magellan94
Posted: Wed Feb 01, 2006 11:56 am Post subject: Linux Windows Interop problem: AMQ8074 SID does not match
Newbie
Joined: 01 Feb 2006 Posts: 4
Hello,
I am experiencing an authorization problem when trying to communicate from a JMS application on RedHat Linux to a Windows Queue Manager. The queue manager rejects the connection with the following error message:
AMQ8074 Authorization failed as the SID '&3' does not match the entity '&4'.
How do I avoid this error?
The error makes sense. The user defined on the Linux box does not have the same SID as the user with the same name on the Windows box. Note that these are two different users with the same name. There is no shared directory (like Active Directory or OpenLDAP) used by both Windows and RedHat for authorization.
We were able to temporarily dodge the issue by using a server connection channel with wide-open security settings. This lax security isn't acceptable for the production deployment.
Is there any way to force the Linux JMS client app to connect to the Windows queue manager using the user SID from the Windows directory against which the QM does its authorization? Alternatively, is there any way to make MQ or the Windows directory match up the SID and recognize the Linux user as the same one defined on the Windows domain?
Thanks in advance for any advice. The solution will alleviate a big headache for me.
-Dave
Here's the error message shown by the JMS client app:
Quote:
MQJMS2013: invalid security authentication supplied for MQQueueManager
MQJMS2013: invalid security authentication supplied for MQQueueManager
This is the Event log error on the Windows Queue Manager host:
Quote:
Authorization failed as the SID 'S-1-5-21-1481256890-115492462-5522801-47229' does not match the entity 'myuser\mywindowsdomain'.
The Object Authority Manager received inconsistent data - the supplied SID does not match that of the supplied entity information.
Ensure that the application is supplying valid entity and SID information.
mvic
Posted: Wed Feb 01, 2006 2:15 pm Post subject: Re: Linux Windows Interop problem: AMQ8074 SID does not matc
Jedi
Joined: 09 Mar 2004 Posts: 2080
magellan94 wrote:
trying to communicate from a JMS application on RedHat Linux to a Windows Queue Manager. The queue manager rejects the connection
What MQ version / fixpack is installed on both machines please?
mvic
Posted: Wed Feb 01, 2006 2:22 pm Post subject: Re: Linux Windows Interop problem: AMQ8074 SID does not matc
Jedi
Joined: 09 Mar 2004 Posts: 2080
fjb_saper
Posted: Wed Feb 01, 2006 2:25 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
This looks to me like the authorization has been granted to user X.
However, since then, user X has been deleted and recreated.
Now the SID of the user having the authorization does not match the SID of the incoming user (= SID of the recreated user).
Try the following:
Delete all authorizations for the user (-remove).
Check that the user no longer appears in your list (dmpmqaut).
Grant the authorizations again, refresh security and try anew.
Hope it helps
_________________ MQ & Broker admin
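
The remove / verify / re-grant / refresh sequence described in the post above, written out as an added example that is not part of the original thread. The queue manager name QM1, the queue APP.REQUEST, the principal and the authorities granted back are placeholders chosen for illustration; run it on the Windows queue manager host as a member of the mqm group.

```powershell
# Added example: reset the OAM authority records held for one principal.
# QM1, APP.REQUEST and the principal below are placeholders, not values from the thread.
$qmgr      = 'QM1'
$principal = 'myuser@mywindowsdomain'   # userid@domain form for a Windows domain principal
$queue     = 'APP.REQUEST'

# 1. Save the principal's current authority records so the same grants can be restored.
dmpmqaut -m $qmgr -p $principal | Tee-Object -FilePath 'authrec-before.txt'

# 2. Remove the stored records. setmqaut works on one object profile per call,
#    so repeat this for every profile that step 1 listed.
setmqaut -m $qmgr -t qmgr -p $principal -remove
setmqaut -m $qmgr -n $queue -t queue -p $principal -remove

# 3. Check that the principal no longer appears in the dump.
dmpmqaut -m $qmgr -p $principal

# 4. Grant only what the application needs (assumed here: connect, put, get, inquire).
setmqaut -m $qmgr -t qmgr -p $principal +connect +inq
setmqaut -m $qmgr -n $queue -t queue -p $principal +put +get +inq

# 5. Make the queue manager reload its cached authorization data.
'REFRESH SECURITY' | runmqsc $qmgr
```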
magellan94
Posted: Wed Feb 01, 2006 4:22 pm Post subject:
Newbie
Joined: 01 Feb 2006 Posts: 4
Thanks for the prompt replies. Here's some more info:
Queue Manager Version: WebSphere MQ v5.3, fix pack CSD10. We've already installed the fix pack level suggested by the MQ support site, so I think we're facing a different issue than the one described there. (Thanks for the pointer.)
The client is a pure Java JMS client using TCP/IP (MQJMS_TP_CLIENT_MQ_TCPIP). It's possible the jar files for the client came from a WSMQ v6 installation, but I doubt this would cause the error we're seeing.
The user wasn't deleted and recreated. There are two different users with the same user name. The first user is a simple user account on the RedHat box. The second user is defined on the Windows domain controller. I think the JMS client is grabbing the user SID locally from the RedHat directory, and passing it along to the QM on the Windows box. The QM then looks up the same username in the Windows domain and discovers that the SID given by the JMS client, which was found in the RedHat registry, doesn't match the SID in the Windows user registry. Can anybody confirm this diagnosis?
I think the only way to fix this problem is to make the QM and the JMS client both authenticate off the same (Windows) registry, but getting the client to make changes like this is time consuming and exhausts a great deal of goodwill. I don't want to recommend it unless somebody can confirm, "I encountered exactly the problem you describe, and configuring a shared directory solves it."
To add confusion: the Linux JMS client with problems is running on JBoss. The client has other Linux JMS client apps that don't have this problem, but they're deployed on WebSphere instead of JBoss. I wonder what trickery WebSphere uses under the covers to solve this problem? Maybe WebSphere uses MQJMS_TP_BINDINGS_MQ or MQJMS_TP_DIRECT_TCPIP instead of MQJMS_TP_CLIENT_MQ_TCPIP? Does anybody know the difference between MQJMS_TP_DIRECT_TCPIP and MQJMS_TP_CLIENT_MQ_TCPIP?
Thanks,
Dave
magellan94
Posted: Wed Feb 01, 2006 4:26 pm Post subject:
Newbie
Joined: 01 Feb 2006 Posts: 4
I just realized that message sounds confusing because I'm using the term 'client' with two meanings:
'JMS client' = the MQ Java application
'the client' = A client/customer of the firm I work for. This customer is the one with the problematic MQ installation.
fjb_saper
Posted: Wed Feb 01, 2006 4:29 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Do you have a local user and a domain user with the same name?
_________________ MQ & Broker admin
mvic
Posted: Wed Feb 01, 2006 4:48 pm Post subject:
Jedi
Joined: 09 Mar 2004 Posts: 2080
magellan94 wrote:
The client is a pure Java JMS client using TCP/IP (MQJMS_TP_CLIENT_MQ_TCPIP). It's possible the jar files for the client came from a WSMQ v6 installation, but I doubt this would cause the error we're seeing.
Pay close attention to what classes are being used on the client. v5.3 CSD12 (the latest) or v6 is best. Don't use CSD08 or CSD09 on the client - search the web or this forum for the reasons why.
magellan94
Posted: Thu Feb 02, 2006 1:14 am Post subject:
Newbie
Joined: 01 Feb 2006 Posts: 4
Thanks for the continuing support...
I verified that the JMS code is using jar files from WSMQ v6.
Yes, there is a local user (on Linux) and a domain user (on Windows) with the same username.
Thanks, Dave