WannaBeInAParker (Voyager; joined 09 Dec 2003; 81 posts)
Posted: Wed Dec 15, 2004 7:17 am    Post subject: amqoamd on Windows issue (User no longer exists)
Running MQSeries 5.3 CSD07 on Windows 2000 Server.
We have an environment where there are a number of different users that define/delete MQSeries objects. Due to different reasons, some of the users that defined objects on some queue managers no longer exist and their IDs have been deleted.
When we run the amqoamd command to save off the authorities for a queue manager, we are getting the following error whenever an object was defined by a user that no longer exists:

    User name: FAIL : unresolved account
    Authorities: altusr connect inq set setall setid chg crt dlt dsp (0x009f07ff)
    SID: S-1-5-21-1177238915-1767777339-725345543-43546

Has anyone run into this? Is the only workaround to delete and recreate the object as a current user?
Any help is appreciated.
-WannaBe-
vennela (Jedi Knight; joined 11 Aug 2002; 4055 posts; Hyderabad, India)
Posted: Wed Dec 15, 2004 7:39 am    Post subject:
On UNIX platforms:
One can create MQ objects if one is in the mqm group. The user who created the MQ object is not stored anywhere. BUT, if authorizations on the MQ object are set using setmqaut, then that is when you get such errors.
I think that this is valid for Windows platforms also.
WannaBeInAParker (Voyager; joined 09 Dec 2003; 81 posts)
Posted: Wed Dec 15, 2004 7:47 am    Post subject:
We have not set authority for the user that created the object and is now missing, so my guess is that it works differently in UNIX.
We do not hit this issue in UNIX land because we run the queue manager/runmqsc/setmqaut, etc. as mqm. We are able to do this using sudo or pbrun, which keeps an audit of all actions performed. In Windows there isn't anything comparable to sudo or pbrun.
My organization does not allow the use of shared IDs without an audit trail of who did what.
-WannaBe-
Michael Dag (Jedi Knight; joined 13 Jun 2002; 2607 posts; The Netherlands (Amsterdam))
Posted: Wed Dec 15, 2004 1:50 pm    Post subject:
WannaBeInAParker wrote:
    My organization does not allow the use of shared IDs without an audit trail of who did what.

uhm... so how does your organisation deal with the lack of that in MQ?
Michael (MQSystems Facebook page)
WannaBeInAParker (Voyager; joined 09 Dec 2003; 81 posts)
Posted: Wed Dec 15, 2004 1:56 pm    Post subject:
The Security group does not allow IDs to be shared if there is no audit trail of what OS-level commands were run. Obviously, they have no idea what was entered within runmqsc. They just need to know who ran the runmqsc. Let's just say their procedures are not MQSeries-aware. I obviously will not shed light on this fact.
-WannaBe-
Michael Dag (Jedi Knight; joined 13 Jun 2002; 2607 posts; The Netherlands (Amsterdam))
Posted: Wed Dec 15, 2004 3:00 pm    Post subject:
fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20756 posts; LI, NY)
Posted: Wed Dec 15, 2004 3:50 pm    Post subject:
You did not specify whether a dmpmqaut command for the qmgr would show the bad user and as such allow you to delete the corresponding auth.
As a general reminder, it is bad policy to authorize a specific user. You should, if possible, set the authorizations at the group level, then add the user to the relevant group.
Hint: in UNIX you don't have a choice. If you set the auth. at user level, MQ sets the auth. for the primary group of the user.
Enjoy
WannaBeInAParker (Voyager; joined 09 Dec 2003; 81 posts)
Posted: Thu Dec 16, 2004 2:47 am    Post subject:
fjb_saper,
Thanks, no authorizations were set on the user and/or group. (If we did, we never set authority on a principal, always a group.) The user was simply the user that defined the queue. For example, as shown below, this queue grants the principal what appears to be +all on the queue. The user smithje1admin was the user that defined the queue.

    - - - - - - - -
    profile: RKS.IMSRKSREQUEST.GIC
    object type: queue
    entity: smithje1admin@CORP
    entity type: principal
    authority: allmqi dlt chg dsp clr
    - - - - - - - -
    profile: RKS.IMSRKSREQUEST.GIC
    object type: queue
    entity: mqm@INAW2168
    entity type: group
    authority: allmqi dlt chg dsp clr
    - - - - - - - -

If anyone has access to a Windows queue manager, simply define a queue and do not set authority, then dmpmqaut the authorities. You should see that your ID as well as the group you belong to are granted +all authority. If anyone sees differently, let me know; it could be environmental.
-WannaBe-
fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20756 posts; LI, NY)
Posted: Thu Dec 16, 2004 3:15 pm    Post subject:
Well, now you should be able to remove all the relevant authorities for this user and get on with the task that started the thread.
And by remove I mean so that he/she doesn't show up in dmpmqaut anymore.
(setmqaut ..... -remove)
Enjoy
WannaBeInAParker (Voyager; joined 09 Dec 2003; 81 posts)
Posted: Fri Dec 17, 2004 4:14 am    Post subject:
What user name should I remove? The account does not exist any longer; see my original post, where the user name is shown as unresolved.
-WannaBe-
fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20756 posts; LI, NY)
Posted: Fri Dec 17, 2004 2:35 pm    Post subject:
Well, if the user name no longer exists but still has permissions as shown in dmpmqaut, you need to remove the permissions (setmqaut .... -remove), not the user from Windows, which, as you so rightly stated, does not exist anymore...
Hope this clears it up
WannaBeInAParker (Voyager; joined 09 Dec 2003; 81 posts)
Posted: Fri Dec 17, 2004 3:44 pm    Post subject:
fjb_saper,
Please provide the setmqaut command that I would use.

    setmqaut -m APLS10W1 -n <QUEUE> -t q -p <UNKNOWN_USER> -all

Please note that the command above requires a user or group. There is no user, and the group is mqm, which should never be removed.
BTW, the only solution we have come up with is to delete and recreate the object. Obviously not a good solution.
-WannaBe-
fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20756 posts; LI, NY)
Posted: Sat Dec 18, 2004 8:48 am    Post subject:
Admin manual p. 326 (RTFM)

    setmqaut -m <qmgr> -n <profile> -t <object type> -remove -p <principal>
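An added example, not code from the thread, from IBM, or from any poster: a small Python script that parses dmpmqaut output in the record format WannaBeInAParker posted above and generates the `setmqaut ... -remove` commands fjb_saper refers to, one per principal-level profile that belongs to an account you have already identified as orphaned (for instance from the "unresolved account" lines and SIDs that amqoamd reports). Group entries such as mqm are never selected, so the group-level authorities the thread warns about are left alone. The queue manager name APLS10W1 and the two queue records are taken from the thread; the extra qmgr-level record and the orphaned-principal set are constructed for illustration. Passing dmpmqaut's object type string straight to `-t`, and omitting `-n` for the qmgr profile, are assumptions to check against your MQ level and its Administration Guide.

```python
"""Generate setmqaut -remove commands for profiles held by orphaned principals.

Added example for this thread, not code from IBM or from any poster.
Assumes the dmpmqaut record format shown in the thread: "key: value" lines,
records separated by a line of dashes.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample (not a real dump): the two records posted in the thread
# plus an assumed queue-manager-level record for the same orphaned account.
SAMPLE_DUMP = """\
- - - - - - - -
profile: RKS.IMSRKSREQUEST.GIC
object type: queue
entity: smithje1admin@CORP
entity type: principal
authority: allmqi dlt chg dsp clr
- - - - - - - -
profile: RKS.IMSRKSREQUEST.GIC
object type: queue
entity: mqm@INAW2168
entity type: group
authority: allmqi dlt chg dsp clr
- - - - - - - -
profile: APLS10W1
object type: qmgr
entity: smithje1admin@CORP
entity type: principal
authority: altusr connect inq set setall setid chg crt dlt dsp
- - - - - - - -
"""

# A record separator is a line made only of dashes and whitespace.
_SEPARATOR = re.compile(r"^\s*(?:-\s*)+$")


def parse_dmpmqaut(text: str) -> List[Dict[str, str]]:
    """Split dmpmqaut output into records, one dict per profile/entity pair."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or _SEPARATOR.match(line):
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unexpected dmpmqaut line: {line!r}")
        current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def _quote(name: str) -> str:
    """cmd.exe quoting: only names containing whitespace need double quotes."""
    return f'"{name}"' if any(ch.isspace() for ch in name) else name


def remove_commands(qmgr: str, records: Iterable[Dict[str, str]],
                    orphaned: Iterable[str]) -> List[str]:
    """Return one setmqaut -remove command per principal-level profile that
    belongs to an account listed in `orphaned`. Group entries (e.g. mqm) are
    never selected, whatever `orphaned` contains."""
    orphaned = set(orphaned)
    commands: List[str] = []
    for rec in records:
        if rec.get("entity type") != "principal":
            continue
        entity = rec.get("entity", "")
        if entity not in orphaned:
            continue
        obj_type = rec["object type"]
        parts = ["setmqaut", "-m", qmgr]
        if obj_type != "qmgr":  # assumption: the qmgr profile takes no -n
            parts += ["-n", rec["profile"]]
        # assumption: dmpmqaut's object type string is accepted as-is by -t
        parts += ["-t", obj_type, "-p", _quote(entity), "-remove"]
        commands.append(" ".join(parts))
    return commands


if __name__ == "__main__":
    # Dry run: print the commands for review instead of executing them.
    for cmd in remove_commands("APLS10W1", parse_dmpmqaut(SAMPLE_DUMP),
                               {"smithje1admin@CORP"}):
        print(cmd)
```

Feed it the real dump (`dmpmqaut -m APLS10W1`, redirected to a file) and the set of account names you have confirmed are gone, then review the printed commands before running any of them: `-remove` deletes the whole profile entry for that entity on that object, not just the authorities listed, which is exactly what is wanted for an account that no longer exists and exactly what is not wanted for a live one.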
jefflowrey (Grand Poobah; joined 16 Oct 2002; 19981 posts)
Posted: Sat Dec 18, 2004 10:15 am    Post subject:
fjb_saper wrote:
    Admin manual p. 326 (RTFM)
    setmqaut -m <qmgr> -n <profile> -t <object type> -remove -p <principal>

And what should he put in for the principal? He doesn't know the user name.
I am *not* the model of the modern major general.
fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20756 posts; LI, NY)
Posted: Sun Dec 19, 2004 9:37 am    Post subject:
My understanding is that dmpmqaut did show the offending principal.