pintrader
Posted: Thu May 29, 2014 9:49 pm Post subject: setmqaut - invalid group
Disciple
Joined: 22 Jan 2014 Posts: 164

fjb_saper
Posted: Fri May 30, 2014 4:58 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

try -g "domain\group" or -g "group@domain"
Make sure your group name is not longer than 12 bytes.
Have fun
_________________
MQ & Broker admin

pintrader
Posted: Fri May 30, 2014 3:51 pm Post subject:
Disciple
Joined: 22 Jan 2014 Posts: 164

fjb_saper wrote:
try -g "domain\group" or -g "group@domain"
Make sure your group name is not longer than 12 bytes.
Have fun :innocent:

Thanks. Will try with the double quotes on.

longnguk
Posted: Fri May 30, 2014 4:41 pm Post subject:
Novice
Joined: 16 Aug 2006 Posts: 19 Location: Phoenix

You will need to update the qm.ini file to include support for Domain groups
Code:
Security:
   GroupModel=GlobalGroups

By default the support is not enabled, hence the error message!

fjb_saper
Posted: Sat May 31, 2014 3:17 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

longnguk wrote:
You will need to update the qm.ini file to include support for Domain groups
Code:
Security:
   GroupModel=GlobalGroups

By default the support is not enabled, hence the error message!

Not quite. This depends on the permissions of the service user.
The security stanza referenced above will allow you to supply the group name without any reference to the default domain.
However, when you explicitly reference the domain, the security stanza should not be needed.
What will be needed is the ability for the service user to read group membership in the referenced domain...
And yes, the group name cannot exceed 12 bytes or it will get truncated, creating a "no match" or group name invalid condition.
Note my reference to 12 bytes and not 12 chars, as some chars may translate into multiple bytes in UTF-8...
Have fun
_________________
MQ & Broker admin

longnguk
Posted: Sat May 31, 2014 10:01 am Post subject:
Novice
Joined: 16 Aug 2006 Posts: 19 Location: Phoenix

fjb_saper wrote:
...However, when you explicitly reference the domain, the security stanza should not be needed.
Have fun

In my experience, the Security stanza is needed, just as the documentation indicates:
Quote:
GroupModel=GlobalGroups
This attribute determines whether the OAM checks global groups when determining the group membership of a user on Windows.
The default is not to check global groups.

In other words, the OAM would only check local groups for the named Domain group, and since it can't find it, hence the error AMQ7026.
If you have time, perform a quick test on your theory of not having the Security stanza and enlighten me. Am I missing something, perhaps?

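An added example, not code from the thread or from IBM MQ, that pre-checks a setmqaut -g value against the two points raised in the posts above: the 12-byte limit on the bare group name (measured in UTF-8 bytes, not characters) and whether an unqualified name can be resolved when the qm.ini Security stanza lacks GroupModel=GlobalGroups. The qm.ini text is constructed, the stanza parser is a simplification of the real file format, and the checks are assumptions drawn from the posts rather than the OAM's own validation logic.

```python
from typing import List, Optional, Tuple
MAX_GROUP_BYTES = 12  # limit stated in the thread: UTF-8 bytes, not characters

# Constructed sample qm.ini (not from any real queue manager).
SAMPLE_QM_INI = """\
Log:
   LogPrimaryFiles=3
Security:
   GroupModel=GlobalGroups
"""

def parse_group_arg(arg: str) -> Tuple[Optional[str], str]:
    """Split a -g value into (domain, group). Accepts 'DOMAIN\\group' and
    'group@DOMAIN' (the two forms suggested in the thread) or a bare 'group'."""
    if "\\" in arg:
        domain, group = arg.split("\\", 1)
        return domain, group
    if "@" in arg:
        group, domain = arg.rsplit("@", 1)
        return domain, group
    return None, arg

def global_groups_enabled(qm_ini_text: str) -> bool:
    """True when the Security: stanza carries GroupModel=GlobalGroups."""
    stanza = None
    for raw in qm_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":"):  # stanza header, e.g. "Security:"
            stanza = line[:-1]
            continue
        if stanza == "Security" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "GroupModel" and value.lower() == "globalgroups":
                return True
    return False

def check_group_arg(arg: str, qm_ini_text: str) -> List[str]:
    """Problems to fix before running setmqaut; an empty list means it looks usable."""
    domain, group = parse_group_arg(arg)
    problems = []
    nbytes = len(group.encode("utf-8"))
    if nbytes > MAX_GROUP_BYTES:
        problems.append(f"group {group!r} is {nbytes} UTF-8 bytes (> {MAX_GROUP_BYTES}): it would be truncated")
    if domain is None and not global_groups_enabled(qm_ini_text):
        problems.append("no domain given and GroupModel=GlobalGroups not set: only local groups are checked")
    if " " in group:
        problems.append("group contains a space: pass the whole -g value in double quotes")
    return problems
```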
fjb_saper
Posted: Sat May 31, 2014 3:02 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

We usually add the global group into the corresponding local group as well...
Should be relatively easy to check...
One of the side effects of the global group stanza is to not have to specify the (default) domain when running the setmqaut command.
If you omit the domain and the group does not exist as a local group, you get an error message if the GlobalGroups is not set.
_________________
MQ & Broker admin

pintrader
Posted: Sun Jun 01, 2014 6:33 pm Post subject:
Disciple
Joined: 22 Jan 2014 Posts: 164

Thanks for all your help and suggestions. I currently still do not have access to the server to test your suggestions, but I do remember that the last time I also tried using MQ Explorer (in addition to command line setmqaut) to give group permissions (using Object authorities) but also could not create the permission.
I will try all your suggestions once I get access.
Thanks again

pintrader
Posted: Sun Jun 01, 2014 6:39 pm Post subject:
Disciple
Joined: 22 Jan 2014 Posts: 164

fjb_saper wrote:
What will be needed is the ability for the service user to read group membership in the referenced domain...
And yes, the group name cannot exceed 12 bytes or it will get truncated, creating a "no match" or group name invalid condition.

Hi, are you referring to this doc: http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/index.jsp?topic=%2Fcom.ibm.mq.ins.doc%2Fq008840_.htm, where you need to give Domain mqm the "Read group membership" and "Read groupMembershipSAM" permissions? Yes, I did follow the instructions to give Domain mqm these rights. Also my group is only 5 characters => MYVCS

fjb_saper
Posted: Mon Jun 02, 2014 5:07 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

That's exactly what I was referring to. Now make sure your MQ service ID is part of that group. If you changed the group membership of the service ID, be aware that you have to bounce the MQ service for it to take effect.
Have fun
_________________
MQ & Broker admin

pintrader
Posted: Sun Jun 22, 2014 11:35 pm Post subject:
Disciple
Joined: 22 Jan 2014 Posts: 164

Hi
I have tried putting the double quotes in, but the same error happens: AMQ7026; A principal or group name is not valid.
The only thing I haven't done is putting my MYSVC group into the Domain mqm group. (I have no access to AD right now, so will do it later.)
(MYSVC is a group I created in Active Directory. Inside this group I will give some users access to MQ, hence I need to assign permission to MYSVC, using -g "MYSVC@mydomain".)
Thanks

smdavies99
Posted: Mon Jun 23, 2014 12:08 am Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.

I just did a test on a rig of mine.
I added the user to AD.
Then I auth'd the user to use a channel using MQ Explorer (user=myservice).
All I specified was the AD username (myservice). WMQ added the AD domain for me.
The qm.ini is all the default settings.
Then I dumped the config with dmpmqcfg.
Here is the AUTHREC record:
Code:
SET AUTHREC +
PROFILE('GLASSFISH.SVRCONN') +
PRINCIPAL('myservice@XXX-SYS-TEST') +
OBJTYPE(CHANNEL) +
AUTHADD(CHG,DLT,DSP,CTRL,CTRLX)

I don't see a lot wrong with that. Perhaps you should switch from 'setmqaut' to using AUTHREC records inside 'runmqsc'.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

smdavies99
Posted: Mon Jun 23, 2014 12:09 am Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.

Sorry. Network glitch caused a double post of the same thing.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

pintrader
Posted: Mon Jun 23, 2014 12:17 am Post subject:
Disciple
Joined: 22 Jan 2014 Posts: 164

Hi
In version 7.0 WMQ the -g option only applies to local groups. But now version 7.5 allows you to enter a domain group.
I tried setmqaut ... -g "MyDomain\Domain Users". Domain Users is an actual group that is in the AD. When I went to check its object authority, it is shown as being created. However, when I try to delete the authority, it gives me AMQ4808: Unknown Group "Domain Users@MyDomain".
What is happening?
Also, in the document: http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.adm.doc/q021310_.htm?lang=en
Code:
Medium-grained access control
MQTT clients are divided into different groups to publish and subscribe to different sets of topics, and to send messages to MQTT clients.
Procedure
Create multiple user IDs, mqttUsers, and multiple administrative topics in the publish/subscribe topic tree.
Authorize different mqttUsers to different topics.
setmqaut -m qMgr -t topic -n topic1 -p mqttUserA -all +pub +sub
setmqaut -m qMgr -t topic -n topic2 -p mqttUserB -all +pub +sub
Create a group mqtt, and add all mqttUsers to the group.
Authorize mqtt to send topics to MQTT clients.
setmqaut -m qMgr -t q -n SYSTEM.MQTT.TRANSMIT.QUEUE -p mqtt -all +put

Why is it using -p for the mqtt group? Shouldn't it be -g? Because it says "Create a group mqtt".
Last edited by pintrader on Mon Jun 23, 2014 12:21 am; edited 2 times in total

pintrader
Posted: Mon Jun 23, 2014 12:19 am Post subject:
Disciple
Joined: 22 Jan 2014 Posts: 164

smdavies99 wrote:
I just did a test on a rig of mine.
I added the user to AD.
Then I auth'd the user to use a channel using MQ Explorer (user=myservice).
All I specified was the AD username (myservice). WMQ added the AD domain for me.
The qm.ini is all the default settings.
Then I dumped the config with dmpmqcfg.
Here is the AUTHREC record:
Code:
SET AUTHREC +
PROFILE('GLASSFISH.SVRCONN') +
PRINCIPAL('myservice@XXX-SYS-TEST') +
OBJTYPE(CHANNEL) +
AUTHADD(CHG,DLT,DSP,CTRL,CTRLX)

I don't see a lot wrong with that. Perhaps you should switch from 'setmqaut' to using AUTHREC records inside 'runmqsc'.

Hi smdavies, thanks, you have always been so helpful (as have the rest :) ). My bad, I am confusing Organizational Units and groups in AD. Sorry, I am not an AD person. So I guess MYSVC cannot be used with -g, as MYSVC is an organizational unit. I will create an actual group and try again.