| Author |
Message
|
| vivica12 |
 Posted: Mon Apr 21, 2008 11:38 am Post subject: SETMQAUT and AMQ7026 |
 |
|
Acolyte
Joined: 13 Jul 2007
Posts: 58
|
Can anyone explain how the setmqaut determines if a group or user is valid on an AIX system?
I am receiving an:
AMQ7026: A principal or group name was invalid
On a group that used to work just fine for setting authority on objects.
On the AIX server, I can run an "lsgroup group" and get a valid response for the group.
But when I do a "setmqaut -m QMGR -t q -n QUEUE -g group +put"
I get AMQ7026: A principal or group name was invalid
I also can't run a dspmqaut to display permissions with this group that was already set successfully. (this is occurring with multiple groups)
What is a setmqaut doing that would hinder it from seeing a group that is valid on the system itself?
(yes I posted this before, but asked a different question, I'm hoping this question will get a response  )
_________________
Vivica - signing off |
|
| Back to top |
|
 |
| jeevan |
| Posted: Mon Apr 21, 2008 1:47 pm Post subject: Re: SETMQAUT and AMQ7026 |
|
|
Grand Master
Joined: 12 Nov 2005
Posts: 1432
|
| vivica12 wrote: |
Can anyone explain how the setmqaut determines if a group or user is valid on an AIX system?
I am receiving an:
AMQ7026: A principal or group name was invalid
On a group that used to work just fine for setting authority on objects.
On the AIX server, I can run an "lsgroup group" and get a valid response for the group.
But when I do a "setmqaut -m QMGR -t q -n QUEUE -g group +put"
I get AMQ7026: A principal or group name was invalid
I also can't run a dspmqaut to display permissions with this group that was already set successfully. (this is occurring with multiple groups)
What is a setmqaut doing that would hinder it from seeing a group that is valid on the system itself?
(yes I posted this before, but asked a different question, I'm hoping this question will get a response ) |
Make sure that username/groupname you use are local to the server you are running the setmqaut and are spelled correctly. If the use exist in the local systems, you should not get this error. |
|
| Back to top |
|
|
| sidharth_bora |
| Posted: Mon Apr 21, 2008 6:23 pm Post subject: |
|
|
Voyager
Joined: 24 Nov 2005
Posts: 87
|
| can u check the dmpmqaut dump and check that the group is appearing in the dump |
|
| Back to top |
|
|
| vivica12 |
| Posted: Tue Apr 22, 2008 4:52 am Post subject: |
|
|
Acolyte
Joined: 13 Jul 2007
Posts: 58
|
The backup of the OAM shows the groups all over the place on previous setmqaut commands -- which shows that it worked at one point.
The dmpmqaut shows the groups in the entity field for many objects that it was previously set for. (reminder the setmqaut is now failing for many groups, not just one. also the dspmqaut for any objects with these groups permission also shows invalid -- even though that same item shows up correctly in the dmpmqaut).
The groups are all recognized by the server when doing an 'lsgroup'.
(note that the groups are not technically local groups, they are being provided through an AD/Unix software. BUT the groups were all working, and the groups are all still valid on the server, just can't figure out what setmqaut is doing that it no longer recognizes the groups.)
_________________
Vivica - signing off |
|
| Back to top |
|
|
| vivica12 |
| Posted: Tue Apr 22, 2008 4:55 am Post subject: |
|
|
Acolyte
Joined: 13 Jul 2007
Posts: 58
|
another note of interest -- the setmqaut IS working for groups that are defined directly in the /etc/group file on the local AIX server.
I realize this is normal behaviour, but just stating that this piece does work, but other groups known to the server, that once worked (literally 2 weeks ago on the same server/same MQ version) no longer work.
_________________
Vivica - signing off |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Apr 22, 2008 5:03 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
Have you seen this:
http://www.mqseries.net/phpBB2/viewtopic.php?p=203196
Not directly applicable I agree, but possibly related.
