  MQSeries.net
info for domain administrators
ivanachukapawn
Posted: Mon Jul 05, 2010 4:49 am    Post subject: info for domain administrators

Knight

Joined: 27 Oct 2003
Posts: 561

In the MQ5.3 QB I find
Quote:
If any domain controller on your network is running on Windows 2000, that domain can be set up so that local user accounts do not have authority to query the group membership of its domain user accounts. Such a setup prevents WebSphere MQ from completing its check, and access fails. To resolve this, each installation of WebSphere MQ on the network must be configured to run its service under a domain user account that has the required authority. See the following section for instructions on creating a suitable domain account.

The phrase
Quote:
that domain can be set up so that local user accounts do not have authority to query the group membership of its domain user accounts
seems to indicate that local users can be configured to have the authority to query group membership of domain user accounts. Is this true?
Vitor
Posted: Mon Jul 05, 2010 8:46 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Not only is it true, but not doing such a thing can cause problems with domain users accessing WMQ resources, unless you've taken other steps to allow authentication of users within the NT domain.

Much discussion of this in here over the years.
_________________
Honesty is the best policy.
Insanity is the best defence.
ivanachukapawn
Posted: Mon Jul 05, 2010 9:10 am

Knight

Joined: 27 Oct 2003
Posts: 561

The setup of the special domain mqm account is mandatory in the scenario where the local user does not have the authority to query a domain account's group membership. Doesn't this imply that this is the normal scenario but it can be dealt with successfully by setting up a special domain mqm account?
Vitor
Posted: Mon Jul 05, 2010 12:20 pm

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

The running WMQ service needs some means of authenticating domain accounts. Using a domain user to run the service carries the risk that WMQ will start and attempt to use that id before Windoze has started the domain service and/or properly connected to the domain.

As I said, this and many other domain related issues have been discussed here.
_________________
Honesty is the best policy.
Insanity is the best defence.