If you have access to the appserver.log file, can you let us know the error for permission denied?
If not, can you let us know which permissions are granted to the role that you are pushing the ACLs from?
Check whether the exports file is properly set.
This is what I have in the exports file:
# NSH-only ACLs
Let me know if they are correct or not
I am new to BL and I am not aware of the appserver.log file. Can you tell me where it is located? Are appserver.log and rscd.log the same?
I am trying to execute this BL job using the BLadmin role.
Try user=root instead of map=root in the exports file.
Also, it looks like ACLs are already pushed on the agent, as the users file entries are populated.
You can try clearing the users file before re-attempt ACL Push, just to confirm if things work fine.
Appserver logs and RSCD logs are different.
The appserver.log file is usually in the following location on the appserver machine:
Windows machines: C:\Program Files\BMC Software\BladeLogic\version\NSH\br\appserver.log
Unix platforms: /opt/bmc/BladeLogic/version/NSH/br/appserver.log
And RSCD logs are usually in:
Windows machines: C:\Program Files\BMC Software\BladeLogic\version\RSCD\rscd.log
Unix platforms: /opt/bmc/BladeLogic/version/RSCD/rscd.log
These are the default paths.
It seems the problem is with permissions.
Would you please share the contents of the users.local file and, as Anurag asked, appserver.log & rscd.log?
Since you are using the BLAdmins Role, it's not a problem of authorizations.
Still, confirm that it has the ACL push authorization.
exports, users & user:role (BLAdmin:BLAdmins), all are correct. It will be easier to find out the cause if you provide logs & exact error.
In your environment, it looks like ACLs are already pushed. But in general, ACL Push will succeed even if ACLs are already pushed.
Please run the ACL push job that is causing a problem and then get the /opt/bmc/bladelogic/NSH/log/rscd.log file and attach it to this thread.
Did this get resolved?
Please share the solution with the community, and if any of the previous posters provided a helpful or correct reply, please mark it accordingly.
This is for the benefit of everyone that uses the forums.
Thanks & Regards,
Jim (Forum Admin)
Prateek, since you say you are a new BSA user, let me simplify the common security files used by the Agents.
exports - this allows you to limit which servers are allowed to communicate with the Agent. The default is (* rw) which means allow connections from all servers (*) and give them read/write (rw) permissions. If you want to only allow connections from an application server(s) you can add (appservername rw). You can also give read only permission (ro) at this level and give read/write permissions in another security file. You can also map to a user here, but I don't recommend it unless you're installing content. Our instructions sometimes recommend you set exports to (* rw,user=localAdminAccount) to install content, but then remove that permission afterwards.
users.local - this allows you to map Roles and Users to a local administrator account. The syntax is usually (Role:User rw,map=localAdminAccount). As a best practice you want to have a BLAdmins Role entry in case you make a mistake pushing ACLs. I usually add (BLAdmins:* rw,map=localAdminAccount) as a default. That way anyone in the BLAdmins group can access the server if ACLs are incorrect. On the File Server only you also want to add (System:System rw,map=localAdminAccount).
users - this file gets populated when you run an ACL job.
Even I am facing the same error
rscd log says
BladeLogicRSCD@BBSA->Anonymous:PrivilegeMapped (BLAdmins:BLAdmin): CM: > [Client] Pushing of AgentACL to BBSA succeeded
Check your 'users' file and check what permissions your ID is mapped to. In case this is wrong, please delete the users entry and push the agent ACL again from the console.
Right - what's happening here is that the BladeLogic role:user of BLAdmins:BLAdmin is connecting to the target for the ACL push. To write the ACL files, this connection needs to be mapped to a local user w/ write rights on the ACL files. As you can see in the agent log, BLAdmins:BLAdmin is being mapped to 'anonymous', which probably does not have the ability to write to the files. Now - it should not say the attempt was a success, so that's probably a defect if the ACLs were not written. So you need to map BLAdmins:BLAdmin to an account that can write the files - like 'Administrator' (or root on a unix system).
Also - is this a domain controller or standalone/member server?
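
Added example, not part of the original thread and not BMC code: a small Python check for the situation described in the replies above, where the agent log shows a role:user mapped to Anonymous. It assumes log lines shaped like the one quoted in the thread and ACL entries shaped like `Role:User rw,map=account`, with the first matching entry used; the function names and sample data are hypothetical.

```python
import re

# Shape taken from the rscd.log line quoted in this thread:
#   <agent>@<host>-><local account>:PrivilegeMapped (<Role>:<User>): ...
MAPPED = re.compile(r"->([^:\s]+):PrivilegeMapped\s+\(([^:()\s]+):([^()\s]+)\)")

# Constructed sample input. The first entry is the line quoted in the thread;
# the second is a made-up line of the same shape where the mapping worked.
_TAIL = " (BLAdmins:BLAdmin): CM: > [Client] Pushing of AgentACL to BBSA succeeded"
SAMPLE_LOG = ["BladeLogicRSCD@BBSA->Anonymous:PrivilegeMapped" + _TAIL,
              "BladeLogicRSCD@BBSA->Administrator:PrivilegeMapped" + _TAIL]
SAMPLE_USERS_LOCAL = ["# constructed users.local", "BLAdmins:* rw,map=Administrator"]


def anonymous_mappings(log_lines):
    """Return sorted (role, user) pairs that the agent mapped to Anonymous."""
    hits = set()
    for line in log_lines:
        m = MAPPED.search(line)
        if m and m.group(1).split("@")[0].lower() == "anonymous":
            hits.add((m.group(2), m.group(3)))
    return sorted(hits)


def mapped_account(acl_lines, role, user):
    """Return the map= account of the first entry matching role:user, else None.

    Assumption: entries look like 'Role:User rw,map=account' (parentheses are
    tolerated, as written in the thread) and '*' matches any role or user.
    """
    for raw in acl_lines:
        entry = raw.strip().strip("()")
        if not entry or entry.startswith("#"):
            continue
        who, opts = (entry.split(None, 1) + [""])[:2]
        r, _, u = who.partition(":")
        if r in (role, "*") and u in (user, "*"):
            m = re.search(r"\bmap=([^,\s]+)", opts)
            return m.group(1) if m else None
    return None


def report(log_lines, acl_lines):
    """One line per role:user seen as Anonymous, with what the ACL file maps it to."""
    return [f"{r}:{u} reached the agent as Anonymous; ACL file maps it to "
            f"{mapped_account(acl_lines, r, u) or 'no local account'}"
            for r, u in anonymous_mappings(log_lines)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, SAMPLE_USERS_LOCAL)))
```

Run it against the agent's rscd.log and its users or users.local file to see which role:user pairs fall through to Anonymous and whether a map= entry exists for them.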