NSR peer information resources contain the public keys for remote hosts used during RPCSEC_GSS authentication (nsrauth). When these resources get out of date, for example when a client regenerates its nsrauth keys by deleting its /nsr directory, GSS authentication will fail and a message similar to the following will be reported in the server's daemon log:
saturn.emc.com nsrexecd GSS critical An authentication request from mars.emc.com was denied. The 'NSR peer information' provided did not match the one stored by saturn.emc.com. To accept this request, delete the 'NSR peer information' resource with the following attributes from saturn.emc.com's NSRLA database: name: mars.emc.com; NW instance ID: 6fe7a9ed-00000004-d2685c01-56ba7471-00010c00-6c9ab329; peer hostname: mars.emc.com
To list the number of mismatched NSR peer information resources, run the following command on the NetWorker server:
# nsradmin -p nsrexec -C "NSR peer information"
To attempt to correct NSR peer information resource mismatches, run the following command on the NetWorker server:
# nsradmin -p nsrexec -C -y "NSR peer information"
Warning: This operation can compromise the security of a NetWorker server. If a malicious host could be installed on the server's network with the same name and IP address of an existing client, clearing the NSR peer information resource for the host on the server may erroneously delete the legitimate one, allowing the malicious client to replace the legitimate certificate with its own certificate, thereby allowing it to impersonate the legitimate client. For this to occur, the legitimate client must be powered off while the malicious client exists on the server's network. The customer should be made aware of this risk prior to executing the procedure.
Example output:
# nsradmin -p nsrexec -C "NSR peer information"
Validate "NSR peer information" resources
Synopsis: For each NSR peer information resource in saturn.emc.com's NSRLA database, verify the 'NW instance ID' and 'certificate' attributes match those found in the peer's NSRLA resource.
Peer 1 of 2
Hostname: mars.emc.com
Instance ID: 7dda5dc7-00000004-e064f199-56a140c6-00010c00-6c9ab329
* The "NSR peer information" resource for mars.emc.com in saturn.lss.emc.com's NSRLA database is out of date. The "NW instance ID" attribute does not match the one stored in mars.emc.com's NSRLA resource. To correct the problem, delete the NSR peer information resource for mars.emc.com in saturn.emc.com's NSRLA database.
Matching certificates: No
Peer 2 of 2
Hostname: jupiter.emc.com
Instance ID: 3900ad0a-00000004-f05b6935-56aba1de-00010c00-b6e8a329
Matching certificates: Yes
Summary:
NSR peer information resources checked: 2
RAP connect errors: 0
RAP query errors: 0
Resource mismatches: 1
Resources corrected: 0
Peers with mismatched certificates/instance IDs: mars.emc.com
Total errors: 1
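Because the -y auto-correction deletes every mismatched peer resource without asking which hosts legitimately regenerated their keys, an operator will usually want to review the validation report first and confirm that each mismatched peer is one that is known to have been rebuilt. The script below is an added example, not part of the KB article or of NetWorker itself. It parses a report in the format shown above (the report text is a constructed sample modelled on that output, with the same placeholder hostnames and instance IDs) and compares the mismatched peers against an operator-maintained list of hosts that are expected to have new nsrauth keys; the list itself is hypothetical. In real use the report would come from `nsradmin -p nsrexec -C "NSR peer information"` on the server instead of the embedded sample.

```shell
#!/bin/sh
# Constructed sample of "nsradmin -p nsrexec -C" output, modelled on the
# example in the article. Hostnames and instance IDs are placeholders.
SAMPLE_REPORT='Validate "NSR peer information" resources
Synopsis: For each NSR peer information resource in saturn.emc.com'"'"'s NSRLA database, verify the attributes match.
Peer 1 of 2
Hostname: mars.emc.com
Instance ID: 7dda5dc7-00000004-e064f199-56a140c6-00010c00-6c9ab329
* The "NSR peer information" resource for mars.emc.com is out of date.
Matching certificates: No
Peer 2 of 2
Hostname: jupiter.emc.com
Instance ID: 3900ad0a-00000004-f05b6935-56aba1de-00010c00-b6e8a329
Matching certificates: Yes
Summary:
NSR peer information resources checked: 2
RAP connect errors: 0
RAP query errors: 0
Resource mismatches: 1
Resources corrected: 0
Peers with mismatched certificates/instance IDs: mars.emc.com
Total errors: 1'

# mismatched_peers: read a validation report on stdin and print one
# "hostname instance-id" line for every peer whose certificate or
# instance ID did not match the server's stored resource.
mismatched_peers() {
    awk '
        /^Hostname: /                 { host = $2 }
        /^Instance ID: /              { id = $3 }
        /^Matching certificates: No/  { print host, id }
    '
}

# mismatch_count: extract the "Resource mismatches" value from the Summary
# block, so the per-peer list can be cross-checked against the total.
mismatch_count() {
    awk -F': ' '/^Resource mismatches: / { print $2 }'
}

# unexpected_mismatches: print mismatched peers that are NOT in the
# operator-approved list passed as $1 (hypothetical, space-separated list of
# hosts known to have regenerated their nsrauth keys, e.g. after a rebuild).
# Anything printed here deserves investigation before running -y, because
# an unexplained key change is exactly what a host impersonation looks like.
unexpected_mismatches() {
    approved=" $1 "
    mismatched_peers | while read -r host id; do
        case "$approved" in
            *" $host "*) ;;          # expected: host was rebuilt
            *) echo "$host" ;;       # unexpected: review before correcting
        esac
    done
}

# Demonstration on the constructed sample. In production, replace the
# printf with: nsradmin -p nsrexec -C "NSR peer information"
echo "Mismatched peers (hostname, instance ID):"
printf '%s\n' "$SAMPLE_REPORT" | mismatched_peers
echo "Reported mismatch total: $(printf '%s\n' "$SAMPLE_REPORT" | mismatch_count)"
echo "Unexpected mismatches given approved list 'jupiter.emc.com':"
printf '%s\n' "$SAMPLE_REPORT" | unexpected_mismatches 'jupiter.emc.com'
```

Only when `unexpected_mismatches` prints nothing for the current approved list is it reasonable to run the -y form from the procedure above; a host that shows up unexpectedly should be confirmed out of band (for example, by checking whether its /nsr directory was actually recreated) before its stored peer resource is discarded.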
NetWorker: How to use nsradmin -C resource validation
The nsradmin -C and -y options were introduced in the following NetWorker versions:
EMC NetWorker 8.2.1.2
EMC NetWorker 8.1.3
EMC NetWorker 8.0.4.4
| Command | Availability |
|---|---|
| nsradmin -C "type: NSR client" | 8.2.1, 8.2.0.3, 8.1.2, 8.0.4.2 and later |
| nsradmin -p nsrexecd -C "type: NSR peer information" | 8.2.1, 8.2.0.3, 8.1.2, 8.0.4.2 and later |
| nsradmin -C "type: NSR usergroup" | 8.2.1, 8.2.0.4, 8.1.2.2, 8.0.4.4 and later |
| nsradmin -C "type: NSR storage node" | 8.2.2 and later |
| auto-correction using -y | 8.2.1.2, 8.1.3, 8.0.4.4 and later |
| Visual mode on Windows | 8.2.2, 9.1 and later |