pezi |
Posted: Wed Feb 15, 2017 6:17 am Post subject: Authentication for windows users connecting to SUSE MQServer |
|
|
 Novice
Joined: 08 Feb 2008 Posts: 15 Location: Vienna/Austria
|
Hi,
I try to install an MQ 8.0 server on SUSE Linux (SLES11) and have already set up a QM, Channel, Listener and a sample queue.
Now I try to connect to this queue via my MQ client on Windows and get the reason code 2035 (no authentication I think).
When I was running the MQServer on Windows I just had to add the windows user into the local user group MQM.
Now the server is on Linux and I do not have access to the user administration.
Is there another way to authenticate a user connecting to the MQServer without having to add him to the MQM user group?
If not, in which form do I need to add the windows user to be accepted by the MQServer (e.g. <domain name>\<user name>)?
Thanks for your hints
Peter |
Vitor |
Posted: Wed Feb 15, 2017 6:31 am Post subject: Re: Authentication for windows users connecting to SUSE MQSer |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
pezi wrote: |
When I was running the MQServer on Windows I just had to add the windows user into the local user group MQM. |
This wasn't a good idea even on Windows. Membership of the mqm group should be seriously restricted.
pezi wrote: |
Now the server is on Linux and I do not have access to the user administration. |
Well someone does.
pezi wrote: |
Is there another way to authenticate a user connecting to the MQServer without having to add him to the MQM user group?
If not, in which form do I need to add the windows user to be accepted by the MQServer (e.g. <domain name>\<user name>)? |
No Linux server will understand the windows format of <domain name>\<user name>. You need to provide a valid Linux user by one of the methods MQ offers (MCA user, channel authority record mapping, etc.) and make sure that Linux user has the needed authorities. Note that on Linux, MQ authorities apply at the group not the user level - user level authorities are specific to the Windows OS. So be careful not to accidentally authorize more people than you mean.
_________________
Honesty is the best policy.
Insanity is the best defence. |
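
The approach described in the reply above (map the connecting client to a non-mqm Linux user with a channel authentication record, then grant that user's group only the authorities it needs), as an added example that is not part of any post in this thread. The names QM1, APP.SVRCONN, SAMPLE.QUEUE and the Linux user/group mqapp are assumptions, and "pezi" stands in for whatever user ID the Windows client asserts; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Constructed names (assumptions, not from the thread): QM1, APP.SVRCONN,
# SAMPLE.QUEUE, Linux user/group "mqapp"; "pezi" is the client-asserted ID.
QMGR=${QMGR:-QM1}
CHANNEL=${CHANNEL:-APP.SVRCONN}
QUEUE=${QUEUE:-SAMPLE.QUEUE}
CLIENT_USER=${CLIENT_USER:-pezi}
MCA_USER=${MCA_USER:-mqapp}
MCA_GROUP=${MCA_GROUP:-mqapp}
APPLY=${APPLY:-0}   # 0 = dry run (print only), 1 = execute (run as mqm)

# True when the given Linux user is a member of the mqm group.
in_mqm() { id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx mqm; }

# Print one command, or execute it when APPLY=1.
run() { if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi; }

# MQSC rules: a back-stop rule denies every address on the channel, then the
# more specific USERMAP rule admits one client ID and runs it as $MCA_USER.
# CLNTUSER is only the ID the client asserts; the rule maps it, not verifies it.
chlauth_mqsc() {
  if in_mqm "$MCA_USER"; then
    echo "refusing: $MCA_USER is in mqm (full MQ admin authority)" >&2
    return 1
  fi
  cat <<EOF
SET CHLAUTH('$CHANNEL') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE)
SET CHLAUTH('$CHANNEL') TYPE(USERMAP) CLNTUSER('$CLIENT_USER') USERSRC(MAP) MCAUSER('$MCA_USER') ACTION(REPLACE)
EOF
}

# Grant by group (-g): every member of $MCA_GROUP receives these authorities,
# so keep that group limited to the one service user.
grant() {
  run setmqaut -m "$QMGR" -t qmgr -g "$MCA_GROUP" +connect +inq
  run setmqaut -m "$QMGR" -n "$QUEUE" -t queue -g "$MCA_GROUP" +put +get +browse +inq
}

main() {
  rules=$(chlauth_mqsc) || return 1
  if [ "$APPLY" = 1 ]; then printf '%s\n' "$rules" | runmqsc "$QMGR"; else printf '%s\n' "$rules"; fi
  grant
}
if [ "${1:-}" = "plan" ]; then main; fi
```

Run it with the argument `plan` to review the generated MQSC and setmqaut commands before executing them with APPLY=1.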
exerk |
Posted: Wed Feb 15, 2017 7:43 am Post subject: Re: Authentication for windows users connecting to SUSE MQSer |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Vitor wrote: |
...Note that on Linux, MQ authorities apply at the group not the user level - user level authorities are specific to the Windows OS... |
A slight clarification (dependent on MQ version of course):
Quote: |
Using the -p attribute on the setmqaut command does not grant access to all users in the same primary group, when user-based authorizations are enabled in the qm.ini file as described in Service stanza format. |
The above extract from HERE.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
Vitor |
Posted: Wed Feb 15, 2017 8:56 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
I stand rightly corrected
_________________
Honesty is the best policy.
Insanity is the best defence. |
exerk |
Posted: Thu Feb 16, 2017 12:11 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Vitor wrote: |
I stand rightly corrected  |
There's so much new function these days that it's very difficult to remember all the detail...
...I prefer to think of it as reminded rather than corrected.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
gbaddeley |
Posted: Thu Feb 16, 2017 3:42 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
Quote: |
get the reason code 2035 (no authentication I think) |
2035 covers a multitude of authorization sins. You need to check the exact reason for failure in the qmgr error logs, then make an appropriate choice to remediate.
Adding a user to the mqm group gives full MQ admin authority. It should only be done if the user needs direct MQ administrator access. There are arguments against having anyone in the mqm group.
_________________
Glenn |
fjb_saper |
Posted: Fri Feb 17, 2017 12:18 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
gbaddeley wrote: |
Quote: |
get the reason code 2035 (no authentication I think) |
2035 covers a multitude of authorization sins. You need to check the exact reason for failure in the qmgr error logs, then make an appropriate choice to remediate.
Adding a user to the mqm group gives full MQ admin authority. It should only be done if the user needs direct MQ administrator access. There are arguments against having anyone in the mqm group. |
You mean anyone but the mqm user in the mqm group, right?
_________________
MQ & Broker admin |
gbaddeley |
Posted: Sun Feb 19, 2017 3:47 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
fjb_saper wrote: |
You mean anyone but the mqm user in the mqm group, right?  |
Yes. Ideally, mqm should be the only userid that has mqm as its primary group. No other userids should have mqm as a secondary group membership. All local MQ admin tasks should be done via 'sudo su - mqm' logon to mqm. YMMV
_________________
Glenn |