| Author |
Message
|
| AlainB |
 Posted: Wed Nov 26, 2003 4:36 am Post subject: Authorization problems |
 |
|
Voyager
Joined: 31 Oct 2002
Posts: 79
Location: Belgium
|
Hi all,
I've got a strange behaviour with an MQ 5.2 CSD5 install on a Sun Solaris. Using a user called ifsasys, I try to put a message in the DLQ thru amqsput ... and I have a 2059 error !
Here is the snapshot of what I'm doing ... if you have an explanation about that, feel free to share it !
ifsasys # sduaj @ /BBL/DEV-API/IFSA210/log > id
uid=7592(ifsasys) gid=2632(ifsasys)
ifsasys # sduaj @ /BBL/DEV-API/IFSA210/log > su -c mqm "/opt/mqm/bin/dspmqaut -t qmgr -p ifsasys"
Password:
loading MQSeries Environment ...
Entity ifsasys has the following authorizations for object BBDAJ:
inq
set
connect
altusr
setid
setall
ifsasys # sduaj @ /BBL/DEV-API/IFSA210/log > su - mqm -c "/opt/mqm/bin/dspmq"
Password:
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
loading MQSeries Environment ...
QMNAME(BBDAJ) STATUS(Running)
ifsasys # sduaj @ /BBL/DEV-API/IFSA210/log > /opt/mqm/samp/bin/amqsput SYSTEM.DEAD.LETTER.QUEUE
Sample AMQSPUT0 start
MQCONN ended with reason code 2059
Strange, isn'it ? The refresh security has been performed and the queue manager is the default queue manager ...
_________________
Alain Buret
Visit http://www.fosdem.org |
|
| Back to top |
|
 |
| clindsey |
| Posted: Wed Nov 26, 2003 5:32 am Post subject: |
|
|
Knight
Joined: 12 Jul 2002
Posts: 586
Location: Dallas, Tx
|
2059 is an indicator that the queue manager is not running. The results are as if BBDAJ is not the default queue manager. Try passing the name to be sure....
/opt/mqm/samp/bin/amqsput SYSTEM.DEAD.LETTER.QUEUE BBDAJ
Charlie
Last edited by clindsey on Wed Nov 26, 2003 8:35 am; edited 1 time in total |
|
| Back to top |
|
|
| AlainB |
| Posted: Wed Nov 26, 2003 5:37 am Post subject: |
|
|
Voyager
Joined: 31 Oct 2002
Posts: 79
Location: Belgium
|
Hi Charlie,
This has been tried too, but the problem remains :
ifsasys # sduaj @ /BBL/DEV-API/IFSA210/log > /opt/mqm/samp/bin/amqsput SYSTEM.DEAD.LETTER.QUEUE BBDAJ
Sample AMQSPUT0 start
MQCONN ended with reason code 2059
ifsasys # sduaj @ /BBL/DEV-API/IFSA210/log > su - mqm -c "cat /var/mqm/mqs.ini"
Password:
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
loading MQSeries Environment ...
#********************************************************************#
#* *#
#* Statement: Licensed Materials - Property of IBM *#
#* *#
#* 04L1773, 5765-B73 *#
#* 04L1802, 5639-B42 *#
#* 04L1788, 5765-B74 *#
#* 04L1830, 5639-B43 *#
#* (C) Copyright IBM Corp. 1994, 1998 *#
#* *#
#*********************************************************************#
#***********************************************************************#
#* Module Name: mqs.ini *#
#* Type : MQSeries Machine-wide Configuration File *#
#* Function : Define MQSeries resources for an entire machine *#
#* *#
#***********************************************************************#
#* Notes : *#
#* 1) This is the installation time default configuration *#
#* *#
#***********************************************************************#
AllQueueManagers:
#********************************************************************#
#* The path to the qmgrs directory, below which queue manager data *#
#* is stored *#
#********************************************************************#
DefaultPrefix=/var/mqm
ClientExitPath:
ExitsDefaultPath=/var/mqm/exits
LogDefaults:
LogPrimaryFiles=5
LogSecondaryFiles=5
LogFilePages=16384
LogType=CIRCULAR
LogBufferPages=32
LogDefaultPath=/var/mqm/log
QueueManager:
Name=BBDAJ
Prefix=/var/mqm
Directory=BBDAJ
DefaultQueueManager:
Name=BBDAJ
_________________
Alain Buret
Visit http://www.fosdem.org |
|
| Back to top |
|
|
| mqonnet |
| Posted: Wed Nov 26, 2003 5:59 am Post subject: |
|
|
Grand Master
Joined: 18 Feb 2002
Posts: 1114
Location: Boston, Ma, Usa.
