Are the Unix agents using Centrify or something similar?
I've not heard of Centrify?
We only have one agent on a test Solaris box at the moment, currently mapped to root, but that won't be allowed going forward.
How are the Unix systems talking to the domain?
Kerberos authenticating against the domain.
We haven’t tested that. You could try it – I’d set it up the same way as Windows (if you can) and see what happens.
I would have tried that but I'm not even sure how to set it up? Using Automation Principles for Windows, but you can't select an AP when setting up Unix user mapping in the roles?
Any ideas anyone?
Just to be clear.
Currently your Unix server authenticates a user against your AD correct?
If so does this mean that a user logs in as themselves and then su's or sudo's to a generic application user that has permissions to execute/access those files they need to?
The short answer is create a generic user (if you don't have one already) and then map that to a specific role on the roles 'Agent ACL' tab in RBAC.
We took it one step further and created a new Server Property called DEV_LOGIN_ACCOUNT and mapped this to one of our developer roles.
This enabled us to allow for historical servers that had different application users (they now use a generic one).
This also means that any NSH session that this role starts maps to this user.
Yes, the Unix servers authenticate against an AD. However, I think the AD domain roles actually contain Unix attributes so they don’t have to sudo....
You say create a generic user, do you mean a local or domain account? Because unfortunately we HAVE to use a domain account.
If the account shows up as local on the box (even if it’s a domain acct), then you shouldn’t need the AP. I think as long as PAM sees the acct it should work. I think this would be similar to mapping to a NIS acct. I forget though if we can do that or not.
Would an AD domain account show up as a local account on the box? Unfortunately I don’t have permissions to check!
You can map a role to any valid username, i.e. if the user can log into the server using that username then you can map to it.
There is no requirement that the user should be a "local" user.
However, I don't think you can map a user to a username; RBAC mapping is Role to username.
This means that you'd need a Domain Username created that had the correct permissions on the server and map a role to this domain user.
In our environment all Devs use their AD username and password to access our Unix servers and then they 'su' to the application user to perform any work.
So when we installed BladeLogic, we created a Developer Role that mapped to the application role.
Same steps involved to deploy except step 1 changed from "log into server using AD user and su to app user" to "log into BladeLogic using AD user/Developer Role and run job (executes as appuser)".
Hope this helps.
It depends how the Kerberos works. If I run a getentpwd (something like that) call it needs to return the user you are mapping to. If it does, we should be able to map to it; if it doesn’t then I don’t think we can. Probably easier to just try it and see.
Right, I've just found out that there are NO local users on the Solaris servers. I have a domain account with Unix attributes which will enable me to access Unix servers.
Can I just put BLAdmins:BLAdmin rw,map=domainuser and it should work? (and map to domainuser in the role)
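One way to pre-check the question in the last two posts (does the map target resolve the way `getent passwd` would, and is it not root), as an added example that is not from the thread or from BladeLogic: the entry shape `ROLE:USER PERMS,map=TARGET` is assumed to generalise the one line quoted above, and the `lookup` parameter exists only so the check can be exercised against a fake directory instead of the host's NSS.

```python
import pwd
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Assumed entry shape, generalised from the line quoted in the thread:
#   ROLE:USER PERMS,map=TARGET   e.g. "BLAdmins:BLAdmin rw,map=domainuser"
ENTRY_RE = re.compile(
    r"^\s*(?P<role>[^:\s]+):(?P<user>\S+)\s+(?P<perms>[a-z]+),map=(?P<target>\S+)\s*$"
)

@dataclass
class MappingCheck:
    line: str
    target: Optional[str]
    status: str   # "ok", "unresolved", "maps-to-root" or "malformed"
    detail: str

def resolve_uid(name: str) -> int:
    """Resolve a username through NSS, the same lookup `getent passwd` does.
    A domain account published via Kerberos/LDAP/Centrify resolves here exactly
    like an /etc/passwd entry; raises KeyError when no source knows the name."""
    return pwd.getpwnam(name).pw_uid

def check_mapping(line: str, lookup: Callable[[str], int] = resolve_uid) -> MappingCheck:
    """Validate one mapping entry: parse it, resolve the target, reject uid 0."""
    m = ENTRY_RE.match(line)
    if not m:
        return MappingCheck(line, None, "malformed", "expected ROLE:USER PERMS,map=TARGET")
    target = m.group("target")
    try:
        uid = lookup(target)
    except KeyError:
        return MappingCheck(line, target, "unresolved",
                            f"'{target}' is not known to NSS on this host; the agent cannot switch to it")
    if uid == 0:
        return MappingCheck(line, target, "maps-to-root", f"'{target}' is uid 0; the role would run as root")
    return MappingCheck(line, target, "ok", f"'{target}' resolves to uid {uid}")

def audit(entries: Iterable[str], lookup: Callable[[str], int] = resolve_uid) -> List[MappingCheck]:
    """Check every entry and return only those needing attention."""
    return [c for c in (check_mapping(e, lookup) for e in entries) if c.status != "ok"]

if __name__ == "__main__":
    # Constructed sample entries, not taken from the thread's environment.
    sample = ["BLAdmins:BLAdmin rw,map=root", "Developers:alice rw,map=domainuser", "not an entry"]
    for c in audit(sample):
        print(f"{c.status:13} {c.line!r}: {c.detail}")
```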