How do I create a Principal on unix?
LouML
Posted: Fri Sep 28, 2007 4:44 am    Post subject: How do I create a Principal on unix?

Partisan

Joined: 10 Nov 2005
Posts: 305
Location: Jersey City, NJ / Bethpage, NY

Another newbie question here.

I have a Windows user running MQ Explorer. He is trying to connect to an MQ 5.3.12 server running on Solaris 9.

The first error he received was AMQ4043 (Queue Manager not available for connection.). I saw that there was no SYSTEM.ADMIN.SVRCONN channel, so I created it.

Now he receives error AMQ4036 (Access not authorized). I tried to use setmqaut to give him authorization but received error AMQ7026 (A principal or group name was invalid.). I do not see his userid in either /etc/passwd or /etc/group.

However, he said it works on another server, and I do not see his userid in either /etc/passwd or /etc/group on that server either. The SYSTEM.ADMIN.SVRCONN channel on this server is identical to the one I created on the original server.

Though I've been thrust into the Unix world, my background is Compaq NSK (Tandem). We had an altmquser command for MQ on NSK to create a Principal and Group. I see that there is no such equivalent for unix.

How do I create a Principal on unix? Is it created automatically when the sysadmin adds a userid?

Any ideas would be greatly appreciated.
atheek
Posted: Fri Sep 28, 2007 5:08 am

Partisan

Joined: 01 Jun 2006
Posts: 327
Location: Sydney

AFAIK, the new principal is created when your sysadmin adds a new user. The reason for not seeing the user in the original server may be that you are using the NIS or NIS+ mechanism. If so, you won't see the user in /etc/passwd.

Just try this for a start if you are using NIS:

ypcat group|grep <username>

More info is available at http://www.cs.gsu.edu/nisar/csc3320fl02/nis/

So, to create the missing principal, better ask your sysadmin to add a new user.

Regards,
Atheek
LouML
Posted: Fri Sep 28, 2007 6:03 am

Partisan

Joined: 10 Nov 2005
Posts: 305
Location: Jersey City, NJ / Bethpage, NY

atheek wrote:
AFAIK, the new principal is created when your sysadmin adds a new user. The reason for not seeing the user in the original server may be that you are using the NIS or NIS+ mechanism. If so, you won't see the user in /etc/passwd.

Just try this for a start if you are using NIS:

ypcat group|grep <username>

More info is available at http://www.cs.gsu.edu/nisar/csc3320fl02/nis/

So, to create the missing principal, better ask your sysadmin to add a new user.

Regards,
Atheek


I don't see the user using the ypcat group | grep <username> on either server.
LouML
Posted: Fri Sep 28, 2007 7:34 am

Partisan

Joined: 10 Nov 2005
Posts: 305
Location: Jersey City, NJ / Bethpage, NY

Well, I found out why it works on one server and not the other. The previous admin disabled OAM.

When I do a ps -ef | grep -i AMQZFUMA on the server that works, I don't see the process, but when I do it on the server that he can't access, I see it running. (By the way, the server where it's disabled is a development machine)

I guess one of two things can happen:

1 - He has to get a proper id created on the server and then I can grant him access using setmqaut

2 - I can add 'mqm' to the MCAUSER of the SYSTEM.ADMIN.SVRCONN channel.

I should add that this access is supposedly only temporary, while someone he works with is on vacation (but that remains to be seen).
jefflowrey
Posted: Fri Sep 28, 2007 7:38 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

LouML wrote:
The previous admin disabled OAM.




Third option is best choice. Create a generic user and group, for the role that this user will be acting in. Grant it privileges using setmqaut, and then set that on MCAUSER.

NEVER EVER EVER set MCAUser to mqm. EVEN on Development.

You compromise every MQ queue manager that can be reached by the network.
_________________
I am *not* the model of the modern major general.
fjb_saper
Posted: Fri Sep 28, 2007 8:04 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

And remember that on Unix setmqaut never grants permission to the user. Permissions are always granted to the group. If a user was mentioned in the command, the permissions are granted to the user's primary group.
_________________
MQ & Broker admin
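
The role-account approach from the last two replies (a generic user and group, grants made to the group, that user set as MCAUSER), as an added dry-run example that is not part of the thread: it only prints the commands for review. The names QM1 and mqexpl and the two grants shown are assumptions; the role will need further grants on the objects it actually administers.

```shell
#!/bin/sh
# Dry run: prints the commands for review and executes nothing.
# Constructed names: queue manager QM1, role account and group mqexpl.

# Refuse a role that is mqm or resolves to mqm: MCAUSER would then carry
# full MQ administrative authority for every client of the channel.
check_role() {
    user=$1; group=$2
    if [ "$user" = "mqm" ] || [ "$group" = "mqm" ]; then
        echo "refused: MCAUSER must not be mqm" >&2
        return 1
    fi
    # If the account already exists, none of its groups may be mqm.
    # (POSIX id options; on Solaris the POSIX id is /usr/xpg4/bin/id.)
    for g in $(id -Gn "$user" 2>/dev/null); do
        if [ "$g" = "mqm" ]; then
            echo "refused: $user is a member of group mqm" >&2
            return 1
        fi
    done
    return 0
}

# Print the plan. Grants are made with -g, never -p, because on UNIX the
# authority lands on a group either way; naming it makes that explicit.
plan_role() {
    qmgr=$1; user=$2; group=$3
    check_role "$user" "$group" || return 1
    cat <<EOF
groupadd $group
useradd -g $group $user
setmqaut -m $qmgr -t qmgr -g $group +connect +inq +dsp
setmqaut -m $qmgr -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g $group +put +inq +dsp
echo "ALTER CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('$user')" | runmqsc $qmgr
dspmqaut -m $qmgr -t qmgr -g $group
EOF
}

plan_role "${1:-QM1}" "${2:-mqexpl}" "${3:-mqexpl}"
```

The final dspmqaut line is the check to run after the grants: it shows what the group actually holds on the queue manager.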