5 Replies Latest reply on Sep 21, 2009 10:10 AM by Bill Robinson

    permissions inconsistency

    Matt Kreger

      When I nsh to a server from my App Server I get mapped to Anonymous, but when I do so from my workstation I get mapped to the local admin user.  I'm using NSH proxy, so in both cases, the connection to the managed server is from the app server.

       

      Also, when I start nsh on the app server, I don't get prompted for a role.

       

      Agentinfo from app server:

       

      [root@emda-nbp-uea21 br]# ./blcred cred -acquire -profile defaultProfile
      username: adminmkreger
      password:
      Authentication succeeded: acquired session credential
      [root@emda-nbp-uea21 br]# nsh
      emda-nbp-uea21# agentinfo emda-nbp-uea26
      emda-nbp-uea26:
        Agent Release   : 7.6.0.132
        Hostname        : EMDA-NBP-UEA26
        Operating System: WindowsNT 5.2
        User Permissions: BladeLogicRSCD@EMDA-NBP-UEA26->Anonymous:PrivilegeMapped (Identity via trust)
        Security        : Protocol=5, Encryption=TLS1
        Host ID         : 50C6E5A2
        # of Processors : 1
        License Status  : Licensed for NSH/CM - Expires Thu Oct 01 08:21:56 2009
      emda-nbp-uea21#

      From my workstation:

       

      C:\>blcred cred -acquire -profile defaultProfile
      username: adminmkreger
      password:
      Authentication succeeded: acquired session credential

      C:\>nsh
      Pick Role:
      1. GlobalReportAdmins
      2. RBACAdmins
      3. BLAdmins
      3
      MKREGER-1% agentinfo emda-nbp-uea26
      emda-nbp-uea26:
        Agent Release   : 7.6.0.132
        Hostname        : EMDA-NBP-UEA26
        Operating System: WindowsNT 5.2
        User Permissions: BladeLogicRSCD@EMDA-NBP-UEA26->Administrator@EMDA-NBP-UEA26:PrivilegeMapped (Identity via trust)
        Security        : Protocol=5, Encryption=TLS1
        Host ID         : 50C6E5A2
        # of Processors : 1
        License Status  : Licensed for NSH/CM - Expires Thu Oct 01 08:21:56 2009

      The host in this example has the following config file entries (20.5.205.22 is the app server - using nsh proxy):

       

      MKREGER-1% cd //emda-nbp-uea26/WINDOWS/rsc
      emda-nbp-uea26% cat exports
      #
      #  Copyright (c) 2001-2009 BladeLogic, Inc.
      #       -- All Rights Reserved --
      #
      #  This file is read by the "rscd" to determine permissions for the given host.
      #
      # Please read the BladeLogicAdministration.pdf or "exports" man page for details
      # on how to use this file.
      #

      20.5.205.22   rw
      emda-nbp-uea26% cat users
      #
      #  Copyright (c) 2001-2009 BladeLogic, Inc.
      #       -- All Rights Reserved --
      #
      # This file contains a list of user permission overrides. The permissions
      # defined in this file will override any associated permissions defined in the
      # "exports" file.
      #
      # Please read the BladeLogicAdministration.pdf or "users" man page for details
      # on how to use this file.
      #
      emda-nbp-uea26% cat users.local
      #
      #  Copyright (c) 2001-2009 BladeLogic, Inc.
      #       -- All Rights Reserved --
      #
      # This file contains a list of user permission overrides. The permissions
      # defined in this file will override any associated permissions defined in the
      # "exports" or "users" file.
      #
      # Please read the BladeLogicAdministration.pdf for details on how to use this
      # file.
      #
      BLAdmins:*      rw,map=Administrator
      emda-nbp-uea26%

        • 1. Re: permissions inconsistency
          Bill Robinson

          when you run nsh from the commandline w/o the configuration for a proxy, there are no bladelogic credentials established.

           

          from the appserver, you should launch nsh from a 'nsh here' custom command window (which picks up bladelogic creds), or set up a mapping on your target systems for the OS user you are logged into the appserver as.  (e.g. mkreger rw,map=guardian in the users.local file)

           

          you can't configure nsh on the appserver to use a nsh proxy.

          • 2. Re: permissions inconsistency
            Matt Kreger

            I changed users.local to * rw,map=Administrator and it still maps me to Anonymous

            • 3. Re: permissions inconsistency
              Matt Kreger

              BTW - the nsh from here thing does work, but I can't do it this way on an ongoing basis.  I need to be able to do it from SSH.  I have to log in locally to the app server to run bllic to license agents and I can't rely on having console access (or take all that extra time to launch the gui just to get back to a command line).

               

              Thanks,

              Matt

              • 4. Re: permissions inconsistency
                young so

                The best practice for licensing agents is to schedule a job or run it against the target from the console.  You shouldn't have to log on to the application server to license the agent on the application server.  It should be scheduled as a maintenance task because you want things automated.  Thus, every time an unlicensed agent comes online, the scheduled job or run against target should take care of your issue with licensing the server.

                • 5. Re: permissions inconsistency
                  Bill Robinson

                  the users and users.local files take the format:

                   

                  <user> perm,options

                  so like

                  BLAdmins:BLAdmin rw,map=root

                   

                  The 1st entry has to be a user or role:user

                   

                  The exports file takes a host as the 1st entry - so you can do:

                   

                  * rw,user=root

                  or

                  <appserver> rw,user=root

                   

                  This will work assuming there is not a 'nouser' entry in the users file.

                   

                  But you should schedule this as a job and run this against either all servers or all unlicensed servers.
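
An added example (not part of the thread and not BladeLogic code): a small lint for exports, users and users.local entries in the `<subject> perm,options` format described above. It flags rw entries that map to a privileged local account and says whether the subject is a wildcard. The privileged-account list, the function names and the finding wording are assumptions, and the script does not reproduce the agent's own precedence logic.

```python
# Accounts treated as privileged for this lint (assumption, adjust per site).
PRIVILEGED = {"root", "administrator"}

# Entries quoted in the thread, grouped by the file they would live in
# (constructed sample input, not a dump of a real host).
SAMPLES = {
    "exports": "# host entries\n20.5.205.22   rw\n* rw,user=root\n",
    "users": "# user overrides\n",
    "users.local": "BLAdmins:*      rw,map=Administrator\nmkreger rw,map=guardian\n",
}


def parse_entries(text):
    """Yield (subject, flags, options) for each '<subject> perm,options' line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        subject = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        fields = [f.strip() for f in rest.split(",") if f.strip()]
        flags = {f for f in fields if "=" not in f}
        options = dict(f.split("=", 1) for f in fields if "=" in f)
        yield subject, flags, options


def audit(filename, text):
    """Return (file, subject, message) for entries worth a reviewer's attention."""
    findings = []
    for subject, flags, options in parse_entries(text):
        target = options.get("map") or options.get("user")
        if subject == "nouser":
            # The thread notes that a nouser entry changes whether exports mappings apply.
            findings.append((filename, subject, "nouser entry present"))
        elif "rw" in flags and target and target.lower() in PRIVILEGED:
            wildcard = subject == "*" or subject.endswith(":*")
            scope = "wildcard" if wildcard else "specific"
            findings.append((filename, subject, f"{scope} rw mapping to {target}"))
    return findings


def audit_all(files):
    """Audit a {filename: contents} mapping and return all findings in order."""
    return [f for name, text in files.items() for f in audit(name, text)]


if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print(*finding, sep=": ")
```

Wildcard findings deserve the closest review: with `*` as the host in exports, or `role:*` in users.local, the privileged mapping is not tied to one named host or user.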