I've no direct experience of this AD software, so can't comment authoritativly.[/url]
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Tue Apr 22, 2008 5:37 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9470
Location: US: west coast, almost. Otherwise, enroute.
|
| Quote: |
| But when I do a "setmqaut -m QMGR -t q -n QUEUE -g group +put" |
Did you enter this exact command? It refers to a group named 'group,' not lsgroup.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| vivica12 |
| Posted: Tue Apr 22, 2008 7:36 am Post subject: |
|
|
Acolyte
Joined: 13 Jul 2007
Posts: 58
|
lsgroup is an AIX command that allows you to see information about any group the server knows about. I am trying to show that the AIX server knows about the 'group'.
And yes the exact command -- here it is exactly as I am doing on the command line
$ setmqaut -m MYQMGR -t qmgr -g mygroup +connect
AMQ7026: A principal or group name was invalid.
Note that the vdxmis group is a group that does show up in the dumpmqaut, and in the OAM backup..but is no longer considered valid to MQ. Also an 'lsgroup mygroup' on the AIX command line shows the group ID, and users associated.
_________________
Vivica - signing off |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Tue Apr 22, 2008 9:56 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
echo 'reset security'|runmqsc MYQMGR
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Apr 22, 2008 2:45 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
And make sure that the user you are running this under has the right path etc set...
ex which lsgroup...
As often when using LDAP type software you need to make sure that the LDAP is hit before the "default Unix" gets hit on the path...
Enjoy 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| Nigelg |
| Posted: Tue Apr 22, 2008 9:47 pm Post subject: |
|
|
Grand Master
Joined: 02 Aug 2004
Posts: 1046
|
You don't say which level of WMQ you are using.
At 5.3 WMQ uses getgrent() etc to find the groups. In AIX, LDAP & AD software, like VAS from Vintela, is not supported by the the getgrent() interface. APAR IY69385 was raised to fix this, included in CSD11 and in v6 GA.
The APAR uses an alternative interface. At v6 this is automatically enabled. At 5.3, an env var has to be set to enable it.
Install the CSD, and set the env var before restarting the qmgr.
| Code: |
| export MQS_USERATTR_API=YES |
This will enable WQ to find the group names on the AD server.
_________________
MQSeries.net helps those who help themselves.. |
|
| Back to top |
|
|
| vivica12 |
| Posted: Wed Apr 23, 2008 5:52 am Post subject: |
|
|
Acolyte
Joined: 13 Jul 2007
Posts: 58
|
Current MQ version is 6.0.2.1 on AIX5.3TL6sp5.
reset security is not a command option in runmqsc. I have done a refresh security with no change.
This is VAS for Vintella, but with MQv6 this shouldn't be an issue with the getgrent(), and I shouldn't have to enable that env var below.
"which lsgroup" shows "/usr/sbin/lsgroup", which I assume is the proper command on the AIX server.
I have a PMR open with IBM as the VAS/MQ interaction worked until the AIX5.3TL6sp5 upgrade. My AIX team is also looking into this, but we're going on three weeks now without a solution.
Any other thoughts?
_________________
Vivica - signing off |
|
| Back to top |
|
|
| Nigelg |
| Posted: Wed Apr 23, 2008 11:59 am Post subject: |
|
|
Grand Master
Joined: 02 Aug 2004
Posts: 1046
|
| Quote: |
| I have a PMR open with IBM as the VAS/MQ interaction worked until the AIX5.3TL6sp5 upgrade |
This rather vital piece of information was omitted originally. It looks like the problem is with the AIX maintenance.
_________________
MQSeries.net helps those who help themselves.. |
|
| Back to top |
|
|
| vivica12 |
| Posted: Fri Apr 25, 2008 11:59 am Post subject: |
|
|
Acolyte
Joined: 13 Jul 2007
Posts: 58
|
It was left out because my original post didn't get a single response. So in this post I was really trying to learn what a setmqaut actually does, so as to try and figure out why it no longer works. So far IBM has not said it's an OS issue, so i'm basically just getting no where, but i know it doesn't work any longer.
_________________
Vivica - signing off |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Fri Apr 25, 2008 3:38 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
We have seen weird stuff going on with authorization depending on where on the PATH the corresponding LDAP libraries were placed...
You will probably need to check this as well for the mqm user as it is running the qmgr... and making the calls...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
