What are you trying to import?
Sorry. My bad.
I am trying to import an agent.
With what user are you trying to import the agent? Does that user have the correct mapping on the agent?
Can you please also attach the rscd.log file here?
See the rscd log file attached.
The main messages I see are the following two lines:
08b9783d988dd6921de2 0000000033 07/11/13 09:55:16.171 ERROR rscd - RLM-BCCWDVAPP01 3460 SYSTEM (Not_available): (Not_available): User Impersonation Failed ; Error Location: RSCD_WinUser::initFromUsernameDomainW:LookupAccountNameW ; Error Message: No mapping between account names and security IDs was done. ; Auxiliary Error Message: Account: RLM-BCCWDVAPP01\BLADmin
b8b0f555494f8e9e0371 0000000034 07/11/13 09:55:16.186 WARN rscd - 10.193.56.141 3460 SYSTEM (BLAdmins:BLAdmin): CM: Impersonation failed
BLAdmin is mapped to an AP which is a domain user and is part of the local administrator group on target. It currently works on other servers.
Follow the steps below and try to import. Sometimes, even if the domain user is part of the Administrator group, you still need to add the user to "log on as batch job" explicitly.
- Type in secpol.msc /s
- Select "Local Policies" in the MSC snap-in
- Select "User Rights Assignment"
- Right-click on "Log on as batch job" and select Properties
- Click "Add user and Group" and include the relevant user (based on your log, the user is: RLM-BCCWDVAPP01\BLADmin)
- Try importing the server again
My domain user name is SYSDEV\BLADmin.
SYSDEV is the domain and BLADmin is the user name. This is already added in the GPO policy for "Logon as a batch job".
In the log file, I see that it is trying to map RLM-BCCWDVAPP01\BLADmin.
RLM-BCCWDVAPP01 is the host name. So, it is changing the domain SYSDEV to host name before impersonating.
This doesn't make any sense.
Then check your Automation Principal setting. Is it mapping correctly with the domain?
If the agent is not registered w/ the appserver yet, you need to have the UPM mapping work until the appserver can identify the target OS, then the AP will be used. Otherwise it has no idea if it's Unix or Windows.
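Added example, not part of the thread or of BladeLogic: a small Python parser for rscd.log lines that lists impersonation failures and flags the case discussed above, where the account was looked up under the agent's own host name instead of a domain. The field layout is an assumption inferred from the two log lines quoted in the thread, and the third sample line is constructed from the error text quoted later in the thread.

```python
import re

# Layout inferred from the quoted lines (assumption, not a documented format):
# id, sequence, date, time, level, "rscd -", peer, pid, then the message.
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<level>[A-Z]+)\s+"
    r"rscd\s+-\s+(?P<peer>\S+)\s+(?P<pid>\d+)\s+(?P<msg>.*)$"
)
ACCOUNT_RE = re.compile(r"Account: (?P<domain>[^\\\s]+)\\(?P<user>\S+)")
LOCATION_RE = re.compile(r"Error Location: (?P<loc>[^;]+?) ;")

def impersonation_failures(lines, agent_host):
    """Return one record per detailed 'Impersonation Failed' entry."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or "Impersonation Failed" not in m["msg"]:
            continue
        acct = ACCOUNT_RE.search(m["msg"])
        loc = LOCATION_RE.search(m["msg"])
        domain = acct["domain"] if acct else None
        findings.append({
            "time": m["date"] + " " + m["time"],
            "location": loc["loc"].strip() if loc else None,
            "account": domain + "\\" + acct["user"] if acct else None,
            # True when the lookup used HOSTNAME\user, i.e. a local account
            "local_lookup": bool(domain) and domain.lower() == agent_host.lower(),
        })
    return findings

SAMPLE = [
    # First two lines are the ones quoted in the thread.
    r"08b9783d988dd6921de2 0000000033 07/11/13 09:55:16.171 ERROR rscd - RLM-BCCWDVAPP01 3460 SYSTEM (Not_available): (Not_available): User Impersonation Failed ; Error Location: RSCD_WinUser::initFromUsernameDomainW:LookupAccountNameW ; Error Message: No mapping between account names and security IDs was done. ; Auxiliary Error Message: Account: RLM-BCCWDVAPP01\BLADmin",
    "b8b0f555494f8e9e0371 0000000034 07/11/13 09:55:16.186 WARN rscd - 10.193.56.141 3460 SYSTEM (BLAdmins:BLAdmin): CM: Impersonation failed",
    # Constructed line: id, sequence, timestamp and peer are made up.
    "0000000000000000aaaa 0000000035 07/11/13 09:56:00.000 ERROR rscd - 10.0.0.1 3460 SYSTEM (BLAdmins:BLAdmin): Impersonation Failed ; Error Location: WinAgent.cpp::impersonate_lsa ; Error Message: The operation completed successfully. ; Auxiliary Error Message: windows user privilege mapping disable",
]

if __name__ == "__main__":
    for f in impersonation_failures(SAMPLE, "RLM-BCCWDVAPP01"):
        print(f)
```

A record with `local_lookup` set means the agent tried to resolve a local account of that name; a record with no account at all, as in the constructed line, points at the privilege mapping setting rather than at the account.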
I'm currently having the same error messages:
1. Login not allowed for user
2. impersonation failed
3. Impersonation Failed ; Error Location: WinAgent.cpp::impersonate_lsa ; Error Message: The operation completed successfully. ; Auxiliary Error Message: windows user privilege mapping disable
The scenario is the following:
I have two BladeLogic environments and I'm trying to access the RSCD Agent on a Windows Server Domain Controller from both environments.
I've disabled the local user mapping because it is a Windows DC with the chapw -d command.
From the first environment the access is working perfectly.
From the second environment with the same settings and properties (automation principal etc.) I get the error messages from above.
I'm happy to hear any ideas about solving the problem.
When you communicate w/ the 2nd env, are you going through an nsh proxy? And the AP that you 'map' to in the 2nd env, is that set up correctly?
Thanks for your fast reply.
I can say Yes to both of your questions.
Just some minutes ago we found a solution for how we can contact the agent from the second environment successfully.
We enabled privilege mapping (chapw -e) from the first environment again on the target agent. Once connected from the second environment we can disable the mapping again and the connection is still possible from both environments.
I never had the experience that just adding a reg key by running chapw can cause such behaviour.
Thanks and regards,
I'm not sure what you mean - it seems that you had UPM disabled and one of the environments was not talking through an nsh proxy, so the AP was not picked up, and in that case nsh would try to use UPM, which failed because it was disabled. If you use chapw to enable or disable UPM, that is for the agent, regardless of where the nsh connection comes from.