k_anand2585 (Acolyte; Joined: 03 Nov 2011; Posts: 50)
Posted: Wed Jan 04, 2012 11:29 pm
That's strange, but if the system person removes domain admin it does not work; we again get authorisation errors.
We are still working on it. Maybe we have found a temporary solution; just trying to isolate the issue.

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Thu Jan 05, 2012 1:28 am
k_anand2585 wrote:
That's strange, but if the system person removes domain admin it does not work; we again get authorisation errors.
We are still working on it. Maybe we have found a temporary solution; just trying to isolate the issue.

You need a local group, which should contain the domain user, and to set the necessary authorisations for that local group - bread-and-butter (or auths 101 if you prefer) MQ admin.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

k_anand2585 (Acolyte; Joined: 03 Nov 2011; Posts: 50)
Posted: Thu Jan 05, 2012 6:47 am
Surprisingly, when the system admin removed Domain Admin from the list of privileges, we again see the authorisation errors 2035.
We are still researching the issue, as we need to find a permanent solution; logically, adding domain admin does not sound like a permanent solution.
Anyway, I have worked with WebLogic JMS and JBoss, but truly I am loving MQ, really good.

JasonE (Grand Master; Joined: 03 Nov 2003; Posts: 1220; Location: Hursley)
Posted: Thu Jan 05, 2012 7:04 am
Does the domain id have query group membership (delegate) user rights?

k_anand2585 (Acolyte; Joined: 03 Nov 2011; Posts: 50)
Posted: Mon Jan 09, 2012 1:30 am
Hi Jason,
The group is mqc, configured at the domain controller, and the group is assigned to domain_mqc.
For the user concerned, this is the configuration at the domain controller.
user mqc_tasco assign it to
Domain admins
Domain mqc
Domain users
mqc
The same user is created at the client machine and assigned to the mqm group.
Then MQ privileges are assigned to Qmanager, queue, channels.

JasonE (Grand Master; Joined: 03 Nov 2003; Posts: 1220; Location: Hursley)
Posted: Mon Jan 09, 2012 1:50 am

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Mon Jan 09, 2012 10:34 am
k_anand2585 wrote:
...Same user is created at client machine and assigned to mqm group...

A local user, i.e. NOT domain? If so, why?

k_anand2585 (Acolyte; Joined: 03 Nov 2011; Posts: 50)
Posted: Mon Jan 09, 2012 10:56 pm
Hi Jason,
I did check regarding Read Group Membership and Read Group MembershipSAM, which are allowed.
Logically you are right, any MQ client should not have domain admin rights.
System admin is taking care of this issue now.
I did not understand exerk's question.

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Tue Jan 10, 2012 1:19 am
k_anand2585 wrote:
...I did not understand exerk's question.

You stated in a previous post:
"...For user concerned, this is the configuration at Domain controller.
user mqc_tasco assign it to
Domain admins
Domain mqc
Domain users
mqc..."
And in the same post:
"...Same user is created at client machine and assigned to mqm group..."
The above two statements imply that you have:
1. Created a domain user named mqc_tasco, and
2. Created a local user named mqc_tasco on the client computer.
Is that more understandable?

k_anand2585 (Acolyte; Joined: 03 Nov 2011; Posts: 50)
Posted: Tue Jan 10, 2012 1:43 am
Yes, you are right.
Your understanding is correct: the same local user is created at the client machine, which is at a different geographical location.
At client machine
User: mqc_tasco assigned to mqm
Group: mqm

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Tue Jan 10, 2012 1:48 am
Again, why?

k_anand2585 (Acolyte; Joined: 03 Nov 2011; Posts: 50)
Posted: Tue Jan 10, 2012 2:02 am
Yes, let me explain this!
We had tried the same configuration on 2 physical machines connected in a LAN without a domain controller; that time on the client machine we created a user and assigned it to the mqm group.
The same user was created on the machine hosting the MQ server and assigned to the mqm group. At that time we did face authorisation error 2035, but after giving privileges at MQ level like Qmanager, queue, channels, everything worked.
Now we created the same environment in UAT, but this time a domain controller was there as part of the project, so we went with this configuration.
As I am new to MQ and from a background of WebLogic application server, if my approach is wrong to handle the issue, please let us know; your suggestions will be really appreciated.

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Tue Jan 10, 2012 2:15 am
For your UAT set-up, for your client, you need:
1. A domain group, e.g. tasco_clients;
2. A domain user, i.e. mqc_tasco, within the above group;
3. On the WMQ server, create a local group, e.g. tasco_local;
4. Add the domain user, i.e. mqc_tasco, to the above group;
5. Set the relevant authorities on the queue manager for the local group tasco_local.
The above presupposes that you are running the MQSeriesService on the WMQ server under a domain user.
NOTE: the domain group is a useful way of containing any client user IDs, but strictly speaking isn't absolutely necessary.

k_anand2585 (Acolyte; Joined: 03 Nov 2011; Posts: 50)
Posted: Tue Jan 10, 2012 5:16 am
Hi Exerk,
Wonderfully explained, really appreciated.
Does the tasco_client group on the client machine have to be under the mqm group, or is that not required?
Other than that, I got your point regarding running a user under domain privileges.
I will try out a few things by removing everything, domain admin, domain user, and according to your design it should work.

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20763; Location: LI,NY)
Posted: Tue Jan 10, 2012 12:40 pm
k_anand2585 wrote:
Hi Exerk,
Wonderfully explained, really appreciated.
Does the tasco_client group on the client machine have to be under the mqm group, or is that not required?
Other than that, I got your point regarding running a user under domain privileges.
I will try out a few things by removing everything, domain admin, domain user, and according to our design it should work.

You don't want ANYBODY that is not mqadmin in the mqm group anywhere.
Make sure you give connect and inquire to the qmgr object ...
_________________
MQ & Broker admin
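
The server-side part of exerk's five steps, together with the connect and inquire authorities fjb_saper mentions, as an added example that is not part of any poster's message. The queue manager name `QM_UAT`, the domain name `EXAMPLE` and the queue name `TASCO.REQUEST` are placeholders; the commands assume an elevated PowerShell session on the WMQ server.

```powershell
# Added example: QM_UAT, EXAMPLE and TASCO.REQUEST are placeholders, not values from the thread.
$QMgr   = 'QM_UAT'          # assumed queue manager name
$Domain = 'EXAMPLE'         # assumed Windows domain name
$Queue  = 'TASCO.REQUEST'   # assumed application queue
$User   = 'mqc_tasco'       # domain user named in the thread
$Group  = 'tasco_local'     # local group from step 3

# Step 3: create the local group on the WMQ server.
net localgroup $Group /add

# Step 4: add the DOMAIN user to the local group.
# No local mqc_tasco account and no mqm or Domain Admins membership is involved.
net localgroup $Group "$Domain\$User" /add

# Step 5: grant authorities to the local group only.
# connect + inquire on the queue manager object, then what the client needs on its queue.
setmqaut -m $QMgr -t qmgr -g $Group +connect +inq
setmqaut -m $QMgr -n $Queue -t queue -g $Group +put +get +inq +browse

# Have the queue manager re-read group memberships and authority records.
'REFRESH SECURITY TYPE(AUTHSERV)' | runmqsc $QMgr

# Verify what the group ended up with.
dspmqaut -m $QMgr -t qmgr -g $Group
dspmqaut -m $QMgr -n $Queue -t queue -g $Group

# Review: mqm should list MQ administrators only, never client IDs.
net localgroup mqm
```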