8 Replies Latest reply on Jun 16, 2011 9:06 AM by Amir Khamis

    automation principal for Windows user mapping

    Amir Khamis

      Hello,

      Currently I am supporting a customer that has an application which requires running scripts via NSH (command line) on Windows servers.  Customer is using users and users.local config files to map to a local admin account on each Windows server.  Customer is limited since the application requires running scripts that must run as a domain user.

      I believe I am on the right path; I do need some help in applying the final touches. Here is what I did:

      I followed the BMC BladeLogic Administration guide on page 132 (Setting up Network Shell Proxy Services for Windows user mapping).  Customer has one application server only so I used "Application Servers defined as ALL".  This was easy and worked fine.

      Using RBAC I created an automation principal that has my domain user as its principalid.

      Using RBAC I created a new role and under Agent ACL/Windows I utilized the same Automation Principal I created.

      The next step is to create a secure file. I am stuck with the secure file and what I need to have in it.   I like to get it working between my Linux BL appserver and a Windows server that I am testing with as a POC.  I created an entry like this and pasted the entry in the secure file on the Linux server (BL Server in my test case) and the Windows server.  I utilized the hosttype entry in the secure file since default and rscd will not apply to me and left them intact.

      blsrv:protocol=5:encryption=tls:appserver_protocol=ssoproxy:auth_profile=srp:auth_profiles_file=/opt/bmc/BladeLogic/version/NSH/br/authenticationProfiles.xml

      If I use NSH and connect to the windows server, I succeed.

      But I need to connect using the domain account and I thought I have to do something like this:

      I create a new auth profile with type domainauth which I did and worked fine, I acquired credential to this profile which also succeeded, I set my serviceProfileName to it and roleName to the role I have created and added my user to it, the one that utilizes the Automation Principal.  This did not work for me.

      To be honest, it is confusing a bit.

      Can you please help me understand this a little better? And see where I went wrong.

        • 1. automation principal for Windows user mapping
          Bill Robinson

          in blasadmin or the infrastructure manager ui you need to set the 'proxysvcport' to 9842 for your appserver instance and restart the appserver.  this enabled the nsh proxy. (make sure this is open through any firewall to the appserver).

           

          in the appserver's secure file you should then have only:

          rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:

          default:appserver_protocol=ssoproxy:protocol=5:tls_mode=encryption_only:encryption=tls:

           

          this configures the nsh client on the appserver to use the nsh proxy.

           

          now, when you run a job that requires nsh, it will try to use a nsh proxy, and then pickup the AP.  also make sure your users and users.local files do not have any mapping for the role w/ the AP.

          1 of 1 people found this helpful
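          A quick check for the appserver secure file described above, written as an added example (not from the thread or from BMC); it treats each line as "hosttype:key=value:...:" and asserts the two entries Bill lists, with the sample file contents constructed for the demo:

```shell
#!/bin/sh
# Added example: verify an appserver "secure" file has the proxy setup Bill describes.
# Assumes each entry is one line of the form hosttype:key=value:key=value: (constructed sample below).
check_secure_file() {
    f="$1"
    rscd=$(grep '^rscd:' "$f" | head -n 1)
    dflt=$(grep '^default:' "$f" | head -n 1)
    [ -n "$rscd" ] || { echo "missing rscd entry"; return 1; }
    [ -n "$dflt" ] || { echo "missing default entry"; return 1; }
    # the appserver's own nsh client must be routed through the nsh proxy ...
    case ":$dflt:" in
        *:appserver_protocol=ssoproxy:*) ;;
        *) echo "default entry does not use the nsh proxy"; return 1 ;;
    esac
    # ... and must not carry a client-style auth_profile (that belongs on a separate nsh client)
    case ":$dflt:" in
        *:auth_profile=*) echo "default entry carries auth_profile (client setup, not appserver)"; return 1 ;;
    esac
    # both entries keep TLS on the wire
    for e in "$rscd" "$dflt"; do
        case ":$e:" in
            *:encryption=tls:*) ;;
            *) echo "entry without encryption=tls: $e"; return 1 ;;
        esac
    done
    echo "secure file ok"
}

# constructed sample: the appserver secure file from the reply above
good=$(mktemp)
printf '%s\n' \
  'rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:' \
  'default:appserver_protocol=ssoproxy:protocol=5:tls_mode=encryption_only:encryption=tls:' > "$good"
check_secure_file "$good"

# constructed sample: the client-style entry from the original question, which the check rejects
bad=$(mktemp)
printf '%s\n' \
  'rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:' \
  'default:protocol=5:encryption=tls:appserver_protocol=ssoproxy:auth_profile=srp:' > "$bad"
check_secure_file "$bad" || echo "client-style default entry rejected as expected"
rm -f "$good" "$bad"
```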
          • 2. automation principal for Windows user mapping
            Amir Khamis

            Thanks Bill,

            this helps a lot.

            so I followed your steps and this is what I tried doing from the app server:

            I created an authprofile and called it domain:

            Name: domain

            Type: Domain Authentication

            URL: service:authsvc.bladelogic:blauth://appsrv:9840

             

            % blcred cred -acquire -profile domain

            username: myuser

            password:

            Authentication succeeded: acquired session credential

            tusk% blcli_setoption serviceProfileName domain

            tusk% blcli_setoption roleName automprin

            tusk% cd //testsrv

            SSO Error: No authentication profile has been successfully loaded. Single Sign-On connections require a valid authentication profile.

            cd: no such file or directory: //testsrv

             

            did I do something wrong? I think I have to use blcred so I can access the server.

            thanks

            • 3. automation principal for Windows user mapping
              Bill Robinson

              the blcli does not come into play here so you don't need to run that at all.

               

              the proxy setup for the appserver is a little different than how you would setup a normal nsh client.  if possible i would setup a client to use the nsh proxy - so put this in the secure file on your client system:

               

              default:protocol=5:encryption=tls:appserver_protocol=ssoproxy:auth_profile=srp:auth_profiles_file=/opt/bmc/BladeLogic/version/NSH/br/authenticationProfiles.xml

               

              and try to connect to the target server.

               

              or, i think you can set env variables like 'BL_AUTH_PROFILE_FILE' and 'BL_AUTH_PROFILE' since you aren't setting them in the appserver's secure file.

              1 of 1 people found this helpful
              • 4. Re: automation principal for Windows user mapping
                Amir Khamis

                Thanks Bill, I will try this mon and let you know.  Have a great weekend.

                 


                • 5. Re: automation principal for Windows user mapping
                  Amir Khamis

                  Bill,

                  It is working now.  I just had to use the blcred to create a profile for my BL domain account and then used blcred again to acquire the credentials for my user.  that will create C:\Users\username\AppData\Roaming\BladeLogic

                  and adds the bl_sesscc file.

                   

                  after I did that I updated the secure file exactly like you recommended and was able to connect to the agent with domain credentials.

                  I still have one final question and I am all set:

                  when connecting from a unix client with nsh and rcp installed I get prompted to choose the correct role.  so I am not yet in nsh, how do I deal with that?

                  and say I choose the role I then face another issue with BL_SRP_INFO.

                   

                  I like to be able to run a script to do all of that silently if possible.  I know what I need to do to bypass acquiring the credentials using the keytab file.

                   

                  see this output I got:

                   

                  C:\Users\ami295\AppData\Roaming\BladeLogic

                  and added command bl_sesscc file which get created in the user home folder which

                   

                  root@srvname: /root >nsh

                  Pick Role:

                  1. automprin

                  2. BLAdmins

                  3. GlobalReportAdmins

                  4. RBACAdmins

                  1

                  BladeLogic: set BL_SRP_INFO to 0x480006 to reuse user credential and role selection.

                  • 6. Re: automation principal for Windows user mapping
                    Amir Khamis

                    Hey guys,

                    Please see my last post, I really need some help so I can script this.  Is it possible to set this as environment variables somehow?

                    • 7. Re: automation principal for Windows user mapping
                      Bill Robinson

                      you can ignore the "BladeLogic: set BL_SRP_INFO to 0x52802c to reuse user credential and role selection" line.  for the role selection you can do:

                       

                      #export BL_RBAC_ROLE=<your role>

                      #nsh

                      • 8. Re: automation principal for Windows user mapping
                        Amir Khamis

                        Thanks for getting back Bill.  Every NSH session spits out a different BL_SRP_INFO! Can I capture any hex value and use it in the script all the time using any user? I guess I don't understand yet why this is needed and why it is only applicable for UNIX and not Windows.  I will try exporting the role and get back.

                        thank you so much for all the help on this.