42 Replies Latest reply on May 25, 2010 7:33 AM by Bill Robinson

    CM  host access

    Bill Bruncati

      Have the following /usr/lib/rsc/users.local files on the target servers.


      RBACAdmins:RBACAdmin    rw,map=root
      BLAdmins:BLAdmin    rw,map=root
      BLAdmins:wb238w    rw,map=root
      BLAdmins:*    rw,map=root
      Control_Role:*  rw,map=root
      system:system    rw,map=root
      root    rw,map=root


      I have Configuration Manager ( CM) running on my laptop.  My Appserver is Solaris 10  running BL 7.6


      I log into CM as  wb238w, therefore,  when I access a target via my CM GUI, I should be mapped to root, correct ?


      I've proved this to myself by going into a target and opening root-owned ( r-------- ) files. I was also able to manually edit (via the GUI) the /usr/lib/rsc/users.local file.


      However, when I created a Deploy File job to copy a new users.local file to a target, I get:


      cd:  no authorization to access host

      // [hostname]


      Or, when I try to look at /usr/lib/rsc/rscd.log  via CM I get "Permission Denied" .


      Since my user id is tied to the BLAdmins role, which in turn has root equivalency, shouldn't I be able to do these things?



        • 1. Re: CM  host access
          Bill Robinson

          Can you get to the rscd.log on the target another way (e.g. ssh)? Look in the log and it should tell you what user you are coming across as when you get denied.

          • 2. Re: CM  host access
            Saurabh Kashikar

            You might also want to check your users.local file. I think your job must have succeeded halfway and it should have overwritten users.local.

            • 3. Re: CM  host access
              Bill Bruncati



              I only have access via BL.


              But it gets stranger: I couldn't do things via CM but can via NSH.


              HOSTA is my Appserver running NSH. I was able to cp HOSTB's file to HOSTC.


              root@HOSTA $PWD: cp //HOSTB/usr/lib/rsc/users.local   //HOSTC/usr/lib/rsc/      - this worked



              root@HOST $PWD: cd //HOSTC/usr/nsh/log
              root@HOSTA $PWD: ls -l
              //.bladelogic grants non-owner access.
              total 41
              -rw-r--r--   1 root     root         5866 May 18 16:44 rscd.log
              -rw-r--r--   1 root     root         4633 May 01 06:41 rscd.log1
              -rw-r--r--   1 root     root         7936 Apr 01 19:17 rscd.log2
              -rw-r--r--   1 root     root         1451 Feb 26 20:37 rscd.log3


              root@HOSTA $PWD: pwd


              root@HOSTA $PWD: tail rscd.log    -  Don't know why I can't do this.
              //.bladelogic grants non-owner access.
              tail: rscd.log: Permission denied





              • 4. Re: CM  host access
                Fred Breton

                The right way to check the account you're mapped to is to right-click on the server from the UI and run the custom command Agent Information. You will then get a result like:


                Hostname  Agent Release  O.S.               Permissions      Security                    Host ID  Processors  Licenses
                BL-RHWWW  8.0.0.380      Linux 2.6.9-34.EL  0/0 (root/root)  Protocol=5 Encryption=TLS1  7F0100   1           Licensed for NSH/CM


                In the Permissions field you can see what your mapping is.


                The way BL maps a user to a local user is to first look in the users.local file; if it finds a line that resolves the Role:User, the mapping is done; otherwise it looks in the users file.


                Hope this helps.
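The lookup order described in the reply above, sketched as an added example that is not part of the original thread and is not BladeLogic code. It is run against the users.local posted in the opening message. Assumptions: the first matching line wins, `*` matches any user in a role, a bare line matches by user name, `#` starts a comment, and the function names are hypothetical. It also lists the `Role:*` lines that map a whole role to root, which is the part of such a file worth reviewing first.

```python
# users.local exactly as posted in the opening message of this thread
USERS_LOCAL = """\
RBACAdmins:RBACAdmin    rw,map=root
BLAdmins:BLAdmin    rw,map=root
BLAdmins:wb238w    rw,map=root
BLAdmins:*    rw,map=root
Control_Role:*  rw,map=root
system:system    rw,map=root
root    rw,map=root
"""

def parse_entries(text):
    """Yield (role, user, options); role is None for a bare user line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split(None, 1)
        role, sep, user = fields[0].partition(":")
        if not sep:
            role, user = None, fields[0]
        opts = fields[1] if len(fields) > 1 else ""
        options = {}
        for item in opts.split(","):
            key, _, value = item.strip().partition("=")
            if key:
                options[key] = value or True  # flags such as 'rw' carry no value
        yield role, user, options

def resolve(role, user, users_local, users=""):
    """Return (file, mapped_user, options) for the first matching line."""
    # users.local is searched before users, as the reply describes
    for name, text in (("users.local", users_local), ("users", users)):
        for e_role, e_user, options in parse_entries(text):
            if e_role is None:
                hit = e_user == user  # assumption: bare line matches by user name
            else:
                hit = e_role == role and e_user in ("*", user)
            if hit:
                return name, options.get("map"), options
    return None, None, {}

def wildcard_root_grants(text):
    """Role:* lines that map every member of a role to root."""
    return [f"{r}:*" for r, u, o in parse_entries(text)
            if r and u == "*" and o.get("map") == "root"]

if __name__ == "__main__":
    print(resolve("BLAdmins", "wb238w", USERS_LOCAL))
    print(wildcard_root_grants(USERS_LOCAL))
```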



                • 5. Re: CM  host access

                  What does the permissions tab of that server object in CM look like?

                  • 6. Re: CM  host access
                    Fred Breton

                    As I said in my previous post, the right way to check the mapping is to use agentinfo, so from NSH on your appserver you'll get the mapping to hosta by running:

                    agentinfo hosta


                    By the way, this is the mapping between the account you're logged on with on the application server and hosta, and as your users file does not end with nouser, the result you'll get will be nobody:nobody.



                    • 7. Re: CM  host access
                      Bill Bruncati

                      Have some more clues. Tried the "agentinfo" via the GUI , but get nothing.


                      Tried via NSH and get :


                      root@HOSTA $PWD: agentinfo HOSTC
                      //.bladelogic grants non-owner access.
                        Agent Release   :
                        Hostname        : HOSTC
                        Operating System: SunOS 5.10
                        User Permissions: 0/0 (root/root)
                        Security        : Protocol=5, Encryption=TLS1
                        Host ID         : 83FBCE5A
                        # of Processors : 4
                        License Status  : Licensed for NSH/CM
                      root@cmsfaal1 $PWD:


                      Then I tried Adam's suggestion of checking the Server's permissions tab.  But "agentinfo" is there for the BLAdmin role

                      so not sure why "agentinfo" doesn't work from the GUI.

                      • 8. Re: CM  host access
                        Bill Robinson

                        Does the exports file on the target only allow connections from the appserver?

                        • 9. Re: CM  host access
                          Bill Bruncati



                          No, I use the standard exports file.


                          *          ro



                          • 10. Re: CM  host access
                            Bill Robinson

                            Oh, so for the log tail issue, you need to use 'bllogman' and not the normal 'tail'.  You can do something like:



                            Bllogman tail -f ///usr/nsh/log/rscd.log


                            From w/ in nsh. 


                            So you copied a file around but you still don't have access via the 'nsh here' or 'agentinfo' custom commands, and you get an error w/ your deploy job, even though you're in BLAdmins and appear to have access to the server (both directly on the agent and via the server object acls in the gui)?

                            • 11. Re: CM  host access
                              Bill Bruncati

                              Doesn't work.


                              root@cmsfaal1 $PWD: cd //CSVRTVCSCRI02
                              root@cmsfaal1 $PWD: Bllogman tail -f ///usr/nsh/log/rscd.log
                              nsh: command not found: Bllogman



                              To verify the concept.


                              From my laptop, I cannot ping nor NSH  the target server.


                              However, from my laptop, I log into CM  and can browse the server with no problems.

                              So I must be connecting  to the target via my Appserver  ( cmsfaal1 ) .  Is that correct ?


                              Now,  from within CM  ( as a user with Role of BLAdmin rw,map=root ) I can look at root files ( for ex /etc/shadow ) and I can expand

                              /usr/nsh/log . But when I try to open rscd.log from within CM, I get   " //HOSTC/usr/nsh/log/rscd.log: Permission Denied"


                              When I try to look at rscd.log from within NSH directly from my Appserver, I get the same error.






                              • 12. Re: CM  host access
                                Bill Robinson

                                You need to include the hostname in the path you send to bllogman (and it's a lowercase b, outlook auto cap'd it), so:


                                bllogman tail -f ///usr/nsh/log/rscd.log



                                So I think the problem is that the appserver can get to the target, but your laptop can't. When you run the 'nsh here' or the other custom commands, they are using the nsh binary on your laptop; they are not running 'from' the appserver host. So we need to set up the NSH Proxy on the appserver and configure your client install on your laptop w/ the proxy configuration.


                                The same applies to the live browse of the rscd.log. Because this is logging all access via blade, if you try to access it using normal commands (cp, cat, less, tail, etc.) you end up in a loop of logging that will never end. So you have to use bllogman for this task. We can create a custom command for bllogman once we get your nsh working.

                                • 13. Re: CM  host access
                                  Fred Breton

                                  It's bllogman.


                                  By the way, when you run a custom command from the UI, the host from which you're running the UI needs to be able to resolve the name of the target based on the name displayed inside the UI. If this is not the case, you won't be able to run custom commands which are local.

                                  When you're browsing a server from the UI or launching a job against some target, all access to the targets is done by the application server, so the name resolution is done by the application server.


                                  About your issue, could you provide the exports, users and users.local files you have on the application server and on the target for which you have problems?


                                  You can also find a description of the access-granting methodology for the BL Agent in the BMC BladeLogic Administration guide, from page 171.



                                  • 14. Re: CM  host access
                                    Bill Bruncati

                                    Much better. If there's a typo to make today, I've made it.



                                    root@cmsfaal1 $PWD: bllogman tail -f //CSVRTVCSCRI02/usr/nsh/log/rscd.log
                                    //.bladelogic grants non-owner access.
                                    05/18/10 19:09:07.839 INFO     rscd - 27707 0/0 (root): agentinfo: agentinfo -D //CSVRTVCSCRI02/usr/nsh/log CSVRTVCSCRI01 CSVRTVCSCRI02
                                    05/18/10 19:29:18.493 INFO     rscd - 28504 0/0 (root): nsh: /opt/nsh/bin/nsh
                                    05/18/10 19:29:18.692 INFO     rscd - 28505 0/0 (root): logman: bllogman tail -f //CSVRTVCSCRI02/usr/nsh/log/rscd.log


                                    As for proxy, that makes sense. I can't use NSH proxy.


                                    I can only use CM to access the servers.


                                    Are you saying that my CM can do things to the target server because it's automatically going through my Appserver?


                                    But when I try to use NSH from my laptop, or NSH from within CM running on my laptop, I won't be able to access the target?



