salem.muribi |
Posted: Mon Jan 11, 2010 9:37 am Post subject: User in mqm group getting 2035 |
|
|
Novice
Joined: 05 Sep 2008 Posts: 14 Location: Chicago
|
I'm not sure there is an easy answer to this but perhaps someone will have a good idea on how to diagnose this issue further.
I've noticed that occasionally after a security refresh (WMQ 6.0.24 Linux), there is one member of the mqm group that no longer has access. This is almost at random, so far I cannot see any pattern in how this is done.
We are using openLDAP 2.2 for all accounts/groups (including mqm) on Red Hat 4.6.
Even stranger is that this particular userid that is a member of mqm behaves differently on two different queue managers (each on a different server). On one queue manager it connects but fails on opening a queue while on another qm it fails on the connect...
There are other principals in the mqm group that are not having any issues....
dspmqaut results for the principal are consistent with the failures. Shows authorization for the mqm group but not the principal that is in the group. |
|
|
 |
mvic |
Posted: Mon Jan 11, 2010 11:52 am Post subject: Re: User in mqm group getting 2035 |
|
|
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
salem.muribi wrote: |
dspmqaut results for the principal are consistent with the failures. Shows authorization for the mqm group but not the principal that is in the group. |
This is an important point.
It suggests that, at the time the queue manager was building its knowledge of what groups that user is in, your OS (via whatever means, LDAP or otherwise) gave a list of groups for that user that did not include "mqm".
If you run "REFRESH SECURITY" again, does the problem go away? |
|
|
 |
salem.muribi |
Posted: Mon Jan 11, 2010 12:49 pm Post subject: |
|
|
Novice
Joined: 05 Sep 2008 Posts: 14 Location: Chicago
|
So I've been able to recreate the issue on a test server and it seems as though this is intermittent. Roughly every other refresh security results in this userid not being permissioned appropriately.
I have heard from IBM that there is a potential fix to this in 6.0.2.9/7.0.1.1
http://www-01.ibm.com/support/docview.wss?uid=swg1IZ56282
Still confirming that this is the bug but will follow-up when we hear back from L3 on the trace. |
|
|
 |
Michael Dag |
Posted: Mon Jan 11, 2010 3:19 pm Post subject: |
|
|
 Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
|
Apparently it is not so blatant that mqm overrules every rule; apparently even some rules (bugs!) apply to mqm.
Looking forward to your findings. _________________ Michael
MQSystems Facebook page |
|
|
 |
zonko |
Posted: Mon Jan 11, 2010 10:46 pm Post subject: |
|
|
Voyager
Joined: 04 Nov 2009 Posts: 78
|
I do not agree that the APAR referred to above is a bug in WMQ. It is actually a bug in the OS/LDAP layer supplying the group membership names to the qmgr.
The APAR attempts to alleviate this situation such that when it gets an ERANGE error returned (an undocumented error) it retries. However, if the underlying auth mechanism persists in returning this error then there is nothing WMQ can do.
I suggest that you implement the workround in the APAR, and report the bug to the OS supplier, if there is one. |
|
|
 |
mvic |
Posted: Tue Jan 12, 2010 5:08 am Post subject: |
|
|
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
zonko wrote: |
I suggest that you implement the workround in the APAR, and report the bug to the OS supplier, if there is one. |
If the OP gets the fix from IBM and it makes the system work, then job done. Nothing more to do. Why open a ticket with the OS when your system is working? |
|
|
 |
salem.muribi |
Posted: Tue Jan 12, 2010 7:33 am Post subject: |
|
|
Novice
Joined: 05 Sep 2008 Posts: 14 Location: Chicago
|
It's my opinion that wmq should be able to handle the ERANGE error and recover as opposed to a complete system breakdown that could be caused if say the mqm userid no longer has access to certain objects (which has happened). WMQ is not an industry standard because it is the fastest form of messaging but far and wide considered the most stable.
I didn't see the ERANGE exception in my traces but did see some timeouts during the getgrent functions. Still waiting to see what L3 comes back with. |
|
|
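The failure mode discussed in the posts above (a group lookup returning ERANGE, and a retry as the remedy), shown as an added example that is not from the thread or from IBM's code: it reads a constructed group file with glibc's `fgetgrent_r` and compares a caller that drops an entry on ERANGE with one that retries using a larger buffer, the usual handling for the `_r` lookup functions and not necessarily what the APAR does. `is_member`, `SAMPLE_DB` and the account names are hypothetical.

```c
#define _GNU_SOURCE 1   /* exposes glibc's fgetgrent_r */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample group database; the mqm entry is longer than 64 bytes. */
static const char SAMPLE_DB[] =
    "users:x:100:alice\n"
    "mqm:x:500:mqm,app01,app02,app03,app04,app05,app06,app07,app08,app09,svcuser\n"
    "ops:x:600:svcuser\n";

/* Returns 1 if user is listed in group, 0 if not, -1 on a hard error.
 * grow_on_erange=0 drops an entry on ERANGE; 1 enlarges the buffer and re-reads. */
int is_member(const char *db, const char *user, const char *group,
              size_t buflen, int grow_on_erange)
{
    FILE *fp = fmemopen((void *)db, strlen(db), "r");
    char *buf = malloc(buflen), *bigger;
    struct group grp, *res;
    int rc, c, member = 0;
    if (fp == NULL || buf == NULL) { member = -1; goto out; }
    for (;;) {
        long start = ftell(fp);                 /* where this entry begins */
        rc = fgetgrent_r(fp, &grp, buf, buflen, &res);
        if (rc == ENOENT) break;                /* end of database */
        if (rc == ERANGE) {                     /* entry did not fit in buf */
            fseek(fp, start, SEEK_SET);         /* go back to the entry start */
            if (!grow_on_erange)                /* give up: skip the whole line */
                while ((c = fgetc(fp)) != EOF && c != '\n') { }
            else if ((bigger = realloc(buf, buflen *= 2)) != NULL)
                buf = bigger;                   /* retry the same entry */
            else { member = -1; break; }
            continue;
        }
        if (rc != 0) { member = -1; break; }
        if (strcmp(grp.gr_name, group) != 0) continue;
        for (char **m = grp.gr_mem; *m != NULL; m++)
            if (strcmp(*m, user) == 0) member = 1;
    }
out:
    if (fp) fclose(fp);
    free(buf);
    return member;
}
int main(void) {
    printf("give up: %d  grow+retry: %d\n", is_member(SAMPLE_DB, "svcuser", "mqm", 64, 0),
           is_member(SAMPLE_DB, "svcuser", "mqm", 64, 1));
    return 0;
}
```

With the 64-byte starting buffer, the caller that gives up reports the user as not in `mqm` although the database lists it, which matches the symptom of group authority being present while the member is denied.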
 |
salem.muribi |
Posted: Fri Feb 05, 2010 6:35 am Post subject: |
|
|
Novice
Joined: 05 Sep 2008 Posts: 14 Location: Chicago
|
|
|
 |
|