vob_sidwalk, vob_siddump

Reads or changes security identifiers in a schema version 54 VOB database

APPLICABILITY

Product        Command Type
ClearCase      administrative command
ClearCase LT   administrative command

Platform
UNIX
Windows

SYNOPSIS

vob_sidwalk [ -p·rofile profile-path ] | [ -s·idhistory ] [ -u·nknown ]
    [ -m·ap mapfile-path ] [ -l·og logfile-path ] [ -e·xecute ] [ -delete·_groups ] [ -raw·_sid ]
    vob-tag SIDfile-path
vob_sidwalk -recover·_filesystem vob-tag SIDfile-path
vob_siddump [ -p·rofile profile-path ] | [ -s·idhistory ] [ -u·nknown ] [ -raw·_sid ]
    [ -m·ap mapfile-path ] [ -l·og logfile-path ] vob-tag SIDfile-path

DESCRIPTION

vob_sidwalk and vob_siddump are administrative utilities that can be used to read or change security identifiers (Windows SIDs or UNIX UIDs and GIDs) stored in VOB databases that are formatted with schema version 54. vob_sidwalk is installed only on hosts that are configured to support local VOBs and views and to support VOB schema version 54. vob_siddump is installed on all hosts.

The programs are typically needed for these tasks:

vob_siddump is a read-only version of vob_sidwalk. It can be executed on the VOB server or any client to list the security principal (user and group) names and SIDs stored in a VOB.

vob_sidwalk has all of the capabilities of vob_siddump and can also change SIDs in the VOB database. In addition, vob_sidwalk can be executed with the -recover_filesystem option to reset the protections on a VOB storage directory so that they are consistent with the SID of the VOB's owner and group.

RESTRICTIONS

vob_siddump has no restrictions. vob_sidwalk has the following restrictions:

Identities: You must have one of the following identities:

Locks: An error occurs if the VOB is locked.

Other: You must enter this command on the VOB server host.

OPTIONS AND ARGUMENTS

READ OR MAP SIDS Default: None. These options are allowed with both vob_sidwalk and vob_siddump.

-s·idhistory

Generate a SID file of historical SID information stored in the VOB database. Write the current name and SID for each account to the new-name and new-SID fields of SIDfile-path and write the historical name and SID to the old-name and old-SID fields. If either command is invoked without this option, it writes the current name and SID for each account to the old-name and old-SID fields of SIDfile-path, and the new-name field is always IGNORE.

-u·nknown

Map SIDs that cannot be resolved to an account in the domain. Any user SID that cannot be resolved is mapped to the SID of the VOB owner. Any group SID that cannot be resolved is mapped to the SID of the VOB's primary group. The mappings are written to the SID file.
-p·rofile profile-path

Write a list of all SIDs found in the VOB along with the database identifiers that describe objects owned by each SID. The list is written to the file in profile-path. Each line of the file has the format

    metatype,dbid,user-name,user-SID,group-name,group-SID,mode,container...

where each field has the form:

metatype

The VOB metatype name, or one of the special names ROOT, TREE, or FILE for file system objects that have no dbid (database identifier)

dbid

Database identifier for this VOB object

user-name

User name of the object's owner

user-SID

String representation of user SID

group-name

Group name of the object's group

group-SID

String representation of group SID

mode

The object's access mode

container...

Pathname of the object's container file, if applicable

This option can generate a large file in profile-path and consume significant resources on the VOB server host. This option cannot be used with any other option.

-m·ap mapfile-path

Force remapping of all SIDs in a VOB database as specified in the mapping file at mapfile-path. Details about the SID remappings for the VOB at vob-tag are written to SIDfile-path.

The mapping file contains one or more lines in the following format.

    old-name,type,old-SID,new-name,type,new-SID

where each field has the form:

old-name

domain-name\account-name

new-name

One of domain-name\account-name, IGNORE, DELETE

type

One of USER, GROUP, GLOBALGROUP, LOCALGROUPONDC, LOCALGROUP

old-SID, new-SID

String representation of SID

You can use a SID file from a previous run of vob_sidwalk or vob_siddump as the basis of the mapping file. If you need to change the existing mapping (to reassign ownership of objects), edit the file to make any of the following changes:
  • Change the new-name field to IGNORE

No changes are made to this SID.

  • Change the new-name field to DELETE

The SID is changed to the SID of VOB owner or, if it is a group SID, the SID of the VOB's primary group.

  • Change the new-name field to the name of a user or group and remove the new-SID and second type fields.

Ownership of objects owned by the user or group named in old-name is reassigned to the user or group named in new-name.

  • Specify a different SID in the new-SID field.

Ownership of objects owned by the user or group identified by old-SID is reassigned to the user or group identified by new-SID (the type fields must match).

-raw·_sid

Write SIDs in raw (unformatted) style. Use this option when generating a SID file on Windows in preparation for moving a VOB from Windows to UNIX.

UPDATE SIDS Default: Only read or map SIDs. Do not change anything in the VOB database unless the -execute option is present. These options are not allowed with vob_siddump.

-e·xecute

Modify SIDs stored in the VOB database. Unless the -execute option is used, vob_sidwalk logs, in the SID file, the changes that would have been made but does not actually change anything in a VOB database.

-delete·_groups

Remove any historical SIDs found in the group list of an identity-preserving replica. Historical SIDs are always removed from the group list of a non-replicated VOB or a non-identity-preserving replica. The Administrator's Guide provides details about how to use this option.

LOGGING Default: No logging.

-l·og logfile-path

Write a log of SID reassignments. Each line of the file at logfile-path has the format

    metatype,dbid,container,old-SID,reserved,new-SID

where each field has the form:

metatype

The VOB metatype name, or one of the special names ROOT, TREE, or FILE for file system objects that have no dbid (database identifier)

dbid

Database identifier for this VOB object

container

Pathname of the object's container file, if applicable

old-SID

String representation of old SID

reserved

Reserved for future use

new-SID

String representation of new SID

FIXING STORAGE DIRECTORY PROTECTIONS Default: Does not change protections.

-recover·_filesystem

Fix protections on the VOB storage directory so that they are consistent with the SID of the VOB's owner and group. This option is not supported with vob_siddump. With vob_sidwalk, it cannot be used with any other option.

VOB-TAG Default: none

vob-tag

The VOB on which to operate.

SID FILE Default: none

SIDfile-path

A pathname at which the command should write the SID file. An error is returned if SIDfile-path exists or is not specified. Each line of the SID file has the format:

    old-name,type,old-SID,new-name,type,new-SID,count

where each field has the form:

old-name

domain-name\account-name

new-name

One of domain-name\account-name, DELETE

type

One of USER, GROUP, GLOBALGROUP, LOCALGROUPONDC, LOCALGROUP

old-SID, new-SID

String representation of SID

count

Number of objects with this owner

You can use the SID file as the mapping file when running either command with the -map option.
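As an added example, not part of the ClearCase documentation or tools: a Python checker that classifies each line of an edited mapping file by the edit rules given under -map (IGNORE, DELETE, name-only reassignment, explicit new-SID with matching type fields) before the file is handed to vob_sidwalk -map. The sample mapping text is constructed; VALID_TYPES is taken from the type field description, and the acceptance of 4-, 6- and 7-field lines (the last being an unedited SID-file line with its count) is an assumption drawn from the field layouts above, not from the tool itself.

```python
import csv
from io import StringIO

# Account types the page lists for the "type" field.
VALID_TYPES = {"USER", "GROUP", "GLOBALGROUP", "LOCALGROUPONDC", "LOCALGROUP"}

# Constructed sample: three edited lines, one unedited 7-field SID-file line,
# and one deliberate mistake (type fields that do not match).
SAMPLE_MAPPING = """\
EXAMPLE\\alice,USER,S-1-5-21-11-22-33-1001,NEWDOM\\alice
EXAMPLE\\devs,GROUP,S-1-5-21-11-22-33-2001,NEWDOM\\devs,GROUP,S-1-5-21-44-55-66-2001
EXAMPLE\\retired,USER,S-1-5-21-11-22-33-1002,DELETE
EXAMPLE\\build,USER,S-1-5-21-11-22-33-1003,IGNORE,USER,S-1-5-21-11-22-33-1003,17
EXAMPLE\\bob,USER,S-1-5-21-11-22-33-1004,NEWDOM\\bob,GROUP,S-1-5-21-44-55-66-1004
"""

def check_mapping_line(fields):
    """Classify one mapping line; returns (action, problem), problem None if OK."""
    if len(fields) < 4:
        return None, "too few fields"
    old_name, typ, old_sid, new_name = fields[:4]
    if typ not in VALID_TYPES:
        return None, "unknown type %r" % typ
    if new_name == "IGNORE":      # leave this SID untouched
        return "ignore", None
    if new_name == "DELETE":      # replaced by VOB owner / primary group SID
        return "delete", None
    if "\\" not in new_name:
        return None, "new-name must be domain-name\\account-name, IGNORE or DELETE"
    if len(fields) == 4:          # name only: new-SID and second type removed
        return "reassign-by-name", None
    if len(fields) in (6, 7):     # explicit new-SID; 7 = unedited SID-file line
        new_type, new_sid = fields[4], fields[5]
        if new_type != typ:
            return None, "type fields must match (%s vs %s)" % (typ, new_type)
        if not new_sid:
            return None, "empty new-SID"
        return "reassign-by-sid", None
    return None, "unexpected field count %d" % len(fields)

def check_mapping(text):
    """Return [(line_number, action, problem)] for every non-empty line."""
    results = []
    for lineno, fields in enumerate(csv.reader(StringIO(text)), start=1):
        if fields:
            action, problem = check_mapping_line(fields)
            results.append((lineno, action, problem))
    return results
```

Any line whose action is None should be corrected before running vob_sidwalk -map; a dry run without -execute still records what would change in the SID file.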

EXAMPLES

The Administrator's Guide includes detailed procedures for using vob_sidwalk and vob_siddump. We recommend that you read them before using either of these programs.

SEE ALSO

Administrator's Guide