I am planning to setup Clearcase for version control in our project, but I am new to Clearcase and has few very basic questions about it.
Some background: we are using Windows platform
Is it possible to install Clearcase server (the VOBS server) in Windows XP?
How do Clearcase authenticate user? Can I logon to my Clearcase client with local account instead of domains account?
Yes, you can. See this "System Requirement" page for ClearCase 7.1.x: Windows Xp (SP2 and SP3) is still supported.
ClearCase will use the login of your current session as credential, and whatever group you will have declared in the CLEARCASE_PRIMARY_GROUP environment variable:
See the "about CLEARCASE_PRIMARY_GROUP variable" technote (if not set, your group will default to "Domain Users").
See this technote for more about permission for a Windows environment with ClearCase object: the creds.exe utility is useful to check one's credential as detected and used by ClearCase.
Possible if you expect users to log on locally...if your going for an enterprise setup,
you should explore the server & domain setup such that you can take advantage of ClearCase's
distributed architecture and all the benefits...having said that :)
Yes its possible (maybe you want to test/experiment/toy with it..)
you will need to create:
clearcase_albd account (clearcase system account)
A ClearCase local group (clearcase_albd as member)
A clearusr local group (normal user group)
During install you will be asked for these values...
Note post install ClearCase doctor will nag you with the fact that its not on a domain...can ignore
But it will work.
Good luck
Jim2
Related
I am a Caché admin so I have have all access to the system managment portal. I would like to use Caché studio but my login doesn't seem to be setup properly for that. I am new to Caché, only been using it for 2 months now, I am learning the Jargon. So things may be flying over my head as I sift through manuals.
Is it possible for me to create the credentials in the system management portal so that I may access Caché Studio?
I'm using Caché 2010.2 and I have Caché Studio and Terminal installed.
From my research, I have gathered:
To log in to Studio, you need to use a user who holds the following privileges: %Development:Use and %Service_Object:Use
My system management portal (SMP) Id has %all privileges and I added in those 2 privledges for the heck of it to no avail.
You can only connect to a namespace that you have R/W permission to in the default database.
Our database is used by one application. I already have R/W for the application database. When I open up Studio, the only namespace that I see is: CACHE (localhost(1972)). I assume that it's the whole system database. I then granted my Id R/W access to it to no avail. Also everything is happening locally, I am doing all of this on the db server.
I tried the default logins (leaving Username and Password blank) and the default system login, to no avail.
I am the only one at my organization administering this database.
I would like to gain access to our own Caché studio.
Try this:
Caché cube -> Preferred server -> Add/Edit
Add the server with the System Management Portal (SMP) here. Give it any name, copy the IP.
Set ports to 1972(1973), 23, 57772(57773), authentication to password, everything else blank.
If I'm right, you have the SMP address in browser's bookmarks, not the Caché cube. When you do this, you should be able to open Studio from Caché cube and SMP or Terminal, too.
If the ports differ, try to find the right ports in the SMP. The portal changed a lot, so I can't really say where you should look for it, I have Ensemble 2012 on my work PC.
Predefined User Accounts
use
login: _SYSTEM
pass: SYS
I believe you are trying to connect to a wrong server. localhost:1972 is your local computer. To add a new server to that list, go to cache cube -> Remote access -> add/delete... and add your real server.
Or, just press "connect..." button in that Studio dialogue and enter server info there.
click in the bottom of windows bar next to hour. And then you will see Studio in the context menu
welcome !
I have found an answer (there may be more).
I had no Caché studio and terminal access because these services in the System Management Portal (SMP) under "Home>Security Management>Services" were set to delegated only: %Service_Bindings and %Service_Console. %Service_Bindings is the service that controlled access to caché studio. My caché admin account is not a delegated account. The default account _SYSTEM is not enabled (Home>Security Management>Users). I have tried enabling the account but something in the background seems to lock it after I do that - I have yet to find out what that is (new to Caché). It's probably not a good idea to have the default account enabled anyways.
Now, after editing the definition for service %Service_Bindings to allow a password authentication method, I can now use my Caché admin credentials to get into Caché Studio.
