| Author |
Message
|
| Picard |
 Posted: Tue Jan 16, 2007 12:26 am Post subject: Yet another variation of AMQ2035 |
 |
|
Novice
Joined: 07 Dec 2006
Posts: 13
|
Ok, I guess everyone is sick and tired of 2035 related question, but here is another one for you 
My setup:
2 computers.
Comp1 runs NT4 (dont laugh) with MQServer 5.3.
Comp2 runs w2k3 and has a MQ client and an inhouse developed .NET application to put messages on MQ.
I would like for the client to be able to put/get messages from a queue on Comp1.
I've added a Server Connection on the server and tried with blank MCA and mqm.
The problem is that Comp1 is on a domain and Comp2 isn't (and can't be). So when I try and put stuff on the queue it always says that user COMP2\user isn't allowed to do that, and I can't add (or atleast dont know howto) COMP2\user as a user in Comp1.
And since I can't add that user in Comp1, I can't give him permissions to put messages on the queue.
So my question is if there's an easy way around this without forcing Comp2 into a domain (which really isn't feasible at this point). |
|
| Back to top |
|
 |
| Vitor |
| Posted: Tue Jan 16, 2007 12:33 am Post subject: Re: Yet another variation of AMQ2035 |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Picard wrote: |
I've added a Server Connection on the server and tried with blank MCA and mqm.
|
I think mqm is not the best idea, as it will allow anyone connected via the channel to administer the queue manager, but an MCA user id with limited authorities is probably the way to go. What happened why you tried mqm in the MCA user? Still 2035?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Picard |
| Posted: Tue Jan 16, 2007 1:26 am Post subject: |
|
|
Novice
Joined: 07 Dec 2006
Posts: 13
|
Yes still get 2035 even when I put mqm as MCA on the Server Connection.
That is because it keeps sending COMP2\username as the user, and I can't add COMP2\username as a user in Comp1 (atleast that I know of)  |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Jan 16, 2007 1:39 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Picard wrote: |
Yes still get 2035 even when I put mqm as MCA on the Server Connection.
That is because it keeps sending COMP2\username as the user, and I can't add COMP2\username as a user in Comp1 (atleast that I know of) |
In theory at least, setting an MCA User causes that user to be used for MQ authentication rather than the passed in user - that's sort of the point of the field, and why using mqm is such a bad idea. Anything passed down a channel with mqm (like PCF commands to set up new channels or delete queues) runs with mqm authority. The point of the field is to avoid the need to set up local ids.
Check the channel settings & consider enabling security events. Something odd is happening in your set up.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Jan 16, 2007 1:41 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
Also what CSD level of 5.3 are you using?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| exerk |
| Posted: Tue Jan 16, 2007 2:15 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
Am I being thicker than a rice pudding here? By 'mqm' do you mean MUSR_MQADMIN? Are you using 'mqm' genericaly to describe the admin account name appropriate to the platform?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Jan 16, 2007 2:18 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| exerk wrote: |
| Are you using 'mqm' genericaly to describe the admin account name appropriate to the platform? |
I certainly think that's an unwarrented assumption I'm making 
Picard - try defining (as I suggested previously) a local user on Comp1 with authorities on the queues you want to use, put that in the MCA user and try it again.
It's always the assumptions... 
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Picard |
| Posted: Tue Jan 16, 2007 3:19 am Post subject: administrator |
|
|
Novice
Joined: 07 Dec 2006
Posts: 13
|
I've tried that. I've also enabled Authority Events and this is what I see if I run the mqput command from Comp2 with the default user that is logged on (ie Administrator)
Authorization failed because the SID for entity 'administrato' cannot be obtained.
The Object Authority Manager was unable to obtain a SID for the specified entity.
Ensure that the entity is valid, and that all necessary domain controllers are available.
This I can understand as Administrator has 13 characters, and only 12 is allowed. I can see how this might be a problem.
But if I create a user called 'mqtest' on both Comp1 and Comp2, and run the mqput-command with that user on Comp2, I get this instead:
Entity 'mqtest' has insufficient authority to access object 'Comp1'.
The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: connect.
Ensure that the correct level of authority has been set for this entity against the required object, or ensure that the entity is a member of a privileged group.
Ok, fair enough. I give mqtest +put authority on the queue called 'temp' (which is the name of the queue I'm trying to put stuff into), but I still get 2035!
So why on earth won't it
1) Accept that I've put 'mqm' on the MCA on the Server Connection?
2) Allow me to put stuff on the queue when I've added a user that exist on both systems with the proper capabilities?
Weird |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Jan 16, 2007 3:24 am Post subject: Re: administrator |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Picard wrote: |
Entity 'mqtest' has insufficient authority to access object 'Comp1'.
The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: connect.
Ensure that the correct level of authority has been set for this entity against the required object, or ensure that the entity is a member of a privileged group.
Ok, fair enough. I give mqtest +put authority on the queue called 'temp' (which is the name of the queue I'm trying to put stuff into), but I still get 2035!
|
So why is it "weird" that when the user doesn't have connect permission, adding "put" doesn't fix it?? 
Try adding "connect" permission and retry..... 
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Picard |
| Posted: Tue Jan 16, 2007 3:26 am Post subject: |
|
|
Novice
Joined: 07 Dec 2006
Posts: 13
|
| Well I've tried '+all' and I still get the same error. |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Jan 16, 2007 3:27 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Picard wrote: |
| Well I've tried '+all' and I still get the same error. |
Against the queue, or the queue manager? "Connect" is a queue manager permission, not a queue one.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Jan 16, 2007 3:28 am Post subject: Re: administrator |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Picard wrote: |
So why on earth won't it
1) Accept that I've put 'mqm' on the MCA on the Server Connection?
|
What is PUTAUT set to on the channel?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Jan 16, 2007 3:34 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| exerk wrote: |
| Am I being thicker than a rice pudding here? By 'mqm' do you mean MUSR_MQADMIN? Are you using 'mqm' genericaly to describe the admin account name appropriate to the platform? |
This is also a valid point - "mqm" as a MCA user won't work on a Windows machine unless it's been deliberately added & authorised. So just putting mqm in MCA user will still give a 2035, just for a different reason... 
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| exerk |
| Posted: Tue Jan 16, 2007 3:51 am Post subject: Re: administrator |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Picard wrote: |
...Authorization failed because the SID for entity 'administrato' cannot be obtained...
This I can understand as Administrator has 13 characters, and only 12 is allowed. I can see how this might be a problem. |
Not knowing your exact setup but according to our Win Admins...
The SID for the 'Administrator' account being passed from the W23K machine will NOT match the SID of the 'Administrator' account on the NT machine, hence the error
I think you'll find the name is truncated in the output print but still resolves to the account.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| Picard |
| Posted: Tue Jan 16, 2007 3:53 am Post subject: |
|
|
Novice
Joined: 07 Dec 2006
Posts: 13
|
PUTAUT isn't set at all, and I must admit I'm not entirely sure how to do so.
It's grayed out when I look at the svrconn through MQ Explorer and I can't see where in mqsc I'm suppose to see it. |
|
| Back to top |
|
|
|
|