|
This sure is strange. Some pointers
1) did you by any chance try and recycle the qm. if so what was the result
2) everything looks good so there must be some subtle difference or change that is not known. Has this qm been always the default qm or did you add the stanza to the ini file. If you added it, then you have to recycle your qm for the change to take effect
3) i would test the exact same scenario on a different qm with the same userid on the same system. If that works, then that would term a problem here. But if that too fails with this userid, then you have to figure out whats wrong with this userid. Is this userid part of any domain. Are there any domain controllers. If so, then you have to add the doman names, i believe to your authorizations.
Cheers
Kumar |
|
| Back to top |
|
|
| mqonnet |
| Posted: Wed Nov 26, 2003 6:01 am Post subject: |
|
|
Grand Master
Joined: 18 Feb 2002
Posts: 1114
Location: Boston, Ma, Usa.
|
Also Charlie, i think you mentioned this by mistake.
"/opt/mqm/samp/bin/amqsput BBDAJ SYSTEM.DEAD.LETTER.QUEUE"
Should be
"/opt/mqm/samp/bin/amqsput SYSTEM.DEAD.LETTER.QUEUE BBDAJ", instead.
Cheers
Kumar |
|
| Back to top |
|
|
| clindsey |
| Posted: Wed Nov 26, 2003 8:39 am Post subject: |
|
|
Knight
Joined: 12 Jul 2002
Posts: 586
Location: Dallas, Tx
|
Thanks Kumar. If you keyed it in the way I indicated, you would get a 2058. I corrected the post.
Charlie |
|
| Back to top |
|
|
| AlainB |
| Posted: Wed Nov 26, 2003 10:15 pm Post subject: |
|
|
Voyager
Joined: 31 Oct 2002
Posts: 79
Location: Belgium
|
Hi all,
| Quote: |
This sure is strange. Some pointers
1) did you by any chance try and recycle the qm. if so what was the result |
Yes, I've done it ...
| Quote: |
| 2) everything looks good so there must be some subtle difference or change that is not known. Has this qm been always the default qm or did you add the stanza to the ini file. If you added it, then you have to recycle your qm for the change to take effect |
This queue manager has always been the default queue manager and is the only one running on that host.
| Quote: |
| 3) i would test the exact same scenario on a different qm with the same userid on the same system. If that works, then that would term a problem here. But if that too fails with this userid, then you have to figure out whats wrong with this userid. Is this userid part of any domain. Are there any domain controllers. If so, then you have to add the doman names, i believe to your authorizations. |
Let's gonna try this ...
Thanks for help
_________________
Alain Buret
Visit http://www.fosdem.org |
|
| Back to top |
|
|
| AlainB |
| Posted: Thu Nov 27, 2003 6:14 am Post subject: |
|
|
Voyager
Joined: 31 Oct 2002
Posts: 79
Location: Belgium
|
Well, that's really strange.
I've compared the ifsasys and ifsa rights with another host where the same applications and configurations are made, and there this is working fine.
I've extracted the mqaut from one and applied it to the other where the problem is, refreshed the security, and even restarted the queue manager, but the problem remains the same ...
Any idea ?
_________________
Alain Buret
Visit http://www.fosdem.org |
|
| Back to top |
|
|
| clindsey |
| Posted: Thu Nov 27, 2003 6:23 am Post subject: |
|
|
Knight
Joined: 12 Jul 2002
Posts: 586
Location: Dallas, Tx
|
Could be a problem with MQ getting the IPC resources it needs to create a shared memory connection... maybe low on some kernel parameters. See if you are logging any internal errors at the time of the failed connect. Go to /var/mqm/errors and look for AMQxxxx.0.FDC with timestamps near the time of your failure. If there is, then post the header portion of the FDC.
