3 Replies Latest reply on Mar 25, 2014 7:54 AM by Bill Robinson

    NSH console, AD-Kerberos profile, nexec no longer working

      Hi all

       

      I configured an AD-Kerberos authenticationProfile for an NSH console. Blcred works correctly with either SRP or AD-Kerberos (this means that I can get credentials), but I can't run nexec anymore:

       

      nexec -e
      nexec: No host to execute the command on

      nexec xxx ls
      nexec: Error accessing host xxx: No authorization to access host

      This happens with both the SRP and the Kerberos profile. The Kerberos ticket is gotten via /usr/bin/kinit. Host xxx can be accessed via the BL GUI (logged in against the AppServer with SRP).

       

      How may I solve this issue?

       

      Thanks for your time

       

      Edit:

       

      rscd.log of the machine running the nexec

       

      3d5807ec13bab7f3a168 0000000005 03/25/14 12:50:33.004 WARN     rscd -  xx.xx.xx.xx 11270 0/0 (root): nexec: Host not authorized
      
      a0350b4617795431dd2b 0000000006 03/25/14 12:50:33.006 INFO     rscd -  hostname 11271 -1/-1 (Not_available): (Not_available): FIPS already enabled
      

       

      xx.xx.xx.xx is the ip of the machine which is running the nexec and hostname the hostname of the same machine

        • 1. Re: NSH console, AD-Kerberos profile, nexec no longer working
          Bill Robinson

          nexec -e requires you to cd to a target server first. Did you do that?

           

          For the other error - is your nsh client configured to use an nsh proxy? If not, then the creds you established w/ blcred aren't being used when talking to the target server. Configure your nsh client to use an nsh proxy.

          • 2. Re: Re: NSH console, AD-Kerberos profile, nexec no longer working

            Hi Bill:

             

            Thanks for your time.

             

            For the first error:

             

             

            cd //xxx.xxx.xxxx.xxx
            cd: no authorization to access host: //xxx.xxx.xxx.xx

            In case this helps, the credentials are gotten with this profile:

             

              <ServiceProfile>
                <Name>KERBEROS_TEST</Name>
                <ServiceURL>service:authsvc.bladelogic:blauth://xxx.xxx.xxx.:9840</ServiceURL>
                <AuthenticationType>AD_KERBEROS</AuthenticationType>
              </ServiceProfile>
            </ServiceProfiles>

            the profile is like this

             

            blcred cred -list
            
            
            Username:         xxxxx@MYDOMAIN.com
            Authentication:   AD/Kerberos Single Sign-On
            Issuing Service:  service:authsvc.bladelogic:blauth://xxx.xxx.xxxx:9840
            Expiration Time:  Tue Mar 25 23:13:19 CET 2014
            Maximum Lifetime: Tue Mar 25 23:13:19 CET 2014
            Client address:   xxx.xxx.xxxx.xxx
            Authorized Roles:
                BLAdmins_ATF
            
            
            Destination URLs:
                service:appsvc.bladelogic:blsess://xxx.xxx.xxx.xxx:9841
                service:proxysvc.bladelogic:blsess://xxx.xxx.xxx.xxx:9942
            
            

             

            and secure looks like this

             

            rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:
            default:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:

            As for the nsh proxy part: I need to configure the client to use the nsh proxy, and I'm reading the documentation about that.

            • 3. Re: NSH console, AD-Kerberos profile, nexec no longer working
              Bill Robinson

              Yeah – you need to configure the nsh proxy.
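
Added example, not part of the thread or of BMC's tooling: a small check of whether a client `secure` file entry routes NSH traffic through the NSH proxy, which is what the replies recommend. The keys `appserver_protocol=ssoproxy`, `auth_profile` and `auth_profiles_file` are assumed here as the proxy settings for a client entry, and the file path in the sample is a placeholder.

```python
# Added example: audit BladeLogic "secure" file entries for NSH proxy settings.
# Assumption: a proxy-enabled client entry carries appserver_protocol=ssoproxy
# plus the two keys below. None of these keys appear in the thread itself.
PROXY_KEYS = ("auth_profile", "auth_profiles_file")

def parse_secure(text):
    """Return {entry_name: {key: value}} for lines like 'default:port=4750:...:'."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        fields = {}
        for item in rest.split(":"):
            if "=" in item:
                key, _, value = item.partition("=")
                fields[key.strip()] = value.strip()
        entries[name.strip()] = fields
    return entries

def proxy_findings(entries, entry="default"):
    """List the reasons why the client entry would bypass the NSH proxy."""
    fields = entries.get(entry)
    if fields is None:
        return [f"no '{entry}' entry in secure file"]
    findings = []
    if fields.get("appserver_protocol") != "ssoproxy":
        findings.append("appserver_protocol is not ssoproxy: blcred credential is not used")
    for key in PROXY_KEYS:
        if not fields.get(key):
            findings.append(f"{key} is not set")
    return findings

# The two secure file lines posted in the thread.
THREAD_SECURE = """\
rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:
default:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:
"""

# Constructed sample: profile name taken from the thread, path is a placeholder.
PROXY_SECURE = (
    "default:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:"
    "appserver_protocol=ssoproxy:auth_profile=KERBEROS_TEST:"
    "auth_profiles_file=/path/to/authenticationProfiles.xml:"
)

if __name__ == "__main__":
    for label, text in (("thread", THREAD_SECURE), ("proxy", PROXY_SECURE)):
        print(label, proxy_findings(parse_secure(text)) or "routes via NSH proxy")
```
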