-SID fields of SIDfile-path, and the new-name field is always IGNORE.
- –u·nknown
- Map SIDs that cannot be resolved to an account in the domain. Any user SID that cannot be resolved is mapped to the SID of the VOB owner. Any group SID that cannot be resolved is mapped to the SID of the VOB's primary group. The mappings are written to the SID file.
- –p·rofile profile-path
- Write a list of all SIDs found in the VOB along with the database identifiers that describe objects owned by each SID. The list is written to the file in profile-path. Each line of the file has the format
metatype,dbid,user-name,user-SID,group-name,group-SID,mode,container...
where each field has the form:
This option can generate a large file in profile-path and consume significant resources on the VOB server host. This option cannot be used with any other option.
- –m·ap mapfile-path
- Force remapping of all SIDs in a VOB database as specified in the mapping file at mapfile-path. Details about the SID remappings for the VOB at vob-tag are written to SIDfile-path.
The mapping file contains one or more lines in the format
old-name,type,old-SID,new-name,type,new-SID
where each field has the form
You can use a SID file from a previous run of vob_sidwalk or vob_siddump as the basis of the mapping file. If you need to change the existing mapping (to reassign ownership of objects), edit the file to make any of the following changes:
- –raw·_sid
- Write SIDs in raw (unformatted) style. Use this option when generating a SID file on Windows in preparation for moving a VOB from Windows to UNIX.
Update SIDs
- Default
- Only read or map SIDs. Do not change anything in the VOB database unless the -execute option is present. These options are not allowed with vob_siddump.
- –e·xecute
- Modify SIDs stored in the VOB database. Unless the -execute option is used, vob_sidwalk logs, in the SID file, the changes that would have been made but does not actually change anything in a VOB database.
- –delete·_groups
- Remove any historical SIDs found in the group list of an identity-preserving replica. Historical SIDs are always removed from the group list of a non-replicated VOB or a non-identity-preserving replica. The Administrator's Guide provides details about how to use this option.
Logging
- Default
- No logging.
- –l·og logfile-path
- Write a log of SID reassignments. Each line of the file at logfile-path has the format
metatype,dbid,container,old-SID,reserved,new-SID
where each field has the form:
Fixing Storage Directory Protections
- Default
- Does not change protections.
- –recover·_filesystem
- Fix protections on VOB storage directory. This option is not supported with vob_siddump. With vob_sidwalk, it cannot be used with any other option.
VOB Tag
- Default
- None.
- vob-tag
- The VOB on which to operate.
SID File
- Default
- None.
- SIDfile-path
- A pathname at which the command should write the SID file. An error is returned if SIDfile-path exists or is not specified. Each line of the SID file has the format:
old-name,type,old-SID,new-name,type,new-SID,count
where each field has the form:
You can use the SID file as the mapping file when running either command with the -map option.
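A review step for an edited mapping file before it is passed to vob_sidwalk with -map and -execute, added here as an example and not part of the product or the original page. It reads the old-name,type,old-SID,new-name,type,new-SID layout (with or without the trailing count of a SID file) and reports lines still marked IGNORE, old SIDs mapped to more than one new SID, and new SIDs that take over objects from several old SIDs. Assumptions: the sample rows, account names and SID strings are constructed, fields contain no embedded commas, and a line whose new-name is IGNORE requests no remapping.

```python
import csv
from collections import defaultdict

# Constructed sample in the page's SID-file layout:
# old-name,type,old-SID,new-name,type,new-SID,count
SAMPLE = """\
OLDDOM\\alice,USER,S-1-5-21-1-1001,NEWDOM\\alice,USER,S-1-5-21-2-2001,40
OLDDOM\\bob,USER,S-1-5-21-1-1002,NEWDOM\\vobadm,USER,S-1-5-21-2-2000,12
OLDDOM\\carol,USER,S-1-5-21-1-1003,NEWDOM\\vobadm,USER,S-1-5-21-2-2000,7
OLDDOM\\dev,GROUP,S-1-5-21-1-1100,IGNORE,GROUP,S-1-5-21-1-1100,59
OLDDOM\\alice,USER,S-1-5-21-1-1001,NEWDOM\\eve,USER,S-1-5-21-2-2009,0
broken,line
"""

def review_mapping(text):
    """Return findings for a mapping or SID file supplied as text."""
    targets = defaultdict(set)  # old-SID -> new-SIDs it is mapped to
    sources = defaultdict(set)  # new-SID -> old-SIDs it absorbs
    findings = {"malformed": [], "ignored": []}
    for lineno, row in enumerate(csv.reader(text.splitlines()), start=1):
        if not row:
            continue  # blank line
        if len(row) not in (6, 7):  # mapping file: 6 fields, SID file: 7
            findings["malformed"].append(lineno)
            continue
        old_name, _, old_sid, new_name, _, new_sid = (f.strip() for f in row[:6])
        if new_name == "IGNORE":
            # Assumption: IGNORE means this account is left unmapped.
            findings["ignored"].append(old_name)
            continue
        targets[old_sid].add(new_sid)
        sources[new_sid].add(old_sid)
    # One old SID pointing at two different new SIDs is ambiguous.
    findings["conflict"] = sorted(s for s, t in targets.items() if len(t) > 1)
    # Several old SIDs collapsing into one new SID merges their ownership.
    findings["merged"] = {n: sorted(o) for n, o in sources.items() if len(o) > 1}
    return findings

if __name__ == "__main__":
    for kind, value in review_mapping(SAMPLE).items():
        print(kind, value)
```

The merged report also covers what -unknown produces by design, since every unresolved user SID is mapped to the VOB owner, so it shows how much ownership one account will hold after the change.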
EXAMPLES
The Administrator's Guide includes detailed procedures for using vob_sidwalk and vob_siddump. We recommend that you read them before using either of these programs.
SEE ALSO
Administrator's Guide