IBM Support

Recovering ClearCase functionality after users and groups moved to a new domain

Question & Answer


Question

How to recover IBM® Rational® ClearCase® functionality when users and groups have been moved to another Microsoft® Windows® Domain?

Answer

Overview

This technote addresses a situation in which users and groups have been moved to a new Windows domain, with a negative impact on the ClearCase objects associated with their original domain accounts.

As a result of the change, ClearCase objects such as VOB storage, View storage, elements, and metadata will all need to be reprotected so that their ownership properly reflects the SIDs of the users and groups in the new domain.


Legend

In the text below these references are used:

  • "clearcase group" = ClearCase administrators group that is used by your site.
  • "clearcase_albd" = ClearCase service account used by your site.
  • "vobadmin" = User account that has ClearCase administrator privileges.
  • "ccusers" = ClearCase users non-admin group


  1. Verify that the clearcase_albd account, the ClearCase administrator account, Users group and the ClearCase administrators group are correctly set up in the NEW_DOMAIN. Make sure you can successfully log in to the NEW_DOMAIN as the clearcase_albd user, and make note of the password for that user, which will be required in later steps.

    Important: The user accounts should have their primary group set to the ClearCase users group (which is not the ClearCase administrators group).

    Refer to the Privileged users and groups section of the IBM Rational ClearCase Administrator's Guide for additional information about these users and groups.

  2. Add the clearcase_albd user and any ClearCase administrator user accounts to the NEW_DOMAIN\clearcase group (which is the ClearCase administrators group).

    Refer to technote 1146253 "About ClearCase privileged users on Windows" for supplemental information about these accounts that have ClearCase administrative privileges.

  3. On EVERY Windows ClearCase client that has the ability to create local views and VOBs (as noted in ClearCase Doctor), you must edit the Windows Service named Atria Location Broker. On the 'Log On' tab for this service, you will need to change the old clearcase_albd user to the NEW Domain and NEW clearcase_albd user with its valid password. This change requires local administrator privileges.

    From the Windows Control Panel:
    1. Open Administrative Tools > Services
    2. Double-click the Atria Location Broker service
    3. Select the Log On tab
    4. Update the Logon account information:

      The account should be Domain qualified (NEW_DOMAIN\clearcase_albd) and the correct user password must be entered and confirmed for the clearcase_albd.



  4. On EVERY Windows ClearCase client AND server machine, you must edit the ClearCaseGroupName registry key to identify the new Domain qualified clearcase group in the new domain (NEW_DOMAIN\clearcase).

    CAUTION: The following directions require you to edit the registry using the Windows Registry Editor. However, editing the Windows Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Use Registry Editor at your own risk. Before proceeding review the Microsoft article, 256986 - Description of the Microsoft Windows Registry.

    The ClearCaseGroupName registry key is located under:
    HKEY_LOCAL_MACHINE\Software\Atria\ClearCase\CurrentVersion

    The registry key is created automatically for ClearCase and is used to specify the name of the privileged group used by ClearCase, such as: ClearCaseGroupName: REG_SZ : NEW_DOMAIN\clearcase


    Note: For Windows 64-bit hosts (supported with ClearCase 7.0 or later) the ClearCaseGroupName registry key is located under:

    HKEY_LOCAL_MACHINE\Software\WOW6432Node\Atria\ClearCase\CurrentVersion


  5. If moving VOBs from one Windows VOB server to another Windows VOB server along with the domain change, you must ignore Steps 6 through 12, and instead, follow the steps under Moving a VOB to a different Domain in IBM Rational ClearCase Administrator's Guide.

  6. Log in as a ClearCase administrator on the VOB server and run the command 'cleartool protectvob' on every VOB to change to the new domain user and group owner. Answer "y" (yes) to both questions you are prompted with.

    Example:

    In this example, the "vobadmin" ClearCase admin account is being used and the ClearCase users group "ccusers" is that user's primary group. The command will look like the following for a VOB called Ghost:
    "cleartool protectvob -chown vobadmin -chgrp ccusers \\ccserver\ccstg_d\VOBs\Ghost.vbs"

    Verify the change with a describe of the VOB:
    "cleartool describe -l vob:\Ghost"

  7. On the VOB server, stop the ClearCase services in the ClearCase Control panel.



  8. Run fix_prot to fix the protections on the VOB storage directory.

    Note: Steps 9 through 12 below are further explained in the IBM Rational ClearCase Administrator's Guide under Fixing Protection Problems; refer to the manual for any examples or additional information.

    cc-home-dir\etc\utils> fix_prot -r -root -chown vobadmin -chgrp ccusers \\ccserver\ccstg_d\VOBs\Ghost.vbs

    Refer to:
    • Technote 1142606 About fix_prot for supplemental information about using the fix_prot command.
    • Technote 1143292 About ClearCase permissions on Windows for additional permissions requirements.

  9. On the VOB server, re-start the ClearCase services in the ClearCase Control panel.



  10. Run the scrubber utility to remove cleartext containers that don't need to be reprotected.
    Example:
    scrubber -e -k cltxt \\ccserver\ccstg_d\VOBs\Ghost.vbs

  11. Reprotect ALL elements and metadata for each of the VOBs. You will do this by running the vob_sidwalk command. Be sure to read and understand the reference manual page for vob_sidwalk before completing this step. (From the command line you can bring up the reference manual page by typing 'cleartool man vob_sidwalk'.)

    Example:

    In the following scenario we are reassigning ownership to the VOB owner and group that were set in Step 6 above.

    To reassign ownership of all objects in the VOB to the new SIDs of the VOB owner and group, use a command like the following:

    vob_sidwalk -unknown -execute vob-tag SIDfile-path

    When invoked with the -unknown and -execute options, vob_sidwalk maps unresolvable user SIDs to the SID of the VOB owner and maps unresolvable group SIDs to the SID of the VOB’s group.

    The SIDfile-path is the location to create the vob_sidwalk file.

    Make sure you first read and understand the reference manual page for vob_sidwalk before proceeding with running this command.

    Note: If you are running vob_sidwalk against a VOB that is a ClearCase MultiSite replica sibling, the changes are not propagated to other siblings in the replica family. Refer to technote 11944774 (About vob_sidwalk changes and propagation between MultiSite replicas) for further details.

  12. Run the checkvob utility to fix storage pool protections if checkvob reports any problems with protections.

    cleartool checkvob -protections -pool \\ccserver\ccstg_d\VOBs\Ghost.vbs
    cleartool checkvob -force -fix -protections -pool \\ccserver\ccstg_d\VOBs\Ghost.vbs

  13. On EVERY Windows ClearCase client AND server machine that has a CLEARCASE_PRIMARY_GROUP user environment variable setting, change the value to the new domain's ClearCase users group (such as ccusers in this example). If the CLEARCASE_PRIMARY_GROUP user environment variable does not exist and the group is not currently set as the Windows user's primary group, then you MUST create it exactly as shown here (all capital letters with underscores between them). The variable should be Domain qualified as NEW_DOMAIN\ccusers.

    To view or change environment variables:
    1. Right-click My Computer, and then click Properties.

    2. Click the Advanced tab.

    3. Click Environment Variables.

    4. Click one of the following options, for a user variable:
      • Click New to add a new variable name and value.
      • Click an existing variable, and then click Edit to change its name or value.
      • Click an existing variable, and then click Delete to remove it. On Windows 2000

  14. ALL views owned by the users or groups that moved to the new domain will need to be reprotected following the steps below for each view:
    1. Log in as the ClearCase admin user from the view host.

    2. Take ownership (using standard Windows functionality) of the groups.sd and identity.sd files within the view storage directory for each view (such as, myview.vws), and move these 2 files to a temporary directory.

    3. Stop the ClearCase services in the ClearCase Control Panel as noted in step 7 above.

    4. Run the fix_prot command as follows, which is similar to step 9 above except this occurrence is against a view storage:

      fix_prot -r -root -chown <viewowner> -chgrp <viewgroup> <unc-path-to-view>

      This will recreate the identity.sd file and groups.sd file and re-establish protections on the view. After this is successful, you can delete the OLD identity.sd file and groups.sd files that were previously moved to a temporary location.

    5. Start the ClearCase services in the ClearCase Control Panel. Refer to technote 1143292 About ClearCase permissions on Windows for additional permission requirements.

  15. Test ClearCase functionality to ensure that all operations and access have been restored.
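
A per-host check of the settings changed in steps 3, 4 and 13, added here as an example (it is not part of the IBM technote). It reports whether the Atria Location Broker logon account, the ClearCaseGroupName value under both registry paths, and CLEARCASE_PRIMARY_GROUP point at the new domain and resolve to a SID. NEW_DOMAIN, clearcase_albd, clearcase and ccusers are the placeholder names from the Legend; the function names are illustrative.

```powershell
# Added example: audit of the host settings from steps 3, 4 and 13.
# Defaults are the technote's placeholder names; pass your site's real values.
param(
    [string]$Domain      = 'NEW_DOMAIN',
    [string]$AlbdAccount = 'clearcase_albd',
    [string]$AdminGroup  = 'clearcase',
    [string]$UsersGroup  = 'ccusers'
)

function Test-Resolves([string]$Name) {
    # An account name that cannot be translated to a SID cannot own or protect objects.
    try {
        [void]([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier])
        return $true
    } catch { return $false }
}

function New-Finding($Check, $Expected, $Actual) {
    [pscustomobject]@{
        Check    = $Check
        Expected = $Expected
        Actual   = $Actual
        Match    = ($null -ne $Actual) -and ($Actual -ieq $Expected)
        Resolves = if ($Actual) { Test-Resolves $Actual } else { $false }
    }
}

$findings = @()

# Step 3: logon account of the Atria Location Broker service (matched by display name).
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='Atria Location Broker'"
$findings += New-Finding 'ALBD service logon' "$Domain\$AlbdAccount" $svc.StartName

# Step 4: ClearCaseGroupName under the native and the WOW6432Node registry paths.
foreach ($key in 'HKLM:\Software\Atria\ClearCase\CurrentVersion',
                 'HKLM:\Software\WOW6432Node\Atria\ClearCase\CurrentVersion') {
    if (Test-Path $key) {
        $value = (Get-ItemProperty -Path $key -Name ClearCaseGroupName `
                  -ErrorAction SilentlyContinue).ClearCaseGroupName
        $findings += New-Finding "ClearCaseGroupName ($key)" "$Domain\$AdminGroup" $value
    }
}

# Step 13: CLEARCASE_PRIMARY_GROUP for the user running this script, if it is set.
$cpg = [Environment]::GetEnvironmentVariable('CLEARCASE_PRIMARY_GROUP', 'User')
if ($cpg) { $findings += New-Finding 'CLEARCASE_PRIMARY_GROUP' "$Domain\$UsersGroup" $cpg }

$findings | Format-Table -AutoSize -Wrap
```

Any row with Match or Resolves set to False identifies a host setting that still references the old domain or names an account the host cannot resolve.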


Document Information

Modified date:
16 June 2018

UID

swg21150345