murdeep
Posted: Tue Jan 10, 2012 10:42 am Post subject: Userid and SIDs on Windows
Master
Joined: 03 Nov 2004 Posts: 211

WMQ V7.0.1.6
WMB V6.1.0.9
W2K 5.2 SP2
Been tinkering with COA and COD report messages. Have RTM'd but haven't found any doc on the following.
I'm hitting the old COD report message going to SDLQ. So I used WMB to set the MQMD.UserIdentifier and have come across something that I cannot figure out.
I use amqsput to put a message to my flow input queue. Here's what it looks like on the flow input queue:
Code:
AMQSBCG0 - starts here
**********************
MQOPEN - 'TEST.IN'
MQGET of message number 1
****Message descriptor****
StrucId : 'MD ' Version : 2
Report : 0 MsgType : 8
Expiry : -1 Feedback : 0
Encoding : 546 CodedCharSetId : 437
Format : 'MQSTR '
Priority : 0 Persistence : 0
MsgId : X'414D512051534853425430312020202024EC094F217E6E1B'
CorrelId : X'000000000000000000000000000000000000000000000000'
BackoutCount : 0
ReplyToQ : ' '
ReplyToQMgr : 'QSHSBT01 '
** Identity Context
UserIdentifier : 'user '
AccountingToken :
X'16010515000000AB2BE9904788DC8456B5CD209B86030000000000000000000B'
ApplIdentityData : ' '
** Origin Context
PutApplType : '11'
PutApplName : 'WebSphere MQ\bin\amqsput.exe'
PutDate : '20120110' PutTime : '18181907'
ApplOriginData : ' '
GroupId : X'000000000000000000000000000000000000000000000000'
MsgSeqNumber : '1'
Offset : '0'
MsgFlags : '0'
OriginalLength : '-1'
**** Message ****
length - 31 bytes
00000000: 5465 7374 206D 6573 7361 6765 2031 2E31 'Test message 1.1'
00000010: 3120 2D20 746F 2051 5348 5342 5430 32 '1 - to QSHSBT02 '
The flow then tweaks the userId to newuser and enables MQRO_COA and MQRO_COD. This is how the message looks on the output queue after exiting the flow:
Code:
AMQSBCG0 - starts here
**********************
MQOPEN - 'TEST.OUT'
MQGET of message number 1
****Message descriptor****
StrucId : 'MD ' Version : 2
Report : 2304 MsgType : 8
Expiry : -1 Feedback : 0
Encoding : 546 CodedCharSetId : 437
Format : 'MQSTR '
Priority : 0 Persistence : 0
MsgId : X'414D512051534853425430312020202024EC094F217E6E1B'
CorrelId : X'000000000000000000000000000000000000000000000000'
BackoutCount : 0
ReplyToQ : 'LOG.REPORT.MESSAGES.IN '
ReplyToQMgr : 'QSHSBT01 '
** Identity Context
UserIdentifier : 'newuser '
AccountingToken :
X'16010515000000AB2BE9904788DC8456B5CD209B86030000000000000000000B'
ApplIdentityData : ' '
** Origin Context
PutApplType : '11'
PutApplName : 'NODET01:routeToDestination '
PutDate : '20120110' PutTime : '18181907'
ApplOriginData : '6109'
GroupId : X'000000000000000000000000000000000000000000000000'
MsgSeqNumber : '1'
Offset : '0'
MsgFlags : '0'
OriginalLength : '-1'
**** Message ****
length - 31 bytes
00000000: 5465 7374 206D 6573 7361 6765 2031 2E31 'Test message 1.1'
00000010: 3120 2D20 746F 2051 5348 5342 5430 32 '1 - to QSHSBT02 '
At this point I have a COA on my LOG.REPORT.MESSAGES.IN.
Code:
AMQSBCG0 - starts here
**********************
MQOPEN - 'LOG.REPORT.MESSAGES.IN'
MQGET of message number 1
****Message descriptor****
StrucId : 'MD ' Version : 2
Report : 0 MsgType : 4
Expiry : -1 Feedback : 259
Encoding : 546 CodedCharSetId : 437
Format : 'MQSTR '
Priority : 0 Persistence : 0
MsgId : X'414D5120515348534254303220202020329EEA4E2C8E4891'
CorrelId : X'414D512051534853425430312020202024EC094F217E6E1B'
BackoutCount : 0
ReplyToQ : ' '
ReplyToQMgr : 'QSHSBT02 '
** Identity Context
UserIdentifier : 'newuser '
AccountingToken :
X'16010515000000AB2BE9904788DC8456B5CD209B86030000000000000000000B'
ApplIdentityData : ' '
** Origin Context
PutApplType : '7'
PutApplName : 'QSHSBT02 '
PutDate : '20120110' PutTime : '18212457'
ApplOriginData : ' '
GroupId : X'000000000000000000000000000000000000000000000000'
MsgSeqNumber : '1'
Offset : '0'
MsgFlags : '0'
OriginalLength : '-1'
**** Message ****
length - 0 bytes
00000000: ' '
Now I use amqsget to get the message and generate the COD. The message is consumed and the COD ends up on the SDLQ. The following event is written to the W2K appl event log:
Code:
Authorization failed as the SID 'S-1-5-21-2431200171-2229045319-550352214-231067' does not match the entity 'newuser'.
The Object Authority Manager received inconsistent data - the supplied SID does not match that of the supplied entity information.
Ensure that the application is supplying valid entity and SID information.
Now here's where I am perplexed: the SID above, ending 231067, belongs to "user". So my question is, how does WMQ know about this SID, since the MQMD.UserIdentifier of the message as it sits on the queue after COA but before COD is clearly "newuser"?
bruce2359
Posted: Tue Jan 10, 2012 1:39 pm
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.

COA report messages are sent by the receiving end MCA when it (the MCA) successfully MQPUTs the message to the destination queue. COD messages are sent by the qmgr when a consuming app MQGETs the message from the destination queue.
Search here for COA and COD. There has been much discussion on the relative value of COA and COD.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
murdeep
Posted: Tue Jan 10, 2012 2:13 pm
Master
Joined: 03 Nov 2004 Posts: 211

bruce2359 wrote:
COA report messages are sent by the receiving end MCA when it (the MCA) successfully MQPUTs the message to the destination queue. COD messages are sent by the qmgr when a consuming app MQGETs the message from the destination queue.
Search here for COA and COD. There has been much discussion on the relative value of COA and COD.
Well aware of when and by whom COA and COD messages are sent. That is not what my post is asking. But thanks for responding.
mqjeff
Posted: Tue Jan 10, 2012 2:15 pm
Grand Master
Joined: 25 Jun 2008 Posts: 17447

MQMD.UserIdentifier is not usually relevant to MQ authority issues.
murdeep
Posted: Tue Jan 10, 2012 2:51 pm
Master
Joined: 03 Nov 2004 Posts: 211

mqjeff wrote:
MQMD.UserIdentifier is not usually relevant to MQ authority issues.
Ok, but in this case isn't the MQMD.UserIdentifier checked to see if it is authorized to PUT the COD to the MQMD.ReplyToQMgr/Queue (in this case the SCTQ to QSHSBT01)?
Regardless, WMQ is doing a security check and is complaining that the SID (which belongs to user) doesn't match the entity newuser. How would it know this if it is only using the MQMD.UserIdentifier=newuser? Shouldn't WMQ only be concerned with the SID for newuser? Why is it complaining about the SID that belongs to user when that id is not in the MQMD.UserIdentifier field? This is what is perplexing.
bruce2359
Posted: Tue Jan 10, 2012 3:40 pm
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.

Code:
Authorization failed as the SID 'S-1-5-21-2431200171-2229045319-550352214-231067' does not match the entity 'newuser'.
The Object Authority Manager received inconsistent data - the supplied SID does not match that of the supplied entity information.
Ensure that the application is supplying valid entity and SID information.
WMQ passes to OAM both sid and userid from the mqmd. OAM, not WMQ, is complaining that the userid and sid of the userid do not match.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
fjb_saper
Posted: Tue Jan 10, 2012 3:51 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

Let me guess. "newuser" is not a domain user and has a different sid on this box than on the box it was set on the message.
Have fun
_________________
MQ & Broker admin
murdeep
Posted: Tue Jan 10, 2012 3:56 pm
Master
Joined: 03 Nov 2004 Posts: 211

bruce2359 wrote:
Code:
Authorization failed as the SID 'S-1-5-21-2431200171-2229045319-550352214-231067' does not match the entity 'newuser'.
The Object Authority Manager received inconsistent data - the supplied SID does not match that of the supplied entity information.
Ensure that the application is supplying valid entity and SID information.
WMQ passes to OAM both sid and userid from the mqmd. OAM, not WMQ, is complaining that the userid and sid of the userid do not match.
Yes, I just discovered that.
Appears that WMQ uses the AccountingToken to map the SID. I NULL the MQMD.AccountingToken in my flow when I change the UserIdentifier and no longer receive the AMQ8074 (the event that complains about the SID and entity).
murdeep
Posted: Tue Jan 10, 2012 3:59 pm
Master
Joined: 03 Nov 2004 Posts: 211

fjb_saper wrote:
Let me guess. "newuser" is not a domain user and has a different sid on this box than on the box it was set on the message.
Have fun
Both user and newuser are in the same domain. See my post above regarding MQMD.AccountingToken.
bruce2359
Posted: Tue Jan 10, 2012 3:59 pm
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.

murdeep
Posted: Tue Jan 10, 2012 4:03 pm
Master
Joined: 03 Nov 2004 Posts: 211

From the APR:
Quote:
On Windows, the accounting information is set to a Windows security identifier (SID) in a compressed format. The SID uniquely identifies the user identifier stored in the UserIdentifier field. When the SID is stored in the AccountingToken field, the 6-byte Identifier Authority (located in the third and subsequent bytes of the SID) is omitted. For example, if the Windows SID is 28 bytes long, 22 bytes of SID information are stored in the AccountingToken field.
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=%2Fcom.ibm.mq.csqzak.doc%2Ffr13060_.htm
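The thread's conclusion (the AccountingToken still carried the compressed SID of "user" after the flow rewrote UserIdentifier to "newuser", so the OAM rejected the inconsistent identity context with AMQ8074) can be made concrete by decoding the token that appears in the dumps above. The following is an added example, not code from the forum post or from IBM. The byte layout is taken from the APR text quoted above and from the token itself: the first byte is the length of the compressed SID (X'16' = 22 here), then revision and sub-authority count, then the sub-authorities as 4-byte little-endian integers, zero padding, and a final type byte (X'0B' in the dump; this example assumes that is the MQACTT_NT_SECURITY_ID token type). Because the 6-byte Identifier Authority is omitted from the token, the decoder assumes authority 5 (SECURITY_NT_AUTHORITY) when rebuilding the S-1-5-... string. The ENTITY_SIDS table is a constructed stand-in for the Windows account lookup; the SID for "user" is the one from the event log on this page, and the SID for "newuser" is made up for the example. check_identity_context models the consistency check bruce2359 describes; it is not MQ's own code.

```python
"""Decode the compressed Windows SID in MQMD.AccountingToken and check it
against MQMD.UserIdentifier, the way the AMQ8074 event in the thread implies.

Added example; layout inferred from the APR quote and the dumped token,
not copied from IBM code. Identifier Authority is assumed to be 5.
"""
import struct

MQ_ACCOUNTING_TOKEN_LEN = 32        # MQMD.AccountingToken is a fixed 32-byte field
ACTT_NT_SECURITY_ID = 0x0B          # type byte seen in the dump (assumed MQACTT_NT_SECURITY_ID)
ASSUMED_IDENTIFIER_AUTHORITY = 5    # omitted from the token; NT authority for user SIDs

# Token exactly as shown in the amqsbcg output on the page (all three dumps carry it).
TOKEN_FROM_DUMP = bytes.fromhex(
    "16010515000000AB2BE9904788DC8456B5CD209B86030000000000000000000B")
# What the flow sets after the fix: MQACT_NONE, 32 bytes of X'00'.
NULL_TOKEN = bytes(MQ_ACCOUNTING_TOKEN_LEN)

# Constructed directory standing in for the Windows account lookup the OAM does.
# 'user' is the SID from the AMQ8074 event; 'newuser' is invented for this example.
ENTITY_SIDS = {
    "user": "S-1-5-21-2431200171-2229045319-550352214-231067",
    "newuser": "S-1-5-21-2431200171-2229045319-550352214-999999",
}


def decode_accounting_token(token: bytes):
    """Return the SID string carried in a Windows-style AccountingToken,
    or None when the token is nulled or is not a Windows SID token."""
    if len(token) != MQ_ACCOUNTING_TOKEN_LEN:
        raise ValueError("AccountingToken must be 32 bytes")
    if token[-1] != ACTT_NT_SECURITY_ID or token[0] == 0:
        return None                                  # nothing to map: no SID in the token
    length, revision, count = token[0], token[1], token[2]
    # length covers revision + count + sub-authorities; the 6-byte authority is absent
    if revision != 1 or length != 2 + 4 * count or 3 + 4 * count > MQ_ACCOUNTING_TOKEN_LEN - 1:
        raise ValueError("malformed compressed SID in AccountingToken")
    subs = struct.unpack("<%dI" % count, token[3:3 + 4 * count])   # little-endian RIDs
    return "S-%d-%d-%s" % (revision, ASSUMED_IDENTIFIER_AUTHORITY,
                           "-".join(str(s) for s in subs))


def check_identity_context(user_identifier: str, token: bytes) -> str:
    """Model of the OAM consistency check that produced AMQ8074.

    Returns 'ok' when the token's SID belongs to the named entity,
    'mismatch' when it belongs to someone else (the thread's failure),
    and 'no-sid' when the token is nulled and only the name is available."""
    entity = user_identifier.rstrip()               # MQMD char fields are blank padded
    sid = decode_accounting_token(token)
    if sid is None:
        return "no-sid"
    if ENTITY_SIDS.get(entity) != sid:
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    print("token decodes to", decode_accounting_token(TOKEN_FROM_DUMP))
    for uid in ("user        ", "newuser     "):
        print("%-8s token-as-dumped: %-8s nulled-token: %s" % (
            uid.strip(),
            check_identity_context(uid, TOKEN_FROM_DUMP),
            check_identity_context(uid, NULL_TOKEN)))
```

Running it reproduces the event log: the token decodes to S-1-5-21-2431200171-2229045319-550352214-231067, which is consistent with UserIdentifier "user" but not with "newuser". With the token nulled, as the flow was changed to do, there is no SID to contradict the entity name, which is why the AMQ8074 event stopped. The practical rule for anything that sets identity context (a broker flow, an application using MQPMO_SET_IDENTITY_CONTEXT) is to treat UserIdentifier and AccountingToken as one unit: either rewrite both consistently or clear the token when the user identifier changes.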