| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| AMQ4036 and AMQ7047 after Active Directory migration |
« View previous topic :: View next topic » |
| Author |
Message
|
| DimitriM |
 Posted: Tue Jun 04, 2002 12:47 am Post subject: AMQ4036 and AMQ7047 after Active Directory migration |
 |
|
Newbie
Joined: 04 Jun 2002
Posts: 3
|
Hi,
Last week we migrated to a Win2K Active Directory env. Our NT domain accounts were automatically migrated to the new AD ones. That's when the problems started...
Before that I was running MQ 5.1 without any problems, but as soon as the migration was completed I could no longer get access to my existing (and new) queues.
I can create/stop/start any QMs, but as soon as I actually try to connect to it in order to get access to the queues via MQExplorer, I get the following error message:
---------------------------
IBM MQSeries
---------------------------
Access not authorized. You are not authorized to perform this operation. (AMQ4036)
---------------------------
OK
---------------------------
I managed to workaround the problem by manually adding all authorization rights to the qmgr and all the underlying queues.
When I say all queues, I am also talking about the default hidden system queues.
Now when I create a new qmgr I still have to manually set all the proper rights.
Note that the problem does NOT occur with any of the local accounts, not even with the original NT Domain account (which is kept up and running during the migration phase).
MyAccount@MyAD is part of the Administrators and mqm groups. I also managed to reproduce the problem with other AD accounts.
I suspected an installation issue, so I uninstalled everything and installed the 5.2 we have.
I thought that if I am going reinstall it, I might as well install the latest one.
But then another problem popped up... now I even cannot manually set my authorities.
D:\Program Files>setmqaut -m QMDEMO -t qmgr -p MyAccount@MyAD +all
AMQ7047: An unexpected error was encountered by a command.
All local users (who are part of the mqm or administrator groups) still work fine.
Any help is appreciated.
Thanks,
Dimitri |
|
| Back to top |
|
 |
| DimitriM |
| Posted: Tue Jun 04, 2002 11:37 pm Post subject: Update - solved AMQ7047 |
|
|
Newbie
Joined: 04 Jun 2002
Posts: 3
|
OK, I managed to solve the AMQ7047 problem.
First stop the MQSeries service through the Windows CPL and then verify that your QM is running via the MQExplorer.
When you then run the required setmqaut cmds, it works!
Does somebody know why the MQSeries\bin\AMQSVC.EXE apparently affects setmqaut? The strange thing however about this, is that the AMQ7047 only popped up with the accounts (defined as principal) that were part of the Active Directory. All setmqaut cmds with a local account as the principal were working fine.
Also the AMQ4036 is still there. All the Active Directory accounts are not getting the proper default authority settings, despite the fact that they do have the local Administrator/mqm group membership.
I also read something about the fact that the MQSeries V5.2 security model does not support either nested local groups, or multiple nesting of global and universal groups. Is this statement still correct (even if you apply the latest APAR)?
If it is correct, I still don't understand how you can bypass this by shutting down the MQSeries\bin\AMQSVC.EXE service and manually setting the authorities with setmqaut...
Cheers,
Dimitri |
|
| Back to top |
|
|
| DimitriM |
| Posted: Wed Jun 05, 2002 1:40 am Post subject: Correction - AMQ7047 |
|
|
Newbie
Joined: 04 Jun 2002
Posts: 3
|
Correction, the AMQ7047 shows up again as soon I got connected to the AD. When I go offline, the problem disappears.
So I guess that if you're not connected, MQ uses the local copy of the AD account and that's not a problem.
But as soon as you connect to the network, it tries to validate not the local copy but the account on the AD...
So the info in previous msg is still valid, at least from a disconnected point of view (I was working from home last night, not connected to the VPN).
Dimitri |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
