19 Replies. Latest reply on Feb 27, 2015 8:43 AM by Benjamin Hawkins

    NSH Script (Type 3) UID

    Benjamin Hawkins



      I'm trying to configure some NSH script jobs (Type 3) native run so that we can run some scripts through into an AWS CLI configuration.


      I've managed to get the AWS CLI configured on BSA and accessible via an NSH shell without needing to nexec into a cmd layer.


      When running manually from my NSH shell I have the UID of my own user as shown by the id command. (Everything works fine under this shell)


      However, when I then create an NSH script job it fails. When I run the id command as part of this it shows the UID as the hostname of the server, not my user.


      Is there a way to force an NSH Script to execute under the current user's UID?




        • 1. Re: NSH Script (Type 3) UID
          Bill Robinson

          can you show your script or a snippet of it that's doing the id check ?

          • 2. Re: NSH Script (Type 3) UID
            Benjamin Hawkins

            When running the script from within the BSA Script Job:


            Info 20-Feb-2015 17:53:49 c:\>aws ec2 describe-regions --output table
            Info 20-Feb-2015 17:53:49 uid=400(BMCTSPR11$) gid=401(mkpasswd)
            Info 20-Feb-2015 17:53:49 c:\>id


            When manually running the script from my NSH session:


            BMCTSPR11% id

            uid=400(bhawkins) gid=401(mkpasswd)


            I'm not sure if I'm just not choosing the right script type for what I'm trying to do.

            • 3. Re: NSH Script (Type 3) UID
              Bill Robinson

              id is not a windows native command so do you have cygwin or nsh installed on the target ?

              • 4. Re: NSH Script (Type 3) UID
                Benjamin Hawkins

                We have the agent and the BSA console installed on the server.


                We use the TS boxes as break outs for engineers and devs to run against CLIs.


                We have Navisec and PowerCLI running and working fine, just the AWS one is giving us issues and all I can see that is different is the UID as the AWS CLI is a bit more sensitive.

                • 5. Re: NSH Script (Type 3) UID
                  Benjamin Hawkins

                  Is there a way to allow the script to pick up the native BSA user's NSH UID for access?

                  • 6. Re: NSH Script (Type 3) UID
                    Bill Robinson

                    this is likely due to how the user impersonation works in windows.  when you run things under the context of the rscd you inherit the profile of the localsystem user (rscd starts as localsystem and drops to bladelogicrscd) and then the rights of the mapped user (but not the profile/env) are assigned to the process.  so things like APPDATA, USERPROFILE, etc will be what you'd expect for localsystem, not the mapped user.  i forget if this is different if you use an Automation Principal since that doesn't use the user impersonation feature of windows.

                    1 of 1 people found this helpful
                    • 7. Re: NSH Script (Type 3) UID
                      Benjamin Hawkins

                      Is there any way around this without using APs?


                      Is there a way to map to a certain environment and account on running a script or is it possible to call a job from within Bladelogic manually from within an NSH shell?


                      If you can call a job would it use the properties of the current NSH shell?

                      • 8. Re: NSH Script (Type 3) UID
                        Bill Robinson

                        I don’t believe there is a way around this behaviour.  Why do you need to get the current user id ?

                        • 9. Re: NSH Script (Type 3) UID
                          Benjamin Hawkins

                          Due to how the AWS CLI works with its authorisations being in the user's environment table, I need the particular script jobs to run as the user's NSH shell environment, not the localsystem.


                          If not, is it possible to change the localsystem environment via NSH?

                          • 10. Re: NSH Script (Type 3) UID
                            Bill Robinson

                            if it's just going off of the username or other variable you should be able to set that before you make the call to the aws cli.
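
Added example (not part of the thread or of any participant's script): the profile behaviour described in reply 6 and the suggestion in reply 10 to set variables before calling the AWS CLI, modelled in POSIX sh. It assumes the CLI's documented default of `.aws/credentials` under the profile directory (`%USERPROFILE%` on Windows) unless `AWS_SHARED_CREDENTIALS_FILE` is set; the function names and the throwaway directories are constructed for illustration.

```sh
#!/bin/sh
# Which shared credentials file would the AWS CLI read in a given context?
# Assumed lookup: explicit AWS_SHARED_CREDENTIALS_FILE wins, otherwise
# <profile dir>/.aws/credentials.
aws_credentials_path() {
    # $1 = AWS_SHARED_CREDENTIALS_FILE value ("" if unset), $2 = profile dir
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -n "$2" ]; then
        printf '%s\n' "$2/.aws/credentials"
    else
        return 1
    fi
}

# Print one line per context so the interactive session and the script job
# can be compared side by side in a job log.
describe_context() {
    # $1 = label, $2 = override value, $3 = profile dir
    path=$(aws_credentials_path "$2" "$3") || { echo "$1: no profile directory"; return 1; }
    if [ -r "$path" ]; then state="readable"; else state="missing"; fi
    echo "$1: $path ($state)"
}

# Pin the CLI to one directory for a single command instead of relying on
# whichever profile the job process inherited. Refuses to run if the
# credentials file is not there, so a job fails loudly rather than silently
# picking up another identity's files.
run_with_aws_files() {
    # $1 = directory holding 'credentials' and 'config'; rest = command
    dir=$1; shift
    [ -r "$dir/credentials" ] || { echo "no readable credentials in $dir" >&2; return 2; }
    env AWS_SHARED_CREDENTIALS_FILE="$dir/credentials" \
        AWS_CONFIG_FILE="$dir/config" "$@"
}

# Constructed demo: two temporary directories stand in for the interactive
# user's profile and the LocalSystem profile the agent-run job inherits.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/user/.aws" "$demo_root/systemprofile"
: > "$demo_root/user/.aws/credentials"   # empty placeholder, no real keys
describe_context "interactive NSH" "" "$demo_root/user"
describe_context "script job" "" "$demo_root/systemprofile"
describe_context "script job, pinned" "$demo_root/user/.aws/credentials" "$demo_root/systemprofile"
```

In a job, the same check run before the `aws` call shows in the job log which file the process resolved, which separates a profile problem from a permissions problem.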

                            • 11. Re: NSH Script (Type 3) UID
                              Benjamin Hawkins

                              It needs to run off their logon shell, as it will be configured to the individual IAM credentials of that session.


                              So currently the flow of the process I need to create is:


                              1) The user logs into BladeLogic and runs an NSH shell with AWS Configure to enter their IAM credentials. (These are then stored permanently)

                              2) After this the user can log into an NSH shell session and run commands directly against AWS (Working after adding the correct environment variables etc..). We then need the user to be able to create a Script job in the depot, create a job and run it mapped to their own login session not as localsystem.


                              What's the best way to alter a script within Bladelogic to run under a different user and what would be the best type of script job to run it as?


                              If this can't be done, is it possible that they could create a manifest saved on the local server and call it via their NSH shell session? (as I presume this would then use the current session variables)

                              • 12. Re: NSH Script (Type 3) UID
                                Benjamin Hawkins

                                So I've now got this working within BSA where BSA will run the script against the correct session using a non-NSH script.


                                Is it possible to add parameters to Type 3 scripts so that they can be passed through when run?

                                • 13. Re: NSH Script (Type 3) UID
                                  Bill Robinson

                                  yeah - you should be able to, your script just needs to handle the inputs.


                                  what did you end up doing ?

                                  • 14. Re: NSH Script (Type 3) UID
                                    Benjamin Hawkins

                                    So we ended up writing a script that we one time run against any server we've built to act as an AWS Command Interpreter that changes the system environment variables of %userprofile% or /c/windows/system32/config/systemprofile and also the cygwin shell for the same user.


                                    We added in a service account for the AWS and added the config and credentials to the localsystem user profile using the script above. This way any user that runs a script against AWS in the console GUI will go in via the service account but will be tracked via the audit log on the job. We also added in the proxy settings for http to the localsystem so we could make it more controllable.


                                    We also added the "aws" command to the NSH Commands in RBAC so that users can call direct into AWS without needing to use nexec or move to a local shell.


                                    Is there any documentation on Type3 NSH scripts or any posts that you know of around using Parameters from the Console GUI to pass through to a Type 3 Script? I've tried using the usual $, $1, $2 etc.. but it doesn't seem to pass through correctly. Not sure if this is just calling them wrongly however.