You might try a connection in socket mode as well. Start a listener for the qm if you do not have one. Run 'netstat -an | grep 1414'. You will get a LISTENING result if the listener is active on the default port. If not, run
'runmqlsr -t tcp &'. Then run
/opt/mqm/samp/bin/amqscnxc -x localhost
You will get a success message or another 2059. If this connects, the problem is confined to shared memory connects.
If you want to put messages on a queue in sockets mode. First 'export MQSERVER=SYSTEM.DEF.SVRCONN/TCP/localhost' and then run /opt/mqm/samp/bin/amqsputc (note the c on the end for client)
Charlie |
|
| Back to top |
|
|
| AlainB |
| Posted: Thu Nov 27, 2003 11:43 pm Post subject: |
|
|
Voyager
Joined: 31 Oct 2002
Posts: 79
Location: Belgium
|
Well guys,
This looks really really strange for a problem !!!
Charlie, I've tried your sugggestion, and no FDC files are present on the host. No error generated in logs ...
Here's the output of the various command that I've done :
| Quote: |
$ export MQSERVER=SYSTEM.DEF.SRVCONN/TCP/localhost
$ /opt/mqm/samp/bin/amqscnxc -x localhost
Sample AMQSCNXC start
Connecting to the default queue manager
using the server connection channel SYSTEM.DEF.SVRCONN
on connection name localhost.
Connection established to queue manager BBDAJ
Sample AMQSCNXC end
$ /opt/mqm/samp/bin/amqsputc SYSTEM.DEAD.LETTER.QUEUE
Sample AMQSPUT0 start
MQCONN ended with reason code 2059
$ id
uid=7592(ifsasys) gid=2632(ifsasys) |
As you can see, I can connect when using amqscnx, but not using the put program ...
Here is the interessant variable set in the /etc/system file ... the host is a Sun Ultra-Enterprise 10000 with 8 CPUs and 8 Gb of RAM
| Quote: |
set shmsys:shminfo_shmmax=4294967295
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=3360
set shmsys:shminfo_shmseg=2166
set semsys:seminfo_semaem=16384
set semsys:seminfo_semopm=200
set semsys:seminfo_semmap=1026
set semsys:seminfo_semmnu=2648
set semsys:seminfo_semmni=3148
set semsys:seminfo_semmns=34732
set semsys:seminfo_semmsl=762
set semsys:seminfo_semume=856
set semsys:seminfo_semvmx=32767
set msgsys:msginfo_msgmax=8192
set msgsys:msginfo_msgmnb=30720
set msgsys:msginfo_msgseg=5000
set msgsys:msginfo_msgssz=20
set msgsys:msginfo_msgmap=2252
set msgsys:msginfo_msgmni=50
set msgsys:msginfo_msgtql=200
set rlim_fd_cur=1024
|
_________________
Alain Buret
Visit http://www.fosdem.org |
|
| Back to top |
|
|
| clindsey |
| Posted: Fri Nov 28, 2003 7:16 am Post subject: |
|
|
Knight
Joined: 12 Jul 2002
Posts: 586
Location: Dallas, Tx
|
Alan, this is VERY strange. Essentially, an MQCONNX works but an MQCONN fails both in client and server bindings. I suppose it is time to get an MQ trace. I can give it a brief look but it may be time to open a PMR on this problem. I will email you about the trace.
Charlie |
|
| Back to top |
|
|
| AlainB |
| Posted: Sun Nov 30, 2003 11:38 pm Post subject: |
|
|
Voyager
Joined: 31 Oct 2002
Posts: 79
Location: Belgium
|
Hi all,
I've opened a PMR last week, but still no news.
Charlie: thanks for your info I already know how to take a trace  I've took one and sent to you this morning ...
_________________
Alain Buret
Visit http://www.fosdem.org |
|
| Back to top |
|
|
| AlainB |
| Posted: Fri Dec 05, 2003 2:20 am Post subject: SOLVED !!! |
|
|
Voyager
Joined: 31 Oct 2002
Posts: 79
Location: Belgium
|
Hurray ... problem solved
Really a stupid thing, but hard to find.
