28 Replies, latest reply on Dec 8, 2011 12:45 PM by Nick Sinclair

    Automation Principal issues

      Hello. I've read through some other questions on here about Automation Principals and have read through the BL User Guide, but I'm still having some issues.


      Here's a quick summary of the situation. We have an NSH proxy set up which is confirmed to work by one of our other admins. I've created an Automation Principal in BladeLogic associated to an AD user designated for this purpose and created a BL user for this AD user. I've created a role designated for Automation Principals, with full authorizations and nsh commands, and assigned the BL user to it. If I try to nsh to a server using the Automation Principal I've created via a blcred impersonation I keep getting "(role:user@domain)nsh: Failed to map user to local user". I haven't made any changes to the exports, users, or users.local file as I don't believe these are used with Automation Principals.


      I'm not sure where the disconnect is. A few questions I did have which the documentation wasn't too specific on:


      For the Automation Principal, the "Principal ID" should be set as the AD user I want to impersonate, right? If so, do I need to include the @domain.com with it?

      For the role I created for Automation Principals, since I will be using this on Windows machines, is the only setting I need to configure to set the "Automation Principal" on the Windows tab to the Automation Principal I created?

      For the BL user I created to associate with the AD user, all I should have to do is assign it to the role I created for Automation Principals, right?


      Please let me know any additional details I could provide, or if my explanation was too confusing. I'm pretty new to BladeLogic as a whole.

        • 1. Automation Principal issues
          Bill Robinson

          The Command Authorizations are set up such that if you add one of them, that is the only one allowed.  If you don't specify any Command Authorizations, you get all of them.  But I don't think that is your issue.

          can you run this nsh attempt again, and watch the rscd.log on the target?  and then paste in the connection attempt?  you may want to put the agent log in debug mode (the rscd logger in log4crc.txt)


          I believe w/ the AP you specify the user name and domain on separate lines.  If not, then the user@domain.com should work.

          • 2. Automation Principal issues

            The rscd.log gave:

            11/23/11 13:16:26.644 WARN     rscd - 2636 SYSTEM (automprin:blautomprinusr@domain.com): nsh: Failed to map user to local user


            I'll work on the debug mode next.

            • 3. Re: Automation Principal issues
              Bill Robinson

              Your target server is in the domain?  You can login to that server w/ those creds?  The user in the AP has all the appropriate rights assigned in the Domain Policy? (logon as batch job, I think a couple others)

              • 4. Automation Principal issues

                Correct, target server is in the same domain. The credentials are an administrator on the target server and can login without issue. I believe all rights should be covered by being in the administrators group.

                • 5. Re: Automation Principal issues

                  I wouldn’t be so sure about that last one Nick. The user rights assignment has nothing to do with permissions. Check that the policy has the user or the administrator group specified in “Allow logon as batch job”. In the target server’s security log, do you see type 4 logins being denied?

                  • 6. Automation Principal issues

                    Checking the "Logon as batch job" the Administrators group is listed as having this right.


                    Watching the security log while attempting nsh all I see are some successful Registry category events and successful "Other Object Access Events" which refer to PlugPlayManager.

                    • 7. Re: Automation Principal issues

                      How is your autoprin setup? I don’t think you can set it up as user@domain.com . I think you have to specify the domain in the domain field and only the user’s UPN(blautomprinusr) in the username field.

                      • 8. Automation Principal issues

                        I've been trying both ways just as a test. Currently I have just the UPN as the Principal ID (I've removed the @domain.com since my previous post) and have included the domain in the domain field.

                        • 9. Re: Automation Principal issues

                          Has the rscd log changed as well?

                          • 10. Automation Principal issues

                            It's logging the same thing. This makes me think the user being listed in the rscd.log is the BL user and not the AD user - we have been setting up our BL user names as user@domain.com. If this is the case, would it indicate I'm not hitting the nsh proxy?


                            The way I've been performing the nsh commands is by doing


                            %blcred authprofile -add -profile <profile name> -username <user name as configured in BL> -password <password>

                            %blcred cred -acquire -profile <profile name> -username <user name as configured in BL> -password <password>

                            Authentication succeeded: acquired session credential

                            %cd //<target machine name>


                            After the first time I did the "blcred authprofile -add" command I get the option of which role I want to use when I start nsh, so I just select the one for the profile I created.

                            • 11. Re: Automation Principal issues

                              That doesn’t mean you are or aren’t using the proxy. Can you paste the contents of your secure file into the body? If you fire up NSH without using blcred, does it give you a message about local usage only?

                              • 12. Re: Automation Principal issues
                                Bill Robinson

                                can you paste the log entry?  you should see a mapping of the from and to user in the log.


                                also - you may need to remove all mapping entries for your role from users and users.local on the target.

                                • 13. Automation Principal issues

                                  As soon as I launch nsh I'm prompted with the list of Roles to choose from between the Automation Principal role and the BLAdmin role. I do not get the local use only error.


                                  The secure file is below. PROD01 is the server I'm attempting NSH from.

                                  #PROD01:protocol=5:encryption=tls:appserver_protocol=ssoproxy:auth_profile=blserver:auth_profiles_file="C:\Program Files\BMC Software\BladeLogic\8.0\NSH\br\authenticationProfiles.xml"


                                  default:protocol=5:encryption=tls:appserver_protocol=ssoproxy:auth_profile=blserver:auth_profiles_file=/c/Program Files/BMC Software/BladeLogic/8.0/NSH/br/authenticationProfiles.xml

                                  • 14. Automation Principal issues

                                    Bill, with no entries in users or users.local for the Automation Principal user, I get the following log entry when I try to nsh:


                                    11/23/11 14:38:41.097 WARN     rscd - 2660 SYSTEM (automprin:blautomprinusr@domain.com): nsh: Failed to map user to local user
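A small triage helper for the rscd.log lines quoted in this thread, added here as an example and not something from BMC or from anyone in the thread. It parses the line shape shown above (date, time, level, "rscd - <pid>", an account field, a parenthesised role:user pair, then the message) and pulls out every "Failed to map user to local user" event grouped by role and user; the field names and the one non-failure sample line are my own constructions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Line shape taken from the rscd.log entries quoted in this thread, e.g.
# "11/23/11 13:16:26.644 WARN     rscd - 2636 SYSTEM (automprin:blautomprinusr@domain.com): nsh: Failed to map user to local user"
RSCD_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+rscd - (?P<pid>\d+) (?P<acct>\S+) "
    r"\((?P<role>[^:()]+):(?P<user>[^)]+)\): (?P<msg>.*)$"
)

@dataclass
class RscdEvent:
    date: str
    time: str
    level: str
    pid: int
    acct: str       # field between the pid and the principal ("SYSTEM" in the thread's lines); name is my assumption
    role: str       # BladeLogic role in the parenthesised pair (e.g. automprin)
    user: str       # user half of the pair, exactly as the agent logged it (may carry @domain)
    msg: str

    @property
    def mapping_failed(self) -> bool:
        return "Failed to map user to local user" in self.msg

def parse_rscd_line(line: str) -> Optional[RscdEvent]:
    """Return an RscdEvent for a line in the quoted format, or None for anything else."""
    m = RSCD_LINE.match(line.strip())
    if not m:
        return None
    return RscdEvent(m["date"], m["time"], m["level"], int(m["pid"]),
                     m["acct"], m["role"], m["user"], m["msg"])

def mapping_failures(lines) -> List[RscdEvent]:
    """All user-mapping failures in the given log lines, in order."""
    return [ev for ev in map(parse_rscd_line, lines) if ev and ev.mapping_failed]

def failures_by_principal(lines) -> Counter:
    """Count mapping failures per (role, user) so the failing principal is obvious at a glance."""
    return Counter((ev.role, ev.user) for ev in mapping_failures(lines))

# Constructed sample: the two lines quoted in this thread plus one made-up non-failure line.
SAMPLE_LOG = [
    "11/23/11 13:16:26.644 WARN     rscd - 2636 SYSTEM (automprin:blautomprinusr@domain.com): nsh: Failed to map user to local user",
    "11/23/11 14:38:41.097 WARN     rscd - 2660 SYSTEM (automprin:blautomprinusr@domain.com): nsh: Failed to map user to local user",
    "11/23/11 14:40:02.010 INFO     rscd - 2660 SYSTEM (BLAdmin:admin@domain.com): nsh: constructed sample line, not a failure",
]

if __name__ == "__main__":
    for (role, user), n in failures_by_principal(SAMPLE_LOG).items():
        print(f"{n} mapping failure(s) for role={role} user={user}")
```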
