25 Replies. Latest reply on Oct 6, 2008 8:51 AM by Sean Marshall

    AD Sync users script issues

      We recently switched from a Windows app server to a Linux app server and in the process upgraded the user sync script. The new version seems to be running, but not making the modifications; we are getting a "grep: unknown devices method" error.

       

      Any ideas?

        • 1. Re: AD Sync users script issues

          Not sure what this means without troubleshooting on the appserver directly and seeing the logs. This is an error from grep itself. Something in the way it's being invoked is not working.

           

          My guess is the grep is coming from the roles.txt file where you constructed the regular expression to extract users from groups. If you run the construct manually on the NSH command line, do you get any errors?

          • 2. Re: AD Sync users script issues

            Job Name,Sync Users from Active Directory - Run at 08/06/2008 03:00:11

            Start Time,08/06/2008 03:00:11

            End Time,08/06/2008 03:00:44

            Status,Completed with Errors

             

            Participant,Type,Date,Message

            Run at 08/06/2008 03:00:11,Info,08/06/2008 03:00:12,Started running the job 'Sync Users from Active Directory' on application server 'monswn01p.was.int.imf.org'(8)

            WDCSBN03P,Info,08/06/2008 03:00:28,##################################

            WDCSBN03P,Info,08/06/2008 03:00:29,# Directory Sync Script

            WDCSBN03P,Info,08/06/2008 03:00:29,"# BladeLogic, Inc."

            WDCSBN03P,Info,08/06/2008 03:00:29,# Wed Aug 6 03:00:28 EDT 2008

            WDCSBN03P,Info,08/06/2008 03:00:29,##################################

            WDCSBN03P,Info,08/06/2008 03:00:29,Running Script:

            WDCSBN03P,Info,08/06/2008 03:00:29,----


            WDCSBN03P,Info,08/06/2008 03:00:29,INFO: Using roles found in //monswn05p/D/Program Files/BladeLogic/OM/share/sensors/extended_objects/roles.txt.

            WDCSBN03P,Info,08/06/2008 03:00:29,"INFO: Using SPN: , keytab: , krb5.conf:"

            WDCSBN03P,Info,08/06/2008 03:00:29,INFO: Initialize BLCLI

            WDCSBN03P,Error,08/06/2008 03:00:42,//@/usr/nsh/tmp/scripts/job_16393/script163941923.1_ad_sync_users.nsh:441: no such file or directory: /usr/nsh/sbin/grep

            WDCSBN03P,Info,08/06/2008 03:00:42,Pruning Users from RBAC:

            WDCSBN03P,Info,08/06/2008 03:00:43,###################################

            WDCSBN03P,Error,08/06/2008 03:00:43,Command execution failed. com.bladelogic.cli.factory.CommandNotFoundException: Name space : RBACUser has no commands by name : findAll

            WDCSBN03P,Info,08/06/2008 03:00:43,ERROR: All LDAP Queries returned NULL

            WDCSBN03P,Error,08/06/2008 03:00:43,Cannot store a failed command result

            WDCSBN03P,Info,08/06/2008 03:00:43,ERROR: Exiting...

            WDCSBN03P,Info,08/06/2008 03:00:43,Exit Code 1

            Run at 08/06/2008 03:00:11,Info,08/06/2008 03:00:47,The job 'Sync Users from Active Directory' has failed

            • 3. Re: AD Sync users script issues
              Bill Robinson

              There are 2 problems:

               

              WDCSBN03P,Error,08/06/2008 03:00:42,//@/usr/nsh/tmp/scripts/job_16393/script163941923.1_ad_sync_users.nsh:441: no such file or directory: /usr/nsh/sbin/grep

               

              Is this the 2.9.5 version of the script from the KB? Also, what's in your roles.txt file?

               

               

              WDCSBN03P,Error,08/06/2008 03:00:43,Command execution failed. com.bladelogic.cli.factory.CommandNotFoundException: Name space : RBACUser has no commands by name : findAll

               

              I don't see in the 2.9.5 script where this command would be getting called from..

              • 4. Re: AD Sync users script issues

                Ok, ignore my last post... that was running the old script.

                 

                The new script gives me this....

                server.domain.org,Info,08/25/2008 14:23:52,INFO: Using roles found in /usr/nsh/share/sensors/extended_objects/roles.txt.

                server.domain.org,Info,08/25/2008 14:23:52,"INFO: Using SPN: blappsvc/server@DOMAIN.ORG, keytab: /usr/nsh/br/blappsvc.keytab, krb5.conf: /usr/nsh/br/blappserv_krb5.conf"

                server.domain.org,Info,08/25/2008 14:24:00,true

                server.domain.org,Info,08/25/2008 14:24:00,INFO: Initialize BLCLI

                server.domain.org,Error,08/25/2008 14:24:01,grep: unknown devices method

                server.domain.org,Info,08/25/2008 14:24:01,Pruning Users from RBAC:

                 

                see the grep: unknown devices method error......

                 

                the ROLES.TXT file contains entries like the following.....

                 

                SuperUSERldapsearch -Hldap://dc1.domain.org -Y GSSAPI -b "ou=BLADM,dc=domain,dc=org" -LLL "cn=SuperUSER" | grep member | awk -FCN= '{print $2}' | awk -F,OU= '{print $1}' | awk -F' ' '{print $NF}'@DOMAIN.ORG

                • 5. Re: AD Sync users script issues

                  Did you try running greps manually on the app server? You need to create your own custom roles.txt that will fit the environment you are in.

                  • 6. Re: AD Sync users script issues

                    If I run the command manually on the app server

                     

                    SuperUSERldapsearch -Hldap://dc1.domain.org -Y GSSAPI -b "ou=Admins,dc=domain,dc=org" -LLL "cn=SuperUSER" | grep member | awk -FCN= '{print $2}' | awk -F,OU= '{print $1}' | awk -F' ' '{print $NF}'@DOMAIN.ORG

                     

                    I get...

                     

                    awk: cmd. line:1: {print $NF}+@DOMAIN.ORG

                    awk: cmd. line:1: ^ invalid char '@' in expression

                    • 7. Re: AD Sync users script issues
                      Bill Robinson

                      just run:

                       

                      ldapsearch -Hldap://dc1.domain.org -Y GSSAPI -b "ou=Admins,dc=domain,dc=org" -LLL "cn=SuperUSER" | grep member | awk -FCN= '{print $2}' | awk -F,OU= '{print $1}' | awk -F' ' '{print $NF}'

                      • 8. Re: AD Sync users script issues

                        I would start by running just the ldapsearch command, without the grep, awk, etc. Essentially, validate that ldapsearch is connecting to AD and pulling the details for the SuperUSER domain group.

                         

                        After you validate that you actually get results, start adding greps and awk to filter the output until you are left with just the username.

                         

                        The grep and awk statements are almost never the same at every customer because the output returns slightly different based on how AD is configured. Therefore, there is a chance the statements in the sample file will not return correctly in your case.

                         

                        If ldapsearch does work, post the output and I will help you with the grep statements.
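
The staged approach from reply 8, as an added example that is not part of the original thread or of the BladeLogic script: each filter is a separate function that can be run and inspected on its own, and the thread's one-line pipeline is kept beside it for comparison. The LDIF sample, the `memberOf` entry, the folded line and all function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ldapsearch -LLL` output for a group object.
# The SuperUser2 entry is folded inside the CN to show LDIF line continuation.
sample_ldif() {
cat <<'EOF'
dn: CN=SuperUSER,OU=Admins,DC=domain,DC=org
cn: SuperUSER
member: CN=SuperUser1,OU=Staff,DC=domain,DC=org
member: CN=SuperUs
 er2,OU=Staff,DC=domain,DC=org
memberOf: CN=OtherGroup,OU=Admins,DC=domain,DC=org
member: CN=SuperUser3,OU=Staff,DC=domain,DC=org

EOF
}

# Stage 1: join continuation lines (a line starting with one space
# continues the previous line).
unfold_ldif() {
  awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
       NR > 1 { print buf }
       { buf = $0 }
       END { if (NR) print buf }'
}

# Stage 2: keep only the values of the "member" attribute. Anchoring on
# "member: " excludes "memberOf:"; base64 values ("member:: ") are skipped.
member_dns() {
  sed -n 's/^member: //p'
}

# Stage 3: reduce each DN to its leading CN value. A CN containing an
# escaped comma is not handled here and needs a real DN parser.
dn_to_cn() {
  sed -n 's/^CN=\([^,]*\),.*$/\1/p'
}

group_members() { unfold_ldif | member_dns | dn_to_cn; }

# The filter chain quoted in the thread, unchanged, for comparison.
thread_pipeline() {
  grep member | awk -FCN= '{print $2}' | awk -F,OU= '{print $1}' | awk -F' ' '{print $NF}'
}

sample_ldif | group_members
```

On this sample the thread's chain truncates the folded entry and also emits the group named on the `memberOf` line, which is why each stage is worth checking against real ldapsearch output before the names are fed into a role sync.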

                        • 9. Re: AD Sync users script issues

                          If I run that the command works fine..... but I do not know what to modify in the script to get it working.

                          • 10. Re: AD Sync users script issues
                            Bill Robinson

                            When you say it works fine, what does it return - and what command did you run - the ldapsearch by itself or the ldapsearch piped to the text parsing?

                             

                            is it returning the user accounts that need to get added?

                            • 11. Re: AD Sync users script issues

                              Runs fine means it returns the following with no errors

                               

                              SASL/GSSAPI authentication started

                              SASL username: user@DOMAIN.ORG

                              SASL SSF: 56

                              SASL installing layers

                              SuperUser1

                              SuperUser2

                              SuperUser3

                              • 12. Re: AD Sync users script issues
                                Bill Robinson

                                and that's w/ the grep/awk stuff piped in ?

                                • 13. Re: AD Sync users script issues

                                  This is what I ran

                                   

                                  ldapsearch -Hldap://DC.domain.org -Y GSSAPI -b "ou=Admins,dc=domain,dc=org" -LLL "cn=SuperUSER" | grep member | awk -FCN= '{print $2}' | awk -F,OU= '{print $1}' | awk -F' ' '{print $NF}'

                                   

                                  it returned what was in my previous post

                                  • 14. Re: AD Sync users script issues
                                    Bill Robinson

                                    hmm - the server.domain.org that this is running - is that the linux appserver or the domain controller ?
