How to backup NICI 2.7.x and 2.6.x

  • 3890146
  • 08-Oct-2007
  • 26-Apr-2012

Environment

NICI 2.6.x
NICI 2.7.x
Novell Modular Authentication Service version 2.3
Novell Modular Authentication Service version 3.x
Novell eDirectory 8.7.3 and 8.8 for All Platforms
SUSE LINUX Enterprise Server 9
Microsoft Windows Server
Novell NetWare 6.5
Novell NetWare 6.0
Novell NetWare 5.1

Situation

How to backup NICI 2.7.x and 2.6.x

Additional Information

Backing Up NICI

NICI stores keys and user data in the file system and in system and user-specific directories and files. The NICI installation program protects these directories and files by setting the proper permissions on them using the mechanism provided by the operating system. Uninstalling NICI from the system does not remove the system or user directories and files; therefore, the only reason to restore these files to a previous state is to recover from a catastrophic system failure or a human error. Also, overwriting an existing set of NICI user directories and files may break an existing application.

Backing up and restoring NICI requires two things:
1. Backing up and restoring directories and files.
2. Backing up and restoring specific user rights on those directories and files.

The exact sequence of events required is platform dependent.
When you back up and restore NICI, it is critical that you maintain the exact permissions on the directories and files. NICI's operation and the security it provides depend on these permissions being set properly.

Typical commercial backup software should preserve permissions on the NICI system and user directories and files. You should check your commercial backup software to see if it does the job before doing a custom backup of NICI.

You should always back up the existing NICI directory structure and its contents, if any, before doing a restore. If you lose the machine key, it is unrecoverable. Since the user data and keys could be encrypted using the machine key, losing it would result in a permanent loss of user data.

To do a restore of NICI only, you must understand which specific files must be restored. During restoration, it is important that the correct access rights be restored for the correct owner. On Unix and Windows systems, the name of the user-specific directory reflects the ID of the owner, but on both systems the owner ID may change between the time of the backup and the time of the restore. It is important for security reasons that you know which account is being restored and that you assign the directory name and access rights accordingly. The mere existence of a user account on the system with the same ID as what was backed up does not mean that the current account is the actual owner of the information being restored.

Linux/Unix (*nix) Systems

In NICI versions prior to 2.6.5, the /var/novell/nici directory contains all the system and user directories and files.

In versions 2.7.0 and later, /var/novell/nici is a symbolic link to the directory /var/opt/novell/nici, which contains all the files.

You can check the version of NICI in the /etc/nici.cfg file.

Performing a Backup

The following directories/files should be backed up. As mentioned earlier, preserve the rights on all the directories and files.

Table 1 For NICI versions prior to 2.7.0

Directory/File Name             Type of file and special instructions

/etc/nici.cfg                   Configuration file
/usr/lib/libccs2.so             This is a symbolic link to the actual library in /usr/lib/.
/usr/lib/libccs2.so.*           The NICI library, the version of the library completes the name.
/var/novell/nici                This directory contains all the system keys, user directories and files/keys, and the programs used to initialize NICI.

Table 2 For NICI versions 2.7.0 and later

Directory/File Name             Type of file and special instructions

/etc/nici.cfg                   This is a symbolic link to the config file /etc/opt/novell/nici.cfg
/etc/opt/novell/nici.cfg        Configuration file
/usr/lib/libccs2.so             This is a symbolic link to the actual library in /opt/novell/lib/.
/opt/novell/lib/libccs2.so.*    The NICI library, the version of the library completes the name.
/var/novell/nici                This is a symbolic link to the directory /var/opt/novell/nici
/var/opt/novell/nici            This contains all the system keys, user directories and files/keys, and the programs used to initialize NICI.

Restoring NICI

To restore the NICI configuration files:

1. Determine if NICI is already installed on the server by searching for the /etc/nici.cfg file or link.

1a. (Conditional) If NICI is already installed on the system, take a backup of the existing setup as outlined in "Performing a Backup" above and proceed with Step 2.

1b. (Conditional) If NICI is not installed on the system, proceed with Step 3.

2. Uninstall NICI and remove the /var/novell/nici or /var/opt/novell/nici directory structure. This is to make sure that the existing system keys do not conflict with the restored set.

3. Restore the whole structure from the backup store depending on the version of NICI, remembering to restore the access rights.

It is recommended that the administrator follow the above steps. However, a knowledgeable operator may choose to restore individual files or directories, possibly changing the names of the files or directories and assigning new access rights. This can be done if the nicifk and xmgrcfg.wks files haven't changed from those on the backup store.

The following guidelines for each file/directory are recommended when restoring if NICI is installed on the box already:

File Name                             Procedure

xmgrcfg.nif                           Can be restored over an existing file.
xarchive.000                          Can be restored over an existing file.
User specific directories and files   Make sure that the user ID in the backup is the same as the user on the box.
                                      If the user directory already exists, then it must be determined if the user
                                      wants to keep the current files or restore them to a previous state.
                                      Normally, user configuration files should be restored as a group rather than
                                      individually. Be sure to restore the user files under the correct user's
                                      user ID and to restore the rights on the user directory and contents.
                                      For example, if BOB had user ID 1000 at the time of the backup but now has
                                      user ID 5000, then the files in the backed up directory 1000 should be
                                      restored to directory 5000, or BOB's UID must be changed back to 1000.
                                      So, the restore process must not just blindly restore the user directories
                                      without input from the operator. In either case, a backup of the existing
                                      NICI user directory needs to be done.
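
The Linux backup, restore and rights check described above, as an added example that is not part of the original Novell document. It assumes GNU find, tar and stat, takes the NICI root as an argument, and assumes user directories are named by numeric UID directly under that root; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: back up a NICI tree with a rights manifest, then verify a restore.
# Assumptions: GNU find/tar/stat; user directories named by numeric UID.

# nici_manifest ROOT: print "mode uid gid path" for every entry, sorted by path.
nici_manifest() {
    ( cd "$1" && find . -printf '%m %U %G %p\n' | LC_ALL=C sort -k 4 )
}

# nici_backup ROOT ARCHIVE: write ARCHIVE.manifest, then archive ROOT with
# numeric owners so IDs are not remapped by name on another system.
nici_backup() {
    nici_manifest "$1" > "$2.manifest" || return 1
    tar --numeric-owner -cpf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# nici_restore ARCHIVE PARENT: extract under PARENT, keeping modes (-p).
nici_restore() {
    mkdir -p "$2" && tar --numeric-owner -xpf "$1" -C "$2"
}

# nici_verify ROOT MANIFEST: print any mode/owner drift; return 0 only if none.
nici_verify() {
    nici_manifest "$1" | diff "$2" -
}

# nici_uid_mismatches ROOT: list UID-named directories whose owner is not the
# UID in the name. Each line needs an operator decision before restoring.
nici_uid_mismatches() {
    for d in "$1"/*/; do
        name=$(basename "$d")
        case $name in ''|*[!0-9]*) continue ;; esac   # skip non-numeric names
        owner=$(stat -c %u "$d")
        [ "$owner" = "$name" ] || printf '%s owned-by %s\n' "$name" "$owner"
    done
}

# Typical use on NICI 2.7.0 and later (run as root):
#   nici_backup /var/opt/novell/nici /backup/nici.tar
#   nici_restore /backup/nici.tar /var/opt/novell
#   nici_verify /var/opt/novell/nici /backup/nici.tar.manifest
#   nici_uid_mismatches /var/opt/novell/nici
```

A mismatch line does not say which account is right; it only marks the directories where the current owner has to be confirmed by hand.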

NetWare

For versions prior to NICI 2.x, the configuration files were kept in sys:\_NetWare and different procedures apply. These instructions are valid only for NICI versions 2.x or later.

Performing a Backup

Backup the sys:\system\NICI directory and any subdirectories along with access rights. There is only one user on NetWare, so the complication of backing up and restoring the user directories does not exist.

Restoring NICI

1. Determine if NICI is already installed on the server by searching for the sys:\system\nici\nici.cfg file.

1a. If NICI is not installed on the server, then just restore the sys:\system\NICI directory and its contents.

1b. If NICI is installed on the server, take a backup of the existing setup and remove NICI from the server. Copy the whole backup structure from the backup store to restore.

2. Selective restoration can be done only if the nicifk file hasn't changed from the one on the backup store. If it hasn't changed, you can restore whatever files in the sys:\system\NICI directory you choose. Generally, the files should be restored as a group, but if you are knowledgeable, you may choose to restore only certain files or subdirectories.

Windows

Configuration information is kept in the system registry under key: HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI.

A second key will identify the version of NICI currently installed, for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI (Shared) U.S./Worldwide (128 bit)

Performing a Backup

1. Backup any registry information under HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI*

NOTE: NICI* indicates all registry keys which begin with NICI and that there may be more than one.

2. Backup the directory, including subdirectories, identified by HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI\ConfigDirectory.
As with the Unix systems, remember the access rights on that directory and all subdirectories. On Windows systems, if commercial software is used to do the backup, make sure the backup program itself runs as a system process. This will ensure that the program will be able to access all the directories and subdirectories.

Restoring NICI

1. If NICI is not installed, restore all the registry information first. If NICI is installed, remove NICI and overwrite the registry information from the backup store.

2. Restore the files and directories within HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI\ConfigDirectory as selected by the operator.

3. We recommend that all the files be restored as a group. But if you are knowledgeable, you may choose to restore individual entries. This can be done only if the nicifk and xmgrcfg.wks files did not change from the one on the backup store. If this is the case, be sure to adjust the access rights based on the new owner of the user configuration directories. The individual directories are named after the owner, but access rights are controlled by the SID. Just because a subdirectory is named BOB does not automatically mean that the current user BOB is the correct owner of the information being restored.

Special Cases for Windows

It is possible to configure the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI\UserDirectoryRoot to indicate that the user configuration files be placed in the user's personal configuration directory. In this case, you should be prepared to backup and restore the user information independently as part of normal backup and restore operations. If NICI has been configured in this manner, you should know about it and be prepared to do individual backups.

This special case for the Windows user directory is enabled by creating the registry value EnableUserProfileDirectory rather than just pointing the directory path there. When the user profile directory is enabled, the directory may be deleted automatically if Windows is configured to automatically create and delete user accounts. In this case, backup and restore is only necessary for those specific users who are permanent. The default path will be the Application Data\Novell\Nici directory branch of the user's directory in Documents and Settings.

Formerly known as TID# 10098087

NOVL102503