To edit service defintions through the SMP, follow these menu breadcrumbs: "Home>Security Management>Services" then click on the service that you wish to edit. In Caché 2010.2, there's 3 authentication methods that you can use for each serivce: unauthenticated, password, delegated.
If anyone has a better solution please inform!
Sorry for my English. When installed, the program asks for a password, write to the SYS. Then you can go without a shed under the account "Admin"
I've generated an AD-LDS instance on a Windows Server 2008 R2 and successfully connected to it via ADSI Edit on a windows 7 machine (both computers are situated on the same domain).
My goal is to create a lightweight .NET program that will be run by all domain users and determine whether a specific user can or cannot perform a certain action (roles & groups).
So far i've managed to write most of it, but i'm now facing a small security issue: althought no credentials are required when running from the server itself, when running from another user (in the same domain, ofcourse), LDS connection requires the instance's administrator credentials - and i'm not too keen to leave this kind of thing lie around in my code.
I've search the web quite a lot for a way to bypass that (Active Directory binding? / SimpleBinding?), but all solutions i found involved SSL and certificate installations.
Is there a simple way for a user in the domain to connect the LDS instance without exposing his/the server's credentials?
Thanks.
Have you looked at permissions in the instance itself? There are groups you can add principals to. It sounds like you're running the code locally as the user that installed LDS which by default gets all sorts of perms, but other users were not granted enough rights (secure by default and all that).
I am having trouble shutting down a local oracle database. I've googled the problem, and the SYSTEM user I am using is in the ora_dba domain, and I also noticed that I need the sqlnet.ora in my ORACLE_HOME/network/admin folder, but I do not have a network/admin folder in my oracle home. All I have is a middleware folder. I am installing all of this to be able to publish a BPEL process to a local weblogic instance, and this has taken me a little over two days just trying to get this all set up. I am starting to get a bit frustrated lol. Here's the error I am getting below:
In order to startup/shutdown the oracle instance you need extended privileges - Oracle database SYS privileges.
As soon as your Windows user DOMAIN\user has been granted group 'ora_dba', you are authorized on the OS-level to log into the database as user SYS.
C:\>sqlplus / as sysdba
SQL>show user
SQL>USER is "SYS"
SQL>shutdown immediate
I have a legacy USB device driver which reads and writes data from and to the Windows registry to HKEY_LOCAL_MACHINE/SOFTWARE/COMPANY/PRODUCT.
I am not able to change this so I need a workaround because I noticed that on Windows Vista and Windows 7 with UAC enabled the function that performs the write returns an error. My guess is that is simply has no access rights.
My current workaround is to launch my application with administrative privileges but as you might guess this is not a very nice solution. Since the registry is accessed when the USB device is initialized when the application starts I also cannot simply request a relaunch.
I know that I can give access rights to certain folders on the system with cacls from my installer (which runs with administrative privileges) but is there something similar I can do to grant this to this specific registry entry? (I would like both grant and revoke commands.)
Giving non-admin users write permissions to HKLM should be avoided. If you still need to do it, however, you could use SetACL to set/remove permissions. SetACL is available as a standalone command-line executable and as a COM object.
I'm running an IIS 7 Website with an AppPool of Integrated Pipeline Mode.
The AppPools does NOT run under NetworkService, etc.. identity (by purpose), but uses its own AppPool Identitiy (IIS AppPool\MyAppPool).
This is a so called service account or virtual account.
(a user account, which is not a full account...)
I'd like to give this service account (IIS AppPool\MyAppPool) permissions to connect to my SQL Server 2008 Express (running in Mixed Auth. Mode).
While SQL Server can add any normal user account, the IIS AppPool\MyAppPool virtual account cannot be added to the valid logons (SQL Server says, that the account cannot be found).
Is there any trick, anything I need to enable to make the virtual accounts work?
(the w3wp.exe process runs under this identity according to taskmgr, but I cannot use the account in NTFS security either...)
Thanks for your help!
