  MQSeries.net
Authentication for Windows users connecting to SUSE MQServer
pezi
Posted: Wed Feb 15, 2017 6:17 am Post subject: Authentication for Windows users connecting to SUSE MQServer

Novice

Joined: 08 Feb 2008
Posts: 15
Location: Vienna/Austria

Hi,

I am trying to install an MQ 8.0 server on SUSE Linux (SLES11) and have already set up a QM, channel, listener and a sample queue.
Now I am trying to connect to this queue via my MQ client on Windows and get the reason code 2035 (no authentication I think).

When I was running the MQServer on Windows I just had to add the Windows user to the local user group MQM.

Now the server is on Linux and I do not have access to the user administration.

Is there another way to authenticate a user connecting to the MQServer without having to add him to the MQM user group?
If not, in which form do I need to add the Windows user to be accepted by the MQServer (e.g. <domain name>\<user name>)?

Thanks for your hints

Peter
Vitor
Posted: Wed Feb 15, 2017 6:31 am Post subject: Re: Authentication for Windows users connecting to SUSE MQSer

Grand High Poobah

Joined: 11 Nov 2005
Posts: 24391
Location: Ohio, USA

pezi wrote:
When I was running the MQServer on Windows I just had to add the Windows user to the local user group MQM.


This wasn't a good idea even on Windows. Membership of the mqm group should be seriously restricted.

pezi wrote:
Now the server is on Linux and I do not have access to the user administration.


Well, someone does.

pezi wrote:
Is there another way to authenticate a user connecting to the MQServer without having to add him to the MQM user group?
If not, in which form do I need to add the Windows user to be accepted by the MQServer (e.g. <domain name>\<user name>)?


No Linux server will understand the Windows format of <domain name>\<user name>. You need to provide a valid Linux user by one of the methods MQ offers (MCA user, channel authority record mapping, etc.) and make sure that Linux user has the needed authorities. Note that on Linux, MQ authorities apply at the group, not the user, level - user-level authorities are specific to the Windows OS. So be careful not to accidentally authorize more people than you mean.
_________________
Honesty is the best policy.
Insanity is the best defence.
exerk
Posted: Wed Feb 15, 2017 7:43 am Post subject: Re: Authentication for Windows users connecting to SUSE MQSer

Jedi Council

Joined: 02 Nov 2006
Posts: 5675

Vitor wrote:
...Note that on Linux, MQ authorities apply at the group not the user level - user level authorities are specific to the Windows OS...

A slight clarification (dependent on MQ version of course):

Quote:
Using the -p attribute on the setmqaut command does not grant access to all users in the same primary group, when user-based authorizations are enabled in the qm.ini file as described in Service stanza format.


The above extract from HERE.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
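
The mapping and authorization steps from the two replies above, as an added example that is not part of any post in this thread: a shell helper that prints, for review, the channel authentication record and `setmqaut` commands for a dedicated Linux user, and refuses Windows-style names and the mqm identity. The queue manager, channel, user, group and queue names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: print (do not run) the commands for mapping a client user to
# a dedicated Linux user with least privilege. All names are placeholders.

# Reject Windows-style DOMAIN\user names, which a Linux queue manager cannot
# resolve, and the mqm identity, which carries full MQ admin authority.
check_identity() {
  case "$1" in
    "")    echo "empty identity" >&2; return 1 ;;
    *\\*)  echo "not a Linux name: $1" >&2; return 1 ;;
    mqm)   echo "refusing to authorise mqm" >&2; return 1 ;;
  esac
}

# mq_authz_plan QMGR CHANNEL CLIENT_USER LINUX_USER GROUP QUEUE [group|user]
mq_authz_plan() {
  local qm=$1 chl=$2 clnt=$3 mca=$4 grp=$5 q=$6 mode=${7:-group} who
  check_identity "$mca" || return 1
  check_identity "$grp" || return 1
  case "$mode" in
    group) who="-g $grp" ;;   # every member of the group gets the authority
    user)  who="-p $mca"      # user-scoped only with SecurityPolicy=user
           echo "note: without SecurityPolicy=user in the qm.ini Service stanza, -p authorises the user's primary group" >&2 ;;
    *)     echo "mode must be group or user" >&2; return 1 ;;
  esac
  # Channel authentication record: client-asserted user -> Linux MCAUSER.
  printf "echo \"SET CHLAUTH('%s') TYPE(USERMAP) CLNTUSER('%s') USERSRC(MAP) MCAUSER('%s') ACTION(REPLACE)\" | runmqsc %s\n" \
    "$chl" "$clnt" "$mca" "$qm"
  # Minimum authorities for a put/get application, then a read-back to verify.
  printf 'setmqaut -m %s -t qmgr %s +connect +inq\n' "$qm" "$who"
  printf 'setmqaut -m %s -n %s -t queue %s +put +get +inq +browse\n' "$qm" "$q" "$who"
  printf 'dspmqaut -m %s -n %s -t queue %s\n' "$qm" "$q" "$who"
}

# Constructed sample values; review the printed commands before running them.
mq_authz_plan QM1 APP.SVRCONN peter mqapp mqapps SAMPLE.QUEUE
```
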

Vitor
Posted: Wed Feb 15, 2017 8:56 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 24391
Location: Ohio, USA

I stand rightly corrected
_________________
Honesty is the best policy.
Insanity is the best defence.
exerk
Posted: Thu Feb 16, 2017 12:11 am

Jedi Council

Joined: 02 Nov 2006
Posts: 5675

Vitor wrote:
I stand rightly corrected

There's so much new function these days that it's very difficult to remember all the detail...

...I prefer to think of it as reminded rather than corrected.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

gbaddeley
Posted: Thu Feb 16, 2017 3:42 pm

Padawan

Joined: 25 Mar 2003
Posts: 1681
Location: Melbourne, Australia

Quote:
get the reason code 2035 (no authentication I think)

2035 covers a multitude of authorization sins. You need to check the exact reason for failure in the qmgr error logs, then make an appropriate choice to remediate.

Adding a user to the mqm group gives full MQ admin authority. It should only be done if the user needs direct MQ administrator access. There are arguments against having anyone in the mqm group.
_________________
Glenn
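
One way to do the error-log check described above, as an added example that is not part of the original post: a shell function that counts the authorization-related message IDs in a queue manager error log and attaches a short hint to each. The sample log lines are constructed, and the hints are this example's own wording.

```shell
#!/usr/bin/env bash
# Added example: summarise authorization-related messages in a queue manager
# error log (by default /var/mqm/qmgrs/<QMGR>/errors/AMQERR01.LOG) so that a
# client-side 2035 can be traced to its actual cause.

# Message ID -> hint. Hints are this example's own summaries.
hint_for() {
  case "$1" in
    AMQ8077) echo "entity lacks authority on an object: grant it with setmqaut" ;;
    AMQ9776) echo "channel blocked by userid: a CHLAUTH rule blocks that user" ;;
    AMQ9777) echo "channel blocked: a CHLAUTH rule blocks the connection" ;;
    AMQ5653) echo "user not defined on the server OS: map to a Linux user" ;;
    AMQ9557) echo "queue manager could not initialise the user ID" ;;
    *) return 1 ;;
  esac
}

# triage_2035 [LOGFILE] -> "count id hint" lines, most frequent first.
# Reads stdin when no file is given; IDs without a hint are skipped.
triage_2035() {
  grep -oE '^AMQ[0-9]{4}' "${1:--}" | sort | uniq -c | sort -rn |
  while read -r n id; do
    if h=$(hint_for "$id"); then printf '%s %s %s\n' "$n" "$id" "$h"; fi
  done
}

# Constructed log excerpt in the error-log layout (not taken from the thread).
sample_log() {
  cat <<'EOF'
02/15/2017 06:15:02 AM - Process(4242.7) User(mqm) Program(amqzlaa0)
                    Host(sles11) Installation(Installation1)
AMQ5653: The user 'peter' is not defined.
02/15/2017 06:15:02 AM - Process(4242.7) User(mqm) Program(amqzlaa0)
AMQ8077: Entity 'peter' has insufficient authority to access object 'QM1'.
02/15/2017 06:20:10 AM - Process(4250.3) User(mqm) Program(amqrmppa)
AMQ9777: Channel was blocked
02/15/2017 06:21:10 AM - Process(4242.9) User(mqm) Program(amqzlaa0)
AMQ8077: Entity 'mqapp' has insufficient authority to access object 'SAMPLE.QUEUE'.
AMQ9999: Channel 'APP.SVRCONN' ended abnormally.
EOF
}

sample_log | triage_2035
```
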
fjb_saper
Posted: Fri Feb 17, 2017 12:18 am

Grand Poobah

Joined: 18 Nov 2003
Posts: 19206
Location: LI,NY

gbaddeley wrote:
Quote:
get the reason code 2035 (no authentication I think)

2035 covers a multitude of authorization sins. You need to check the exact reason for failure in the qmgr error logs, then make an appropriate choice to remediate.

Adding a user to the mqm group gives full MQ admin authority. It should only be done if the user needs direct MQ administrator access. There are arguments against having anyone in the mqm group.


You mean anyone but the mqm user in the mqm group, right?
_________________
MQ & Broker admin
gbaddeley
Posted: Sun Feb 19, 2017 3:47 pm

Padawan

Joined: 25 Mar 2003
Posts: 1681
Location: Melbourne, Australia

fjb_saper wrote:
You mean anyone but the mqm user in the mqm group, right?

Yes. Ideally, mqm should be the only userid that has mqm as its primary group. No other userids should have mqm as a secondary group membership. All local MQ admin tasks should be done via 'sudo su - mqm' logon to mqm. YMMV
_________________
Glenn