sabu21s
Posted: Wed Dec 10, 2003 11:41 am Post subject: Permission error
Apprentice
Joined: 01 Oct 2003 Posts: 27 Location: Atlanta
Hi,
I have installed MQSeries 5.1 on a Windows server in a domain. When I create the queue manager and then try connecting, it gives me an AMQ4036 error, and when I check the Event Viewer this is the message:
Description:
Access was denied when attempting to retrieve group membership information for user 'exbatl@crossmark'.
MQSeries, running with the authority of user 'musr_mqadmin@athens', was unable to retrieve group membership information for the specified user.
Ensure Active Directory access permissions allow user 'musr_mqadmin@athens' to read group memberships for user 'exbatl@crossmark'. To retrieve group membership information for a domain user, MQSeries must run with the authority of a domain user.
Now since this server is a local server within the domain, I went to the PDC and gave all the permissions, but I am still having this same error.
Any help or suggestions would be appreciated.
Thanks
Sabu S

JasonE
Posted: Wed Dec 10, 2003 2:42 pm
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
Look in the 5.3 manuals (or 5.2.1) about delegate authority; they should be online somewhere. The problem is the created userid is not known to the domain controller, and hence, due to a change in the default rights in Win2k Active Directory, MQ cannot query group memberships unless explicitly authorized.
Summary: Define a domain userid, put it in a domain global group "Domain MQM", and ensure Domain MQM is added to the local mqm group. Give that Domain MQM group delegate authority on the PDC, and then configure MQ to run under that userid (dcomcnfg, identity tab for MQ).
However, the fact you are installing a NEW 5.1 server makes me shiver - it went out of support years ago!

sabu21s
Posted: Wed Dec 10, 2003 3:29 pm
Hey Jason,
I tried what you said but it still gives me that same error that I am not authorized. I did the delegate part from this link:
http://www-3.ibm.com/software/integration/mqfamily/support/faqs/w2k.html#w2kfaq1
OR
To use the Active Directory Wizard to allow 'Domain mqm' group members to read group membership information of an arbitrary user:
In Active Directory Users and Computers, select the domain name, e.g. mqdev.hursley.ibm.com, and press the right mouse button.
Select "Delegate Control ...", then press [Next].
Select Groups and Users (press [Add], highlight "Domain mqm" and press [Add]), press [OK].
Highlight the Domain mqm selection and press [Next].
Check the "Create a custom task to delegate" and press [Next].
Check "Only the following objects in the folder" and then search down under object types for "User objects" (It is alphabetical, so just go to the last one).
Check User Objects and press [Next].
Check "Property-specific" and then search down (these are sorted alphabetically on the second word) to:
Read Group Membership
Read groupMembershipSAM
Check both of these, then press [Next].
Press [Finish].
Thanks
Sabu
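
To check the result of the delegation steps quoted in the post above, the following PowerShell audit (an added example, not part of the thread or of IBM's documentation) reads the explicit ACEs on the domain root for 'Domain mqm' and flags anything missing or wider than the two read properties. It assumes the RSAT ActiveDirectory module and that the wizard wrote ReadProperty ACEs scoped to user objects; the two hard-coded GUIDs are the well-known identifiers of the user class and the Group Membership property set.

```powershell
# Added example: audit the "Delegate Control" result on the domain root.
# Assumes the RSAT ActiveDirectory module and rights to read the domain ACL.
Import-Module ActiveDirectory

$GroupName = 'Domain mqm'                                  # group name used in the thread
$UserClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class

# Resolve the groupMembershipSAM attribute GUID from the schema by its LDAP name.
$root    = Get-ADRootDSE
$samAttr = Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=groupMembershipSAM)' -Properties schemaIDGUID

# ACE ObjectType GUID -> the wizard checkbox it corresponds to.
$Expected = @{
    'bc0ac240-79a9-11d0-9020-00c04fc2d4cf'   = 'Read Group Membership'    # property set
    ([guid]$samAttr.schemaIDGUID).ToString() = 'Read groupMembershipSAM'  # attribute
}

$sid = (Get-ADGroup -Identity $GroupName).SID
$acl = Get-Acl -Path ("AD:\" + (Get-ADDomain).DistinguishedName)

# Explicit ACEs only (the wizard writes to the selected object), matched by SID.
$rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value }

$report = foreach ($r in $rules) {
    $name = $Expected[$r.ObjectType.ToString()]
    [pscustomobject]@{
        Rights      = $r.ActiveDirectoryRights
        Property    = if ($name) { $name } else { $r.ObjectType }
        AppliesTo   = if ($r.InheritedObjectType -eq $UserClass) { 'user objects' }
                      else { $r.InheritedObjectType }
        # True only for an Allow/ReadProperty ACE on an expected property, user objects only.
        AsDelegated = [bool]$name -and $r.AccessControlType -eq 'Allow' -and
                      $r.ActiveDirectoryRights -eq 'ReadProperty' -and
                      $r.InheritedObjectType -eq $UserClass
    }
}
$report | Format-Table -AutoSize

# Report expected reads that are absent, and ACEs broader than the documented delegation.
$ok = @($report | Where-Object AsDelegated | ForEach-Object Property)
$Expected.Values | Where-Object { $_ -notin $ok } |
    ForEach-Object { Write-Warning "Not delegated to ${GroupName}: $_" }
$report | Where-Object { -not $_.AsDelegated } |
    ForEach-Object { Write-Warning "Wider than the documented delegation: $($_.Rights) on $($_.Property)" }
```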

JasonE
Posted: Thu Dec 11, 2003 2:09 am
Just to confirm, did you do the following?
Created a domain userid
Put domain userid in 'Domain mqm'
Ensure 'Domain mqm' is in the local mqm group on the server in question
Configure MQ to run under that Domain userid (dcomcnfg)
Restart the machine?
What does the error message look like now?

sabu21s
Posted: Thu Dec 11, 2003 7:27 am Post subject: Got it .. thanks
Hey Jason,
Thanks a lot for your help. I did as you said, and the other thing I did was go into the local server and do the following: right-click on My Computer and select Manage. Expand Local Users and Groups, then click on Users, and there I made sure the domain user is added. Then I ran dcomcnfg and made some changes on the MQ tab.
Thanks
Sabu21s

JasonE
Posted: Thu Dec 11, 2003 8:06 am
...and does it work now?

sabu21s
Posted: Thu Dec 11, 2003 8:43 am Post subject: Yes it does....
Yes.. Works great....
I have seen a lot of FAQs on this topic, and I wish this would be helpful for the other folks who may face this same problem. Title should be "Permissions/Auth issues on a Server within a domain on WIN2k"
Thanks again
Sabu

JasonE
Posted: Thu Dec 11, 2003 10:11 am
You should try working in MQ service
The documentation for this was in the 5.2.1 quick beginnings as an appendix and moved into the main docs for 5.3, but I do agree it isn't clear.
FYI: The domain id issue is required for domains using Active Directory which was not migrated from an NT 4 domain.