Reads or changes security identifiers in a schema version 54 VOB database
Product | Command Type |
---|---|
ClearCase | administrative command |
ClearCase LT | administrative command |
Platform |
---|
UNIX |
Windows |
Read or change security identifiers in a VOB database:
Recover VOB storage directory protections:
Read security identifiers in a VOB database:
vob_sidwalk and vob_siddump are administrative utilities that can be used to read or change security identifiers (Windows SIDs or UNIX UIDs and GIDs) stored in VOB databases that are formatted with schema version 54. vob_sidwalk is installed only on hosts that are configured to support local VOBs and views and to support VOB schema version 54. vob_siddump is installed on all hosts.
The programs are typically needed for these tasks:
Moving a VOB from one Windows domain to another Windows domain
Migrating a Windows NT domain to an Active Directory domain
Moving a VOB from a Windows host to a UNIX host or vice versa
vob_siddump is a read-only version of vob_sidwalk. It can be executed on the VOB server or any client to list the security principal (user and group) names and SIDs stored in a VOB.
vob_sidwalk has all of the capabilities of vob_siddump and can also change SIDs in the VOB database. In addition, vob_sidwalk can be executed with the -recover_filesystem option to reset the protections on a VOB storage directory so that they are consistent with the SID of the VOB's owner and group.
vob_siddump has no restrictions. vob_sidwalk has the following restrictions:
Identities: You must have one of the following identities:
VOB owner
root (UNIX)
Member of the ClearCase administrators group (ClearCase on Windows)
Local administrator of the ClearCase LT server (ClearCase LT on Windows)
Locks: An error occurs if the VOB is locked.
Other: You must enter this command on the VOB server host.
READ OR MAP SIDS
Default: None. These options are allowed with both vob_sidwalk and vob_siddump.
where each field has the form:
metatype | The VOB metatype name, or one of the special names ROOT, TREE, or FILE for file system objects that have no dbid (database identifier) |
dbid | Database identifier for this VOB object |
user-name | User name of the object's owner |
user-SID | String representation of user SID |
group-name | Group name of the object's group |
group-SID | String representation of group SID |
mode | The object's access mode |
container... | Pathname of the object's container file, if applicable |
old-name,type,old-SID,new-name,type,new-SID
where each field has the form:
old-name | domain-name\account-name |
new-name | One of domain-name\account-name, IGNORE, DELETE |
type | One of USER, GROUP, GLOBALGROUP, LOCALGROUPONDC, LOCALGROUP |
old-SID, new-SID | String representation of SID |
| No changes are made to this SID. |
| The SID is changed to the SID of VOB owner or, if it is a group SID, the SID of the VOB's primary group. |
| Ownership of objects owned by the user or group named in old-name is reassigned to the user or group named in new-name. |
| Ownership of objects owned by the user or group named in old-SID is reassigned to the user or group named in new-SID (type fields must match). |
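
A pre-flight check for a mapping file in the old-name,type,old-SID,new-name,type,new-SID format described above, so that malformed or mismatched lines are caught before any SIDs are changed. This is an added example, not part of the original documentation or of ClearCase. It assumes Windows-style string SIDs (S-1-...), that IGNORE means "no changes" and DELETE means "reassign to the VOB owner or primary group" (the pairing the descriptions above suggest), and the function names and sample accounts are constructed for illustration.

```python
import re

TYPES = {"USER", "GROUP", "GLOBALGROUP", "LOCALGROUPONDC", "LOCALGROUP"}
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")      # assumption: Windows string SIDs
NAME_RE = re.compile(r"^[^\\,]+\\[^\\,]+$")   # domain-name\account-name

# Constructed sample mapping file (not taken from a real VOB).
SAMPLE = r"""OLDDOM\alice,USER,S-1-5-21-1111-2222-3333-1001,NEWDOM\alice,USER,
OLDDOM\builders,GLOBALGROUP,S-1-5-21-1111-2222-3333-2001,IGNORE,,
OLDDOM\bob,USER,S-1-5-21-1111-2222-3333-1002,DELETE,,
OLDDOM\devs,GROUP,S-1-5-21-1111-2222-3333-2002,,USER,S-1-5-21-4444-5555-6666-2002
OLDDOM\carol,USER,S-1-5-21-1111-2222-3333-1003,NEWDOM\carol,USER
"""

def check_line(line):
    """Return (action, problems) for one mapping line."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 6:
        return "invalid", ["expected 6 comma-separated fields, got %d" % len(fields)]
    old_name, old_type, old_sid, new_name, new_type, new_sid = fields
    problems = []
    if not NAME_RE.match(old_name):
        problems.append("old-name is not domain-name\\account-name")
    if old_type not in TYPES:
        problems.append("unknown old type %r" % old_type)
    if not SID_RE.match(old_sid):
        problems.append("old-SID is not a string SID")
    if new_name == "IGNORE":
        action = "ignore"
    elif new_name == "DELETE":
        action = "reassign-to-vob-owner"      # assumed meaning, see lead-in
    elif new_name:
        action = "reassign-by-name"
        if not NAME_RE.match(new_name):
            problems.append("new-name is not domain-name\\account-name")
    elif new_sid:
        action = "reassign-by-sid"
        if not SID_RE.match(new_sid):
            problems.append("new-SID is not a string SID")
        if new_type != old_type:              # "type fields must match"
            problems.append("type fields must match")
    else:
        return "invalid", problems + ["no new-name or new-SID given"]
    return action, problems

def review(text):
    """Check every non-blank line; return [(line_number, action, problems)]."""
    return [(n, *check_line(l)) for n, l in enumerate(text.splitlines(), 1) if l.strip()]

if __name__ == "__main__":
    for n, action, problems in review(SAMPLE):
        print(n, action, "; ".join(problems) or "ok")
```

Lines reported as reassign-to-vob-owner deserve a manual look before the file is applied, because they move ownership away from the original principal.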
UPDATE SIDS
Default: Only read or map SIDs. Do not change anything in the VOB database unless the -execute option is present. These options are not allowed with vob_siddump.
where each field has the form:
metatype | The VOB meta-type name, or one of the special names ROOT, TREE, or FILE for file system objects that have no dbid (database identifier) |
dbid | Database identifier for this VOB object |
container | Pathname of the object's container file, if applicable |
old-SID | String representation of old SID |
reserved | Reserved for future use |
new-SID | String representation of new SID |
FIXING STORAGE DIRECTORY PROTECTIONS
Default: Does not change protections.
where each field has the form:
old-name | domain-name\account-name |
new-name | One of domain-name\account-name, DELETE |
type | One of USER, GROUP, GLOBALGROUP, LOCALGROUPONDC, LOCALGROUP |
old-SID, new-SID | String representation of SID |
count | Number of objects with this owner |
The Administrator's Guide includes detailed procedures for using vob_sidwalk and vob_siddump. We recommend that you read them before using either of these programs.
Generate a SID file showing the old and new SIDs of security principals after a domain migration, but do not change any SIDs.
vob_sidwalk -sidhistory vob-tag SIDfile-path
Replace the historical SIDs stored in the VOB database with new ones that resolve to the appropriate security principals in the Active Directory domain.
vob_sidwalk -sidhistory -execute vob-tag SIDfile-path
Reassign ownership of objects in the VOB by mapping all existing SIDs to the new SIDs of the VOB owner and group.
vob_sidwalk -unknown -execute vob-tag SIDfile-path
NOTE: If you are using UCM, you may not want to reassign ownership with -unknown. Reassigning an open activity to the VOB owner will make it unusable by its creator (unless it was created by the VOB owner).
Recover the ACLs on the VOB storage directory and container files, and also correct the SIDs for the VOB's supplementary group list.
vob_sidwalk -recover_filesystem vob-tag SIDfile-path
Copyright © 2001 by Rational Software Corporation. All rights reserved.