| Author |
Message
|
| blane99 |
 Posted: Mon Jun 25, 2007 1:54 pm Post subject: MQ OAM problem |
 |
|
Apprentice
Joined: 12 Jun 2002
Posts: 41
|
We have MQ 5.3 CSD06 on Solaris 2.8 - OAM is enabled and an application has been working for years until this morning on 2 different servers. History - We had created a unix group called mqpt and added one ID (joeb) as a member to this group. The setmqaut command was issued based on the group rather than the principal. When we enter the following command:
dspmqaut -m X -n TESTQ -t queue -g mqpt
All the proper authorizations display correctly.
When we enter :
dspmqaut -m X -n TESTQ -t queue -p joeb
Not a single authorization displays.
We ran an MQ trace and saw that there were zero authorizations for this ID. Other unix groups and its members (on the same qmgrs ) seem to work as expected but not this one ID joeb. Nothing has changed on the servers including NIS. Anyone ever run into a problem like this? |
|
| Back to top |
|
 |
| jefflowrey |
| Posted: Mon Jun 25, 2007 1:57 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
You didn't authorize joeb to anything... you only authorized the group that joeb is a member of...
Try dmpmqaut, also.
And please apply a newer CSD than 06. I don't care if it's been working, it's going to break at some point, or you're going to need features that are not available at that csd level. You're running a larger and larger risk of running into known, already solved, problems the longer you stay at such an old CSD.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| blane99 |
| Posted: Mon Jun 25, 2007 2:08 pm Post subject: |
|
|
Apprentice
Joined: 12 Jun 2002
Posts: 41
|
About upgrading - have been pushing for quite a while . This issue certainly gives me more leverage. Thanks. Question - I don't see anything so different re: output from dmpmqaut command.
profile: TESTQ
object type: queue
entity: mqpt
entity type: group
authority: get browse put inq set dlt chg dsp passid passall setid setall clr
Because joeb is a member of mqpt I should be able to see the same kind of output when using the dspmqaut * "-p joeb", at least that's the way all the other ID's work. Are you saying that this should not work? Anyway, I still have the problem. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Jun 25, 2007 2:21 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
As you changed authorizations on the OS level (adding the user to the group ...) did you issue a REFRESH SECURITY command ?? 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| blane99 |
| Posted: Mon Jun 25, 2007 2:24 pm Post subject: |
|
|
Apprentice
Joined: 12 Jun 2002
Posts: 41
|
| We did do a refresh (and recyceld the qmgr) , however, we just ran the command as a last resort because the ID was made a member of the group 2+ years ago and has not been updated since. |
|
| Back to top |
|
|
| mehedi |
| Posted: Mon Jun 25, 2007 11:08 pm Post subject: Unix - setmqaut and dspmqaut - only -g(group) not -p |
|
|
Centurion
Joined: 11 Nov 2001
Posts: 102
Location: PSTech
|
blane ,
On Unix
the setmqaut and dspmqaut commands work only with the -g (group) option , and not the -p(principal) option.
Mehedi |
|
| Back to top |
|
|
| Toronto_MQ |
| Posted: Wed Jun 27, 2007 10:49 am Post subject: Re: Unix - setmqaut and dspmqaut - only -g(group) not -p |
|
|
Master
Joined: 10 Jul 2002
Posts: 263
Location: read my name
|
| mehedi wrote: |
blane ,
On Unix
the setmqaut and dspmqaut commands work only with the -g (group) option , and not the -p(principal) option.
Mehedi |
That's not entirely true. The command does accept the -p flag on all UNIX systems, however effectively grants/displays authorities for that ID's primary group.
Blane99 - is mqpt the primary group for joeb? Can you display the output from 'id -a joeb'?
Steve |
|
| Back to top |
|
|
|
|