I've took a truss trace of the execution of the amqsput program under the usercode that was giving problem; in the output, we can see this :
| Quote: |
...
stat("/var/mqm/mqs.ini", 0xFFBEE2E0) = 0
semget(1372812, 2, 0666|IPC_CREAT) = 327689
semop(327689, 0xFFBEE8FC, 2) = 0
stat("/var/mqm/qmgrs/BBDAJ/@ipcc/shmem/SUBPOOL.000", 0xFFBED970) Err#13 EACCES
semop(327689, 0xFFBEE900, 1) = 0
shmdt(0xFEEE0000) = 0
sigaction(SIGFPE, 0xFFBEE708, 0xFFBEE818) = 0
sigaction(SIGSEGV, 0xFFBEE708, 0xFFBEE818) = 0
sigaction(SIGBUS, 0xFFBEE708, 0xFFBEE818) = 0
sigaction(SIGILL, 0xFFBEE708, 0xFFBEE818) = 0
stat("/var/mqm/mqs.ini", 0xFFBED670) = 0
...
|
Well well ... so the user can't access SUBPOOL.000, while on another host it can ... what's the difference between these 2 installations ?
On the one where the problem occurs, the qmgr and log directories are on dedicated filesystems !
And that's the cause of the problem : these mount point directories have 770 access for mqm user, while it should be 775 !
| Quote: |
ifsasys # sduaj @ /var/mqm/qmgrs > cd BBDAJ
ksh: BBDAJ: permission denied
ifsasys # sduaj @ /var/mqm/qmgrs > ls -l
total 4
drwxrwxr-x 8 mqm mqm 512 Nov 14 2002 @SYSTEM
lrwxrwxrwx 1 root other 25 Mar 10 2003 BBDAJ -> /BBL/FAR/MQM/Queues/BBDAJ
ifsasys # sduaj @ /var/mqm/qmgrs > ls -l /BBL/FAR/MQM/Queues
/BBL/FAR/MQM/Queues: Permission denied
total 0
ifsasys # sduaj @ /var/mqm/qmgrs > cd /BBL/FAR/MQM
ifsasys # sduaj @ /BBL/FAR/MQM > ls -l
total 0
drwxrwx--- 4 mqm mqm 96 Nov 13 2002 Logs
drwxrwx--- 4 mqm mqm 96 Nov 13 2002 Queues
ifsasys # sduaj @ /BBL/FAR/MQM > ^D
mqm # sduaj @ /var/mqm/trace > cd /BBL/FAR/MQM
mqm # sduaj @ /BBL/FAR/MQM > chmod o+rx Queues
mqm # sduaj @ /BBL/FAR/MQM > ls -l
total 0
drwxrwx--- 4 mqm mqm 96 Nov 13 2002 Logs
drwxrwxr-x 4 mqm mqm 96 Nov 13 2002 Queues
mqm # sduaj @ /BBL/FAR/MQM > id
uid=1210(mqm) gid=1210(mqm)
mqm # sduaj @ /BBL/FAR/MQM > su ifsasys
Password:
ifsasys # sduaj @ /BBL/FAR/MQM > ls -l
total 0
drwxrwx--- 4 mqm mqm 96 Nov 13 2002 Logs
drwxrwxr-x 4 mqm mqm 96 Nov 13 2002 Queues
ifsasys # sduaj @ /BBL/FAR/MQM > cd Queues
ifsasys # sduaj @ /BBL/FAR/MQM/Queues > /opt/mqm/samp/bin/amqsput SYSTEM.DEAD.LETTER.QUEUE
Sample AMQSPUT0 start
target queue is SYSTEM.DEAD.LETTER.QUEUE
Working ...
Sample AMQSPUT0 end
ifsasys # sduaj @ /BBL/FAR/MQM/Queues/BBDAJ/@ipcc/shmem > id
uid=7592(ifsasys) gid=2632(ifsasys)
|
So, this was really a stupid thing, but not easy to find ... Thanks to all for your help, and especially Charlie "clindsey"
_________________
Alain Buret
Visit http://www.fosdem.org |
|
| Back to top |
|
|
|
|
