| Author |
Message
|
| Duke |
 Posted: Fri Mar 31, 2006 2:05 am Post subject: ConfigMgr V6 domain awareness bug? |
 |
|
Apprentice
Joined: 09 Mar 2004
Posts: 49
Location: Belgium
|
Hi,
I have encountered a problem with the configuration manager V6 when it is running under a domain account.
Here is my configuration:
Windows Server 2003
WBIMB V6
WMQ 5.3 CSD11
I have created the configuration manager issuing the command "mqsicreateconfigmgr ConfigMgr -i technp\MQSI005X -a xxx -q SDTW0016"
The command complete successfully.
When I start the service, there are no error in the event viewer.
The account technp\MQSI005X and the user fbbenp\x09521 and resnp\x09521 and part of the following groups:
mqm
mqbrkrs
Administrators
I cannot connect with my toolkit to the configmgr.
I have try to issue the command "mqsilistaclentry ConfigMgr" I have the following error:
*******************************
**************************************
Trace remove for lisibility... I can add it again if necessary.
_________________
Pierre Richelle
Engineer
IBM Certified MQSeries Developper V5.3
IBM Certified WMQ Administration V6
Last edited by Duke on Sun Apr 02, 2006 11:30 pm; edited 2 times in total |
|
| Back to top |
|
 |
| wschutz |
| Posted: Fri Mar 31, 2006 3:16 am Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
|
| Back to top |
|
|
| Duke |
| Posted: Fri Mar 31, 2006 5:36 am Post subject: |
|
|
Apprentice
Joined: 09 Mar 2004
Posts: 49
Location: Belgium
|
I have go through the thread.
And I have made some tests... same result:
for mqsicreateaclentry and mqsilistaclentry.
I still have to test to execute the command with the account of the service.
But I have no access to the password right now :'(
******************************
D:\Data\Se-k-MQServer-MQSY\Exits>mqsicreateaclentry ConfigMgr -a -u X09521 -x f
-p
BIP1047E: The operation could not be completed by the Configuration Manager.
blablabla 
******************************
C:\WINDOWS\system32>mqsilistaclentry ConfigMgr -p
BIP1047E: The operation could not be completed by the Configuration Manager.
The utility did not receive an expected message from the Configuration Manager w
ithin a reasonable amount of time. The cause is described as: 'hasBeenUpdatedByC
onfigManager timed out'
Blabla
_________________
Pierre Richelle
Engineer
IBM Certified MQSeries Developper V5.3
IBM Certified WMQ Administration V6 |
|
| Back to top |
|
|
| mqmatt |
| Posted: Fri Mar 31, 2006 6:41 am Post subject: |
|
|
Grand Master
Joined: 04 Aug 2004
Posts: 1213
Location: Hursley, UK
|
From the trace, it just looks like the CM is saying that the user X09521 (or any of the groups of which it is a member) does not have any ACL entries created - and hence, is not authorised to access the CM.
What userid are you using to run the mqsicreateaclentry command? You need to run this command using the service userid - not as the user you're trying to give authority to (because obviously, it won't have the authority!)
-Matt |
|
| Back to top |
|
|
| Duke |
| Posted: Sun Apr 02, 2006 11:57 pm Post subject: |
|
|
Apprentice
Joined: 09 Mar 2004
Posts: 49
Location: Belgium
|
I have create a new service under the user resnp\u64366 and it will run under the user fbbenp\x09521.
mqsicreateconfigmgr CFGDTST -i fbbenp\x09521 -a xxx -q MQMDTST
The user u64366 is in the local group Administrators, mqbrkrs and mqm.
And I am not able to see the acl with the user u64366.
When I issue the command mqsilistaclentry under the user x09521, I have the following:
*********************
C:\Profiles\X09521>mqsilistaclentry CFGDTST
BIP1778I: u64366-USER-F - ConfigManagerProxy - ConfigManagerProxy
BIP1778I: x09521-USER-F -ConfigManagerProxy - ConfigManagerProxy
BIP8071I: Successful command completion.
