| Author |
Message
|
| n0ahz0rk |
 Posted: Wed Sep 08, 2004 9:12 pm Post subject: Windows 5.3 Server and Client install - 2035 error |
 |
|
Novice
Joined: 08 Sep 2004
Posts: 12
|
Hi,
I have just completed an install of mqserver on one machine and mqclient on another machine. (Both machines WinXP pro).
I created a queue manager by using the following commands (not prefixed by #)
# define queue manager
crtmqm -q QUEUE.MANAGER
# start queue manager
strmqm QUEUE.MANAGER
# Start MQSC commands
runmqsc QUEUE.MANAGER
# Define queues
DEFINE QLOCAL(QUEUE1)
# Create a server-connection channel
DEFINE CHANNEL(CHANNEL1) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER(' ')
# Create a client-connection channel
DEFINE CHANNEL(CHANNEL1) CHLTYPE(CLNTCONN) TRPTYPE(TCP) QMNAME('QUEUE.MANAGER') CONNAME('10.6.115.45(1414)')
# Stop MQSC
end
# Start a listener
runmqlsr -t tcp -m QUEUE.MANAGER -p 1414
Then I copied the file AMQCLCHL.TAB from the C:\Program Files\IBM\WebSphere MQ\Qmgrs\QUEUE!MANAGER\@ipcc directory on the machine that has the mqserver to the C:\Program Files\IBM\WebSphere MQ\ChannelTable directory on the machine that has mqclient.
Then on the mqclient machine, I set the following two system environment variables, MQCHLLIB=C:\Program Files\IBM\WebSphere MQ\ChannelTable and MQCHLTAB=AMQCLCHL.TAB
Then on the client machine I tried to run the sample program:
amqsgetc QUEUE1 QUEUE.MANAGER
The output is:
Sample AMQSGET0 start
MQCONN ended with reason code 2035 
I realise this is an authorisation failure, I'm not sure how to fix it though. The client machine is on a domain, the server machine is not. Do the machines both need to be on a domain for a trusted connection ?? Or is there some way I can set it up to accept this client.
Thanks in advance.... sorry for the long post.
Regards,
Noah. |
|
| Back to top |
|
 |
| n0ahz0rk |
| Posted: Wed Sep 08, 2004 9:43 pm Post subject: |
|
|
Novice
Joined: 08 Sep 2004
Posts: 12
|
Further to this, the AMQERR01.LOG from the server machine under the Qmgrs\QUEUE!MANAGER\errors directory has the following message:
9/9/2004 15:39:17
AMQ8075: Authorization failed because the SID for entity 'ClientUser' cannot be obtained.
EXPLANATION:
The Object Authority Manager was unable to obtain a SID for the specified entity.
ACTION:
Ensure that the entity is valid, and that all necessary domain controllers are available.
----- amqzfubn.c : 1945 ------------------------------------------------------- |
|
| Back to top |
|
|
| JasonE |
| Posted: Thu Sep 09, 2004 1:40 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003
Posts: 1220
Location: Hursley
|
At a guess these are 2 standalone (not domain) machines, and on the client machine you are signed on as 'ClientUser' which is invalid on the server machine.
Lookup is done by SID if possible, then userid. In your case a simple solution woulod be to define the id "clientuser" on the server machine |
|
| Back to top |
|
|
| Nigelg |
| Posted: Thu Sep 09, 2004 1:57 am Post subject: |
|
|
Grand Master
Joined: 02 Aug 2004
Posts: 1046
|
| ALternatively, set MCAUSER on the SVRCONN channel to an autorised user on the server. |
|
| Back to top |
|
|
| n0ahz0rk |
| Posted: Thu Sep 09, 2004 4:03 am Post subject: |
|
|
Novice
Joined: 08 Sep 2004
Posts: 12
|
Correct you are JasonE, I added an account for 'ClientUser' on the server machine and added it to the mqm group and the connection is now fine.
Thanks.  |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Thu Sep 09, 2004 5:53 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Just realize that that user, being in the mqm group, has full authority to do anything to any MQ objects on that QM.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| n0ahz0rk |
| Posted: Thu Sep 09, 2004 5:17 pm Post subject: |
|
|
Novice
Joined: 08 Sep 2004
Posts: 12
|
OK, thanks for the help.
I found that when I tried to connect to the queue manager from the same sample program (amqsgetc) on a Unix box (also has MQClient 5.3), I don't get the 2035 error, but there is certainly no account on the MQ Server machine for the Unix user.
Any ideas why this is different ?
Noah. |
|
| Back to top |
|
|
| JasonE |
| Posted: Fri Sep 10, 2004 12:21 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003
Posts: 1220
Location: Hursley
|
Unless you put an MCAUSERID (forces the inbound userid), a security exit etc in place then the inbound userid is the one you are signed on with, and for which validation will occur.
What userid are you signed on with on the Unix box. Is the Windows server in a domain? Could there be a domain user with that name? |
|
| Back to top |
|
|
|
|
