15 Replies Latest reply on Mar 3, 2010 10:01 AM by Bill Robinson

    Agent ACL push



      I just created a new virtual server (Win 2k3 Server) and installed an agent on it. I have installed BL and the version of the agent is the same. I added the server, and when I try to "Push Agent ACLs" it goes wrong and shows "Permission denied". The message is the same for the BLAdmin user and for Administrador.


      Any idea?


      The Agent ACL preview shows:



      # BLAdmins ACLs
      BLAdmins:BLAdmin                rw,map=Administrador
      BLAdmins:Administrador          rw,map=Administrador

      # RL_Administrador ACLs
      RL_Administrador:Administrador  rw,map=Administrador

      # NSH-only ACLs
      BLAdmin                         rw,map=Administrador
      Administrador                   rw,map=Administrador



      I just updated the permission "Server.*" for both users, BLAdmin and Administrador.


      I am trying to understand the steps to register a new server:


      1. Register the server

      2. Update permissions

      3. Push Agent ACLs


      Is it wrong?

        • 1. Re: Agent ACL push

          What does the users.local and exports file say on the agent?


          If your users.local file doesn't have any values added to it and your users file has "no user" in it, then the box doesn't have any permission to push acls to it. The ACL preview is generated based on the roles you have added to the server object. It's not pushed until the job completes successfully, and to push the acls job, you need to make sure you have the initial acls set up correctly.

          • 2. Re: Agent ACL push
            Bill Robinson

            What's in the users.local file on the system?


            Try running the 'agentinfo' command against the server.

            • 3. Re: Agent ACL push




              #  Copyright (c) 2001-2009 BladeLogic, Inc.
              #       -- All Rights Reserved --
              # This file contains a list of user permission overrides. The permissions
              # defined in this file will override any associated permissions defined in the
              # "exports" or "users" file.
              # Please read the BladeLogicAdministration.pdf for details on how to use this
              # file.




              w2k3-Prueba3 WindowsNT 5.2 BladeLogicRSCD@W2K3-PRUEBA3->Anonymous:PrivilegeMapped (Identity via trust) Protocol=5 Encryption=TLS1 7C970765 1 Licensed for NSH/CM - Expires Thu Mar 11 23:47:29 2010

              • 4. Re: Agent ACL push
                Bill Robinson

                Your users.local file needs to have an entry like "BLAdmins:BLAdmin rw,map="

                • 5. Re: Agent ACL push

                  Try adding the following to users.local


                  BLAdmins:*  rw,map=


                  Then push acls to the box.

                  • 6. Re: Agent ACL push

                    I just created the following row in the users.local file and the Agent ACL Push ran without problems. Later I deleted it from users.local and everything is still running without problems.


                    RL_Administrador:Administrador  rw,map=Administrador


                    I can't understand the reason. Any idea?



                    • 7. Re: Agent ACL push

                      Yes, because you didn't have anything mapped initially, therefore none of the BladeLogic roles could push anything to the server. Once you updated the users.local, you were able to push the acls out to the users file. Now the initial acl item is no longer needed, as you already have the Roles defined in the users file because of the push acls job.

                      • 8. Re: Agent ACL push

                        So, the correct way to work with a new server is:



                        1. Install the Agent

                        2. Change the users.local

                        3. Push the Agent ACL


                        At this point, there is no longer any need to update users.local; everything is managed with the Agent ACL Push, correct?

                        • 9. Re: Agent ACL push

                          Yes, but you can do step 1 and 2 at the same time if you use the "Expert" option to install the agent. You can also create a silent installer that will do this for you. Check the BladeLogic Install Guide for detailed information on how you can achieve this.

                          • 10. Re: Agent ACL push
                            Bill Robinson

                            When you install the agent it should ask you for a role:user and local user map to put into the users.local file. You need to do this in order to push acls.


                            You should leave this entry there in case you screw up the acl push at some point later in time. The users.local file is an override to users and is not touched during the acl push.


                            Is 'RL_Administrator:Administrator' a BladeLogic role and user?


                            All of this should be detailed in the bladelogicadministration.pdf file.

                            • 11. Re: Agent ACL push

                              Yes, 'RL_Administrator:Administrator' is a Role and a User that maps to Administrator on the Windows machines.

                              • 12. Re: Agent ACL push
                                Bill Robinson

                                Were you logged into bladelogic as 'Administrator' in the RL_Administrator role when you were trying to perform the acl push?

                                • 13. Re: Agent ACL push



                                  I had created a new user "Administrador" with the new Role RL_Administrator. This Role is identical to BLAdmin. At the beginning I just created a new VM and then installed the agent, but didn't modify users.local.


                                  So with this user I tried to push the Agent ACL and it didn't work. Then I modified users.local by logging in to the VM, because from BladeLogic I didn't have enough rights.


                                  At that point I pushed the Agent ACL without problems.


                                  So I think that I always need to change users.local, don't I?



                                  • 14. Re: Agent ACL push
                                    Bill Robinson

                                    Like someone mentioned before in this thread, when you install the agent you need to choose the 'expert' install and put in the role and user and local user when the installer prompts you, or after the install you need to manually modify the users.local file w/ a BladeLogic user and role and user mapping that you want to give the initial permissions to. This will let you push acls.


                                    The agent install by default is locked down so you must open it up to allow management.
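
A pre-flight check for the situation worked through in this thread, as an added example that is not part of the original posts and is not BladeLogic code: it parses users.local text and reports whether a given role:user has an active rw entry before an ACL push is attempted. The entry grammar, exact-case matching, `*` as a wildcard, and the rule that role-less (NSH-only) entries do not cover a role login are assumptions inferred from the lines quoted above; the agent also consults the exports and users files, which this check does not read.

```python
from fnmatch import fnmatchcase

# Constructed samples: a comment-only file like the one in reply 3, then the
# same file with the entry from reply 6 added.
LOCKED_DOWN = "# This file contains a list of user permission overrides.\n"
WITH_ENTRY = LOCKED_DOWN + "RL_Administrador:Administrador  rw,map=Administrador\n"


def parse_users_local(text):
    """Return the active (non-comment) entries of a users.local file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 1)             # principal, then option list
        role, sep, user = fields[0].partition(":")
        if not sep:                              # NSH-only entry: user, no role
            role, user = None, fields[0]
        opts = fields[1].replace(" ", "").split(",") if len(fields) > 1 else []
        local_user = None
        for opt in opts:
            if opt.startswith("map="):
                local_user = opt[4:]             # may be empty, as in "map="
        entries.append({"role": role, "user": user,
                        "rw": "rw" in opts, "map": local_user})
    return entries


def can_push_acls(text, role, user):
    """True if an active entry grants role:user read-write access.

    Assumption: matching is exact-case and '*' is a wildcard, as in the
    'BLAdmins:*' entry suggested in reply 5.
    """
    for entry in parse_users_local(text):
        if entry["role"] is None:
            continue                             # assumed not to cover role logins
        if (entry["rw"] and fnmatchcase(role, entry["role"])
                and fnmatchcase(user, entry["user"])):
            return True
    return False


if __name__ == "__main__":
    for label, text in (("as installed", LOCKED_DOWN), ("after edit", WITH_ENTRY)):
        ok = can_push_acls(text, "RL_Administrador", "Administrador")
        print(f"{label}: {'push should be accepted' if ok else 'expect Permission denied'}")
```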
