Unsupported content: This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Creating the blclient_krb5.conf file


Use this procedure to create the blclient_krb5.conf file. This file provides necessary Kerberos configuration information.

To create the blclient_krb5.conf file

  1. Create a text file like the following: 


    [libdefaults]
      ticket_lifetime = 6000
      default_realm = <CLIENT_DOMAIN>

    [realms]
      <CLIENT_DOMAIN> = {
        kdc = <CLIENT_DOMAIN_KDC>:88
      }
      <SERVICE_PRINCIPAL_DOMAIN> = {
        kdc = <SERVICE_PRINCIPAL_DOMAIN_KDC>:88
      }
      <PARENT_DOMAIN> = {
        kdc = <PARENT_DOMAIN_KDC>:88
      }

    [domain_realm]
      .<CLIENT_DOMAIN> = <CLIENT_REALM>
      .<SERVICE_PRINCIPAL_DOMAIN> = <SERVICE_PRINCIPAL_REALM>
      .<PARENT_DOMAIN> = <PARENT_REALM>

    In this text file:
    • <CLIENT_DOMAIN> is the realm containing the user's workstation, where the BMC Server Automation client is running. For example:
      SUB1.DEV.MYCOMPANY.COM
    • <CLIENT_DOMAIN_KDC> is the host name where the Active Directory server is running in your client's realm. For example:
      kdc.SUB1.DEV.MYCOMPANY.COM
      This is the value you obtained when you ran the nslookup command, as described in Locating the Active Directory KDC for the client's domain.
    • <SERVICE_PRINCIPAL_DOMAIN> is the realm where the keytab file was created. For example:
      SUB2.DEV.MYCOMPANY.COM
    • <SERVICE_PRINCIPAL_DOMAIN_KDC> is the host name where the Active Directory server is running in the realm where the keytab file was created. For example:
      kdc.SUB2.DEV.MYCOMPANY.COM
      This is the value you obtained when you ran the nslookup command, as described in Locating the Active Directory KDC for the service principal's domain.
    • In the [domain_realm] section, <SERVICE_PRINCIPAL_DOMAIN> provides DNS names. A period before a DNS name indicates that you are mapping every system with a DNS name ending with that value to a corresponding Kerberos realm. For example:

      .sub1.dev.mycompany.com = SUB1.DEV.MYCOMPANY.COM
      .sub2.dev.mycompany.com = SUB2.DEV.MYCOMPANY.COM
      .dev.mycompany.com      = DEV.MYCOMPANY.COM

  2. Do one of the following:
    • (UNIX) Save the file to the /NSH/br directory with the name blclient_krb5.conf.
      For example, if BMC Server Automation is installed in the default location, the file should be located as follows:
      /opt/bmc/bladelogic/NSH/br/blclient_krb5.conf
    • (Windows) Save the file to the \NSH\br directory with the name blclient_krb5.conf.
      For example, if BMC Server Automation is installed in the default location, the file should be located as follows:
      C:\Program Files\BMC Software\BladeLogic\NSH\br\blclient_krb5.conf

If there is no direct trust between the two child domains, you must add additional domains to the [realms] section of the blclient_krb5.conf file. These additional domains specify the explicit path you must traverse from the first child domain, up the tree to the root domain and back down to the other child domain. For example, using the examples in Sample domain structure, assume that there is no direct trust between the child domains SUB1.DEV.MYCOMPANY.COM and SUB2.DEV.MYCOMPANY.COM. In this case, the [realms] section would look something like this:

    [realms]
      SUB1.DEV.MYCOMPANY.COM = {
        kdc = kdc.SUB1.DEV.MYCOMPANY.COM:88
      }
      DEV.MYCOMPANY.COM = {
        kdc = kdc.DEV.MYCOMPANY.COM:88
      }
      SUB2.DEV.MYCOMPANY.COM = {
        kdc = kdc.SUB2.DEV.MYCOMPANY.COM:88
      }
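
The check below is an added example, not part of the BMC documentation: it parses a krb5.conf-style file and reports which realms on the path between the client's default realm and the service principal's realm have no kdc entry in [realms]. It assumes that realm names mirror the DNS hierarchy and that the path turns at the nearest common ancestor (DEV.MYCOMPANY.COM in the sample); the function names and the sample text are constructed for illustration.

```python
# Constructed sample built from the page's example names. The parent realm
# DEV.MYCOMPANY.COM is deliberately left out of [realms].
SAMPLE = """\
[libdefaults]
  default_realm = SUB1.DEV.MYCOMPANY.COM
[realms]
  SUB1.DEV.MYCOMPANY.COM = {
    kdc = kdc.SUB1.DEV.MYCOMPANY.COM:88
  }
  SUB2.DEV.MYCOMPANY.COM = {
    kdc = kdc.SUB2.DEV.MYCOMPANY.COM:88
  }
"""

def parse(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.conf-style text."""
    default, realms, section, realm = None, {}, None, None
    for line in (l.split("#")[0].strip() for l in text.splitlines()):
        if line.startswith("["):
            section, realm = line.strip("[]"), None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if section == "realms" and val == "{":
                realm = key
                realms[realm] = []
            elif section == "realms" and key == "kdc" and realm:
                realms[realm].append(val)
            elif (section, key) == ("libdefaults", "default_realm"):
                default = val
    return default, realms

def trust_path(client, service):
    """Realms crossed: up from client to the nearest common ancestor, then down."""
    c, s = client.split("."), service.split(".")
    n = 0  # number of trailing labels the two realm names share
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    up = [".".join(c[i:]) for i in range(len(c) - n + 1)]
    down = [".".join(s[i:]) for i in range(len(s) - n - 1, -1, -1)]
    return [r for r in up + down if r]

def missing_realms(text, service_realm):
    """Realms on the trust path that have no kdc entry in [realms]."""
    default, realms = parse(text)
    if not default:
        raise ValueError("[libdefaults] has no default_realm")
    return [r for r in trust_path(default, service_realm) if not realms.get(r)]
```

Run `missing_realms()` against the contents of blclient_krb5.conf with the realm where the keytab file was created; an empty list means every realm on the path has a KDC defined.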

Where to go from here

See Updating the config.properties file.

 


BMC Server Automation 8.3