I am attempting to use Automation Principals (AP) to map BSA users to Windows Domain Accounts, for the purposes of access control to RSCD agent endpoint servers. I do not believe I have configured my environment correctly, and am struggling to find the solution.
This is what I have in my environment:
1x Console Server (ConServer)
1x App Server - of type ALL (AppServer)
1x Windows Endpoint Server (WinServer)
I have configured the AppServer to also act as an NSH Proxy Server. My understanding is that APs only work if you are using an NSH Proxy Server. I have confirmed that the NSH Proxy Server is working correctly, as I have reviewed the AppServer appserver.log and can see specific entries in there of the type "[BLSSOPROXY] NSH Proxy Connection Created and Verified".
I have defined a new AP which specifies my Windows Domain user account ID, domain name, and passphrase. I have associated this with a Role, and within that Role I have defined: Agent ACL->Windows->Automation Principal->Map to-> and then specified the relevant AP.
I have added the Role to my own BSA user account.
My WinServer is configured as follows:
exports file: single line of the form <AppServer IP address> rw
(I am allowing connections from AppServer only, since my understanding is all connections will now be routed via the NSH Proxy Server).
users file: single line of the form "nouser"
users.local file: no entries
(I understand that when using AP the local users and users.local files are no longer used on the target server).
I now performed a test using an NSH command line.
I logged onto my ConServer.
Opened a command prompt.
Set my NSHDIR env variable (e.g. set NSHDIR=C:/Program Files/BMC Software/BladeLogic/NSH)
Ran "nsh" to open an nsh session.
At the "Pick Role" prompt I selected the relevant Role (that is linked to the AP).
Ran "blcred cred -acquire" to acquire a session credential for this NSH command line session.
I received the "Authentication succeeded: acquired session credential" message.
I then ran the following command: agentinfo <WinServer IP>
I received the error "No authorisation to access host".
The rscd.log on WinServer shows:
SYSTEM (<role>:<user>): agentinfo: Failed to map user to local user
I am puzzled by this, as surely the AP should be used now? Shouldn't this be mapping my BSA user account to the Windows Domain user account, as specified in the AP? Could it be that the AP is not actually being used, in which case the access method is simply falling back to the users file - and because that contains only "nouser" it is denying my access?
As another test I removed the "nouser" entry from the users file, and re-ran the above test. This time the command completes successfully. However, note the following in the rscd.log:
BladeLogicRSCD@<WinServer>->Anonymous:PrivilegeMapped (<Role>:<user>): agentinfo: agentinfo
This indicates to me that my incoming connection was unable to be mapped to any user account on WinServer, and was thereby taken as anonymous. Because the "nouser" has been removed from the users file, this access is therefore granted. But, again, this appears to show that the AP was not used, as the Windows Domain user account was not used for the mapping.
Is my understanding of AP fundamentally wrong? Am I attempting to perform a task that isn't supported? Or have I missed a configuration step somewhere? I guess I could set the exports file on WinServer to also include user=<Windows Domain user account>, but wouldn't that negate the whole concept of using AP - as they are supposed to provide the mapping?
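The two rscd.log lines quoted above are the evidence that matters here: "Failed to map user to local user" is the agent refusing the caller, while "->Anonymous:PrivilegeMapped" is the agent running the command with no user mapping at all, which is what happens once the users file no longer carries a "nouser" entry. The following is an added example (not part of the original post, and not BMC's own code) that classifies rscd.log lines into those two cases plus the healthy case of a named local account. The line shapes it parses are assumed from the excerpts in the post; real rscd.log lines carry a timestamp and other prefix fields, so the patterns are searched rather than anchored. The sample log lines, host name, role and user names are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern for the denial shown in the post, e.g.
#   SYSTEM (<role>:<user>): agentinfo: Failed to map user to local user
# (shape assumed from the post's excerpt; a timestamp prefix is tolerated by search()).
FAILED_MAP = re.compile(
    r"\((?P<role>[^:()]+):(?P<user>[^)]+)\):\s*(?P<cmd>\w+):\s*Failed to map user to local user"
)

# Pattern for a mapped (or anonymous) execution, e.g.
#   BladeLogicRSCD@<host>->Anonymous:PrivilegeMapped (<role>:<user>): agentinfo: agentinfo
# (shape assumed from the post's excerpt; "local" may be a DOMAIN\account value).
MAPPED = re.compile(
    r"BladeLogicRSCD@(?P<host>\S+)->(?P<local>[^:\s]+):(?P<mode>\w+)\s+"
    r"\((?P<role>[^:()]+):(?P<user>[^)]+)\):\s*(?P<cmd>\w+):"
)


@dataclass
class Finding:
    severity: str          # "high", "info" or "ok"
    reason: str
    role: str
    user: str
    command: str
    local_account: Optional[str] = None


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for a recognised rscd.log line, or None for anything else."""
    m = FAILED_MAP.search(line)
    if m:
        # The agent could not map the caller to a local account and denied the call.
        return Finding("info", "user mapping failed; agent denied the call",
                       m["role"], m["user"], m["cmd"])
    m = MAPPED.search(line)
    if m:
        local = m["local"]
        if local.lower() == "anonymous":
            # No users/exports rule mapped the caller, yet the command ran: this is
            # the situation the post describes after removing "nouser".
            return Finding("high",
                           "command executed as Anonymous; no user mapping restricted the caller",
                           m["role"], m["user"], m["cmd"], local)
        return Finding("ok", f"mapped to local account {local}",
                       m["role"], m["user"], m["cmd"], local)
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Classify every line; unrecognised lines are dropped."""
    return [f for f in (classify_line(l) for l in lines) if f is not None]


def anonymous_executions(lines: List[str]) -> List[Finding]:
    """Only the findings a defender would page on: commands that ran as Anonymous."""
    return [f for f in scan(lines) if f.severity == "high"]


# Constructed sample rscd.log lines (not taken from a real agent).
SAMPLE_LOG = [
    "SYSTEM (BLAdmins:jsmith): agentinfo: Failed to map user to local user",
    "BladeLogicRSCD@WinServer->Anonymous:PrivilegeMapped (BLAdmins:jsmith): agentinfo: agentinfo",
    "BladeLogicRSCD@WinServer->CORP\\svc_bsa:PrivilegeMapped (BLAdmins:jsmith): nexec: nexec",
    "some unrelated rscd.log line",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.role}:{f.user} {f.command} -> {f.reason}")
```

Run over a real rscd.log, any "high" finding means the exports/users configuration is granting anonymous access rather than mapping the caller through the intended account; the "info" denials are what you expect to see while the mapping is still broken, and "ok" lines with the expected domain account are the state the post is trying to reach.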