RogerLacroix |
Posted: Thu Sep 13, 2007 2:11 pm Post subject: WMQ v6 and Windows local install problems |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
All,
Well, today's been a bad MQ day. It started off with such promise then went straight into the gutter.
Help... Please help.
This morning I decided to upgrade MQ on a PC at a client site from WMQ v5.3 CSD13 to WMQ v6. Since I had 3 queue managers that I wanted to keep, I thought the simplest and easiest thing to do is to uninstall WMQ v5.3 then install WMQ v6. Of course, since I have installed WMQ v6 at least 20 times, it never even occurred to me to take a backup first (and of course, Murphy bit me right in the @ss).
So I did the following:
- Uninstalling WMQ v5.3
- rebooted
- Installed WMQ v6 and selected local account (not domain)
- reboot
- Started MQ Explorer
- Created a test queue manager and as it is trying to define a listener, I get 2035 (not authorized).
- I checked via runmqsc and sure enough 2035.
- Stopped and deleted the test queue manager.
- I stop the MQ Services
- I check that my account is in the mqm group and it is (it is in the Admin group too).
- I start 'Prepare WebSphere MQ Wizard' and it complains about MQ not having authority to 'query information about your user account'. It wants a domain account for MQ. I go 'say what'.
Figuring I messed something up in the install, I decide to uninstall everything and start again. I did and it makes absolutely no difference.
The event viewer has a bunch of the following messages:
Quote: |
Access was denied when attempting to retrieve group membership information for user 'rlacroix@usersdomainname'.
WebSphere MQ, running with the authority of user 'musr_mqadmin@localworkpc', was unable to retrieve group membership information for the specified user.
Ensure Active Directory access permissions allow user 'musr_mqadmin@localworkpc' to read group memberships for user 'rlacroix@usersdomainname'. To retrieve group membership information for a domain user, MQ must run with the authority of a domain user. |
So, I figured I must have an old setting that is conflicting with WMQ v6. So, uninstall WMQ v6, delete everything under {WMQ_Install_Dir}, go delete the 'mqm' group and 'MUSR_MQADMIN' service account. I even made sure the registry was clean.
Next I shut the PC off, unplug the network cable, started it up again and logged in as 'Administrator'.
I did the following:
- Installed WMQ v6 and selected local account (not domain)
- reboot
- Started MQ Explorer
- Created a test queue manager and it worked perfectly
- Stopped and deleted the test queue manager
Turned off the PC, plugged in the network cable, started it and logged in with my domain account. I immediately added my domain account to the local mqm group.
I did the following:
- Started MQ Explorer
- Created a test queue manager and as it is trying to define a listener, I get 2035 (not authorized).
Ahhhhhhhhhhhhh and screamed at the moon.
Logged off as domain user and logged in as 'Administrator' and everything works.
I even applied v6.0.2.2 (logged in as Administrator) and I still get the problem when I log in with my domain account.
Interesting item:
- Under local 'Administrator' account if I start 'Prepare WebSphere MQ Wizard' it says local setup (No network)
- Under my domain UserId account if I start 'Prepare WebSphere MQ Wizard' and it complains about MQ not having authority to 'query information about your user account'. It wants a domain account for MQ.
Why is MQ insisting on checking my domain UserId against the domain when I installed / configured MQ as a local setup. It never did this under WMQ v5.3.
How can I force it to only look locally? (My domain account is in the local mqm group.)
I've wasted a whole day on this when it should have been 30 minutes. And now I don't even have a working MQ environment on my PC (under domain UserId that is).
Help! Anyone please.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
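A triage sketch for the event-log text quoted in the post above, added here as an example (it is not from the thread or from IBM). It extracts the service identity and the looked-up user and compares their realms with the computer name; the `name@realm` format, the helper names and the verdict strings are assumptions made for illustration.

```python
import re

# Constructed sample: the event text quoted in the first post, joined into one string.
EVENT_TEXT = (
    "Access was denied when attempting to retrieve group membership information "
    "for user 'rlacroix@usersdomainname'. WebSphere MQ, running with the authority "
    "of user 'musr_mqadmin@localworkpc', was unable to retrieve group membership "
    "information for the specified user."
)

# Assumption: identities always appear as 'name@realm' inside single quotes.
TARGET_RE = re.compile(r"membership information\s+for user '([^'@]+)@([^']+)'")
SERVICE_RE = re.compile(r"with the authority\s+of user '([^'@]+)@([^']+)'")


def parse_event(text):
    """Return (target_user, target_realm, service_user, service_realm) or None."""
    target = TARGET_RE.search(text)
    service = SERVICE_RE.search(text)
    if not (target and service):
        return None
    return target.groups() + service.groups()


def triage(text, computer_name):
    """Classify the failure by comparing each realm with the local computer name.

    Assumption: a realm equal to the computer name means a local account;
    any other realm is treated as a domain.
    """
    parsed = parse_event(text)
    if parsed is None:
        return {"verdict": "unparsed"}
    target_user, target_realm, service_user, service_realm = (p.lower() for p in parsed)
    host = computer_name.lower()
    if service_realm == host and target_realm != host:
        # The case the event text itself describes: a local service account
        # cannot read group memberships of a domain user.
        verdict = "local service account, domain user"
    elif service_realm != host and target_realm != host:
        # Domain service account that lacks read permission in the directory.
        verdict = "domain service account denied"
    else:
        verdict = "local lookup failed"
    return {"verdict": verdict, "service": f"{service_user}@{service_realm}",
            "target": f"{target_user}@{target_realm}"}


if __name__ == "__main__":
    print(triage(EVENT_TEXT, "LOCALWORKPC"))
```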
|
jefflowrey |
Posted: Thu Sep 13, 2007 2:14 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Is the local machine a member of the domain? _________________ I am *not* the model of the modern major general. |
|
RogerLacroix |
Posted: Thu Sep 13, 2007 2:21 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
jefflowrey wrote: |
Is the local machine a member of the domain? |
Are you referring to these settings?
Code: |
USERDNSDOMAIN=companydomain.net
USERDOMAIN=companydomain |
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
jefflowrey |
Posted: Thu Sep 13, 2007 4:26 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Um. I guess I mean "Is the machine configured to belong to the domain".
I guess it has to be because you can add domain users to the local groups.
Or did you have to manually authenticate against the domain when you were adding the domain user to the local group?
It may be that the domain administrators have configured the ActiveDirectory such that users not defined in the domain do not have permissions to query the domain for users&groups.
If there's a change in behavior between v5.3 and v6 in this matter - it may be a result of a change in the Windows API, rather than anything else. That is, that v6 calls a newer function in the Windows API than v5.3, because Microsoft deprecated the older call.
I'd re-run the Prepare WebSphere MQ Wizard and double-check that you answered "no" to the question about domain controllers. You don't need to uninstall or reinstall. But you probably need to reboot... _________________ I am *not* the model of the modern major general. |
|
PeterPotkay |
Posted: Thu Sep 13, 2007 5:25 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Roger,
For future reference on Windows don't uninstall 5.3. The upgrade from 5.3 to 6.0 feature works great. I've done about 30 of them.
Back to your problem. I'm only 98% confident in this answer, so take it for what it's worth. I don't think it's 6.0 related. I bet that MQ install was set up to use a domain id when it was 5.3. If you are in Active Directory, MQ is gonna wanna check any domain ID against the domain for who knows exactly what I don't know. I have not been able to find a way for it not to. The only time it doesn't as you have found out is when you use a local ID. You would get the same problems for incoming client connections. If the channel had a hard coded Local ID for the MCAUSER you would be fine, otherwise all the client apps would get 2035s for their domain IDs.
Look at my post here. Perhaps this group already exists at this client site and you just need to find out what MQ ID is in there for you to use, because maybe it was using this before you came along and upgraded it, wiping it clean.
http://www.mqseries.net/phpBB2/viewtopic.php?t=23108&highlight=domain _________________ Peter Potkay
Keep Calm and MQ On |
|
PeterPotkay |
Posted: Thu Sep 13, 2007 5:26 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
And be happy this isn't a production server!!!!
 _________________ Peter Potkay
Keep Calm and MQ On |
|
RogerLacroix |
Posted: Fri Sep 14, 2007 8:38 am Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
jefflowrey wrote: |
I guess I mean "Is the machine configured to belong to the domain". |
Yes
jefflowrey wrote: |
Or did you have to manually authenticate against the domain when you were adding the domain user to the local group? |
No.
jefflowrey wrote: |
I'd re-run the Prepare WebSphere MQ Wizard and double-check that you answered "no" to the question about domain controllers. You don't need to uninstall or reinstall. But you probably need to reboot... |
I reboot and log in as local 'Administrator' and run the Prepare WebSphere MQ Wizard, it shows that it is set to 'No'.
If I reboot and log in with my domain account then run the Prepare WebSphere MQ Wizard, it displays an error about not able to get UserId info (including Event viewer entry) and then I click the Next button it wants domain UserId and password. Absolutely no ability to select 'No'.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
RogerLacroix |
Posted: Fri Sep 14, 2007 8:44 am Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
PeterPotkay wrote: |
I bet that MQ install was set up to use a domain id when it was 5.3. |
Nope. I installed WMQ v5.3 about 14 months ago using the local 'Administrator' account.
PeterPotkay wrote: |
If you are in Active Directory, MQ is gonna wanna check any domain ID against the domain for who knows exactly what I dont know. |
Only if you select 'Yes' in the Prepare WebSphere MQ Wizard.
No. 14 months ago I was given a brand new Dell PC, hence, it was a virgin. And no, the UserId 'musr_mqadmin@localworkpc' does not exist in the domain controller.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
fjb_saper |
Posted: Fri Sep 14, 2007 11:34 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
RogerLacroix wrote: |
I reboot and log in as local 'Administrator' and run the Prepare WebSphere MQ Wizard, it shows that it is set to 'No'.
If I reboot and log in with my domain account then run the Prepare WebSphere MQ Wizard, it displays an error about not able to get UserId info (including Event viewer entry) and then I click the Next button it wants domain UserId and password. Absolutely no ability to select 'No'.
Regards,
Roger Lacroix
Capitalware Inc. |
Roger,
Is your domain account member of the local administrator group and member of the local mqm group? Does it have rights to change the local machine's registry?
Remember as well Windows needs you to do some specific settings so that the MQ service user is allowed to "batch" query either the domain's or the local machine's user admin system for group membership... and the group membership on windows cannot be recurrent for MQ => only users can be entered as members in the mqm group. MQ won't recognize group members if the group has been made a member of the mqm group...
But I'm sure you already knew all that...
 _________________ MQ & Broker admin |
|
RogerLacroix |
Posted: Fri Sep 14, 2007 11:44 am Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
fjb_saper wrote: |
Is your domain account member of the local administrator group and member of the local mqm group? Does it have rights to change the local machine's registry? |
Yes. Yes. Yes.
fjb_saper wrote: |
Remember as well Windows needs you to do some specific settings so that the MQ service user is allowed to "batch" query either the domain's or the local machine's user admin system for group membership... and the group membership on windows cannot be recurrent for MQ => only users can be entered as members in the mqm group. MQ won't recognize group members if the group has been made a member of the mqm group... |
No. There are no groups with groups.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
fjb_saper |
Posted: Fri Sep 14, 2007 11:50 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Remember as well Windows needs you to do some specific settings so that the MQ service user is allowed to "batch" query either the domain's or the local machine's user admin system for group membership...
Did you go through this step? For your domain account on the local machine? _________________ MQ & Broker admin |
|
RogerLacroix |
Posted: Fri Sep 14, 2007 12:02 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
fjb_saper wrote: |
Remember as well Windows needs you to do some specific settings so that the MQ service user is allowed to "batch" query either the domain's or the local machine's user admin system for group membership...
Did you go through this step? For your domain account on the local machine? |
I've never heard about special settings to allow a local service account to lookup local group / UserId settings.
Do you have a link?
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
fjb_saper |
Posted: Fri Sep 14, 2007 7:52 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
RogerLacroix wrote: |
fjb_saper wrote: |
Remember as well Windows needs you to do some specific settings so that the MQ service user is allowed to "batch" query either the domain's or the local machine's user admin system for group membership...
Did you go through this step? For your domain account on the local machine? |
I've never heard about special settings to allow a local service account to lookup local group / UserId settings.
Do you have a link?
Regards,
Roger Lacroix
Capitalware Inc. |
Can't remember. I believe it's been talked about before (over a year ago) ... It's one of those windows security things....
To be able to verify credentials the account trying to do the verification needs some special access that needs to be granted. The lack of this access is what your error message was pointing to.
Sorry no link, but I'm sure that a search on M$ security will point you in the right direction...  _________________ MQ & Broker admin |
|
jefflowrey |
Posted: Sat Sep 15, 2007 3:58 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
|
PeterPotkay |
Posted: Mon Sep 17, 2007 8:26 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Roger, Any luck? _________________ Peter Potkay
Keep Calm and MQ On |
|