Solved: Automate Administrators creation on R80.10 SMS

Juan_Carlos · ‎2018-08-20

Hello,

I need to find a way to automate Administrators creation with RADIUS authentication on several Security Sanagement Servers. I don't want the RADIUS administrator to connect on each Security Management Server to creates the Administrators (he is not allowed to do that). I have tried to use the API but unfortunately I got the following message telling me it's not supported :

[sms]# mgmt_cli --port <PORT> -u <USER> -p <PASSWORD> add administrator name "<NAME>" authentication-method "radius" radius-server "<RADIUS_SERVER>"
code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

Executed command failed. Changes are discarded.
[sms]#

Any idea/trick that I could use to achieve what I want to do?

Thanks

PhoneBoy · ‎2018-08-21

You just need to add:

domain "System Data"

To your command.

View solution in original post

Marco_Valenti · ‎2018-08-21

As the command say this syntax should be used for multi domain env , if you have a smart center you probably need to fix the syntax of this command seems that a permission profile is missing too

Those are example from the api reference

add-administrator

Command

add administrator name "admin" password "secret" must-change-password false email "admin@gmail.com" phone-number "1800-800-800" authentication-method "INTERNAL_PASSWORD" permissions-profile "read write all" --format json  • "--format json" is optional. By default the output is presented in plain text.  • This command is available using the SmartConsole CLI only on a Multi Domain environment and when logged into the MDS domain.

add-administrator (domain super user) in MDM

Command

add administrator name "super_admin" password "aaaa" must-change-password false email "admin@gmail.com" phone-number "1800-800-800" authentication-method "INTERNAL_PASSWORD" multi-domain-profile "domain super user" --format json  • "--format json" is optional. By default the output is presented in plain text.  • This command is available using the SmartConsole CLI only on a Multi Domain environment and when logged into the MDS domain.

Juan_Carlos · ‎2018-08-21

Hello Marco,

Thanks for your quick reply.

I'm not sure I understand what you mean. Even if specifying a permission profile, the examples from the API reference guide says that this "is available using the SmartConsole CLI only on a Multi Domain environment". So it won't work on a SMS

Did I miss something?

Marco_Valenti · ‎2018-08-21

Indeed I have missed that part too early morning here so seems that is not supported on a sms sorry for that

Juan_Carlos · ‎2018-08-21

No problem

PhoneBoy · ‎2018-08-21

You just need to add:

domain "System Data"

To your command.

View solution in original post

Juan_Carlos · ‎2018-08-22

Hi Dameon,

It's working, thanks for your help

Marco_Valenti · ‎2018-08-22

a true jedi master advice

weaamna · ‎2019-03-17

--domain 'System Data'

Václav_Brožík · ‎2019-06-26

For me domain "System Data" does not help. I have tested it in R80.10 and R80.20. The API also do not show me any domains:

> show administrators domain "System Data"

code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."


> show administrators --domain "System Data"

code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."


> show domains

objects: []
total: 0

Paul_Hagyard · ‎2019-11-28

I am guessing the SmartConsole CLI is logged in to a specific domain - and does not let you specify the domain. This is a real pain if you're using a Check Point cloud SmartCenter (e.g. Endpoint Security cloud) as I don't think you can get OS CLI access (they wouldn't want you to...).