The "IIS APPPOOL\AppPoolName" will work, but as mentioned previously, it does not appear to be a valid AD name so when you search for it in the "Select User or Group" dialog box, it won't show up (actually, it will find it, but it will think its an actual system account, and it will try to treat it as such...which won't work, and will give you the error message about it not being found).
How I've gotten it to work is:
In SQL Server Management Studio, look for the Security folder (the security folder at the same level as the Databases, Server Objects, etc. folders...not the security folder within each individual database)
Right click logins and select "New Login"
In the Login name field, type IIS APPPOOL\YourAppPoolName - do not click search
Fill whatever other values you like (i.e., authentication type, default database, etc.)
Click OK
As long as the AppPool name actually exists, the login should now be created.
CREATE LOGIN [IIS APPPOOL\MyAppPool] FROM WINDOWS;
CREATE USER MyAppPoolUser FOR LOGIN [IIS APPPOOL\MyAppPool];
You can solve like this,
Open "Applications Pools",
You should right click that you have choosed application pool. Then choose
"Advanced Settings".
Click three point on the Identity tab then you should choose "LocalSystem" from field of "Built-in-account"
If you do this way, you don't need to create a user in database.
If you're going across machines, you either need to be using NETWORK SERVICE, LOCAL SYSTEM, a domain account, or a SQL 2008 R2 (if you have it) Managed Service Account (which is my preference if you had such an infrastructure). You can not use an account which is not visible to the Active Directory domain.
As a side note processes that uses virtual accounts (NT Service\MyService and IIS AppPool\MyAppPool) are still running under the "NETWORK SERVICE" account as this post suggests http://www.adopenstatic.com/cs/blogs/ken/archive/2008/01/29/15759.aspx. The only difference is that these processes are members of the "NT Service\MyService" or "IIS AppPool\MyAppPool" groups (as these are actually groups and not users). This is also the reason why the processes authenticate at the network as the machine the same way NETWORK SERVICE account does.
The way to secure access is not to depend upon this accounts not having NETWORK SERVICE privileges but to grant more permissions specifically to "NT Service\MyService" or "IIS AppPool\MyAppPool" and to remove permissions for "Users" if necessary.
If anyone has more accurate or contradictional information please post.
Look at: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
USE master
GO
sp_grantlogin 'IIS APPPOOL\<AppPoolName>'
USE <yourdb>
GO
sp_grantdbaccess 'IIS APPPOOL\<AppPoolName>', '<AppPoolName>'
sp_addrolemember 'aspnet_Membership_FullAccess', '<AppPoolName>'
sp_addrolemember 'aspnet_Roles_FullAccess', '<AppPoolName>'
This may be what you are looking for...
http://technet.microsoft.com/en-us/library/cc730708%28WS.10%29.aspx
I would also advise longer term to consider a limited rights domain user, what you are trying works fine in a silo machine scenario but you are going to have to make changes if you move to another machine for the DB server.
I figured it out through trial and error... the real chink in the armor was a little known setting in IIS in the Configuration Editor for the website in
Section: system.webServer/security/authentication/windowsAuthentication
From: ApplicationHost.config <locationpath='ServerName/SiteName' />
called useAppPoolCredentials (which is set to False by default. Set this to True and life becomes great again!!! Hope this saves pain for the next guy....
In my case the problem was that I started to create an MVC Alloy sample project from scratch in using Visual Studio/Episerver extension and it worked fine when executed using local Visual studio iis express.
However by default it points the sql database to LocalDB and when I deployed the site to local IIS it started giving errors some of the initial errors I resolved by:
1.adding the local site url binding to C:/Windows/System32/drivers/etc/hosts
2. Then by editing the application.config found the file location by right clicking on IIS express in botton right corner of the screen when running site using Visual studio and added binding there for local iis url.
3. Finally I was stuck with "unable to access database errors" for which I created a blank new DB in Sql express and changed connection string in web config to point to my new DB and then in package manager console (using Visual Studio) executed Episerver DB commands like -
1. initialize-epidatabase
2. update-epidatabase
3. Convert-EPiDatabaseToUtc
For the ApplicationPoolIdentity, add a login/user in MSSQL as IIS_IUSRS which is corresponding to the default pool.