I have issue a create acl entry:
C:\Profiles\X09521>mqsicreateaclentry CFGDTST -u u64366 -m resnp -p -x f
BIP8071I: Successful command completion.
C:\Profiles\X09521>mqsilistaclentry CFGDTST
BIP1778I: u64366-USER-F-ConfigManagerProxy-ConfigManagerProxy
BIP1778I: x09521-USER-F-ConfigManagerProxy - ConfigManagerProxy
BIP1778I: resnp\u64366-USER-F-ConfigManagerProxy- ConfigManagerProxy
BIP8071I: Successful command completion.
**************************
But under the user resnp\u64366 I still not be able to issue the command mqsilistaclentry has given here after.
HOWEVER, using the toolkit, I am able to access the broker topology using this user !!.
***********************
C:\Profiles\u64366>mqsilistaclentry CFGDTST
BIP1046E: Unable to connect with the Configuration Manager's queue manager (MQMDTST).
The utility encountered a problem while attempting to connect to the Configuration Manager's queue manager to put a message to its request queue.
Ensure that the correct connection parameters have been supplied to the utility.
Also ensure that the Configuration Manager's queue manager is running and that the current user is able to put messages to its SYSTEM.BROKER.CONFIG.QUEUE. If this error text includes an MQ reason code, look up the meaning behind the error
in the Application Programming Reference guide and proceed as appropriate.
BIP8071I: Successful command completion.
**************************
I have test with a local user wbib001d to list the acl entry:
***********************************************
C:\WINDOWS\system32>mqsilistaclentry CFGDTST
BIP1047E: The operation could not be completed by the Configuration Manager.
The utility did not receive an expected message from the Configuration Manager within a reasonable amount of time. The cause is described as: 'hasBeenUpdatedByConfigManager timed out'
Ensure that the Configuration Manager is running and that the correct connection parameters have been supplied to the utility. Use the -w flag to increase the amount of time to wait for responses.
BIP8071I: Successful command completion.
*******************************************
I have created a new acl entry for a local user wbib001d.
*************
D:\Data\Se-k-MQServer-MQSY\Exits>mqsicreateaclentry CFGDTST -u wbib001d -a -p -x f
BIP8071I: Successful command completion.
*************
I am then able to list the acl under the user wbib001d !
It seems that the utility has some problems to work with user defined into a domain!
Is there anybody that can let me know how I can setup my environment in order to be able to issue the command mqsilistaclentry from another user (than the service user id) defined into a trusted domain?
_________________
Pierre Richelle
Engineer
IBM Certified MQSeries Developper V5.3
IBM Certified WMQ Administration V6
Last edited by Duke on Mon Apr 03, 2006 4:40 am; edited 2 times in total |
|
| Back to top |
|
|
| venusboy |
| Posted: Tue May 09, 2006 10:24 am Post subject: |
|
|
Acolyte
Joined: 11 Jun 2002
Posts: 51
|
| Use the -n flag to specifiy the connection file. This will then perform a remote connection and the domain user-id will correctly be resolved. |
|
| Back to top |
|
|
| venusboy |
| Posted: Wed May 10, 2006 2:27 am Post subject: |
|
|
Acolyte
Joined: 11 Jun 2002
Posts: 51
|
Finally set-up my development machine and was able to debug the mqsilistaclentry commands.
In version 6.0.0.1 IBM have forgot to ship the ToolingLogonInfo.dll that is required for LogonInfo.dll. If you have downloaded the latest toolkit then this can be found in the E:\IBM\MessageBrokersToolkit\6.0\evtoolkit\eclipse\plugins directory. Then just copy the ToolingLogonInfo.dll to your bin directory and then it correctly using domain/user.
Well done IBM! |
|
| Back to top |
|
|
| mqmatt |
| Posted: Wed May 10, 2006 8:03 am Post subject: |
|
|
Grand Master
Joined: 04 Aug 2004
Posts: 1213
Location: Hursley, UK
|
Aye, thank you 
Please raise a PMR. |
|
| Back to top |
|
|
|
|
