No security configured but user not authorized to runmqsc
User100
Posted: Mon Jan 10, 2011 2:05 am

Novice

Joined: 10 Jan 2011
Posts: 13
Location: Berlin, Germany

I have configured a personal user which is in the group mqm.
A queuemanager with default settings is created.

runmqsc qmgr works only with user mqm, but not with the other one who is in the group mqm...

Refresh security(*) and queuemanager restart was already done..

Here is some more info; I hope you still have some good advice left.

user@server:/export/home/user> runmqsc GPDS.QMGR
5724-H72 (C) Copyright IBM Corp. 1994, 2009. ALL RIGHTS RESERVED.
Starting MQSC for queue manager GPDS.QMGR.


AMQ8135: Not authorized.

No MQSC commands read.
No commands have a syntax error.
All valid MQSC commands were processed.

===========================================

user@server:/export/home/user> id user
uid=13112(user) gid=10(staff) groups=222(mqm),14400(mwbf),10(staff)

user@server:/export/home/user> id mqm
uid=221(mqm) gid=222(mqm) groups=42(trusted),222(mqm)

===========================================

user@server:/export/home/user> dspmqaut -m GPDS.QMGR -t qmgr -p user
Entity user has the following authorizations for object GPDS.QMGR:
inq
set
connect
altusr
crt
dlt
chg
dsp
setid
setall
system

Vitor
Posted: Mon Jan 10, 2011 5:29 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

I observe (though you've not said anything) you're using Unix. You can't authorize a user under Unix, only groups. I would theorize that as this user doesn't have a principal group of mqm he's picking up the authorities of the staff group.

You might want to do a dspmqaut against SYSTEM.ADMIN.COMMAND.QUEUE as well; all you've demonstrated with the example you've posted is that the user can connect to the queue manager, not that he can issue commands.

Failing that, enable security events & see what he's bouncing off.

You might also want to confirm what Unix (if it's Unix) you're using and what version of WMQ.
_________________
Honesty is the best policy.
Insanity is the best defence.

User100
Posted: Mon Jan 10, 2011 5:36 am

Oh I am sorry.

We are using SLES 10 and WMQ 7.0.1.3

I am not authorizing anything.. it is all default. And only on this server I can not open a runmqsc with a user that is in the mqm group. On other servers I can crtmqm, runmqsc and so on... with this user which is in the group mqm.

mqm itself can do this on all servers.

So maybe anybody has an idea where to turn a screw so that it works?!

Vitor
Posted: Mon Jan 10, 2011 5:47 am

User100 wrote:
So maybe anybody has an idea where to turn a screw so that it works?!


I stand by my previous comments surrounding group membership, and my advice on displays & events.

User100
Posted: Mon Jan 10, 2011 5:57 am

How can I check what the principal group of the user is?

Vitor
Posted: Mon Jan 10, 2011 5:59 am

User100 wrote:
How can I check what the principal group of the user is?


On SLES 10? I've no idea. Speak to your sys admin or wait for someone with more experience to post.

I'd be inclined to say it's the first group listed by the id command, but that's not coming from a position of any authority.

As a minimum, it might be interesting to compare the results of that command for that user on the box where it doesn't have mqm authority to the results on a box where it does.

User100
Posted: Mon Jan 10, 2011 6:03 am

Hmm.. no the order of the groups in the id listing can not be the problem..

On another server it works and looks like this

user@server2:/export/home/user> id user
uid=13112(user) gid=10(staff) groups=222(mqm),10(staff)

Vitor
Posted: Mon Jan 10, 2011 6:38 am

User100 wrote:
Hmm.. no the order of the groups in the id listing can not be the problem..

On another server it works and looks like this

user@server2:/export/home/user> id user
uid=13112(user) gid=10(staff) groups=222(mqm),10(staff)


Ok, not that then.

Time for a dspmqaut & some events then.

User100
Posted: Mon Jan 10, 2011 7:08 am

...
user@server:/var/mqm> dspmqaut -m GPDS.QMGR -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p user
Entity user has the following authorizations for object SYSTEM.ADMIN.COMMAND.QUEUE:
get
browse
put
inq
set
crt
dlt
chg
dsp
passid
passall
setid
setall
clr

So which other output would you like to see? Maybe it is an authorization problem on the OS layer?!

Vitor
Posted: Mon Jan 10, 2011 7:13 am

User100 wrote:
So which other output would you like to see?


The security event that goes with the "not authorised" error. See exactly why the queue manager is refusing it.

User100 wrote:
Maybe it is an authorization problem on the OS layer?!


It's unlikely. Unless you've got some weird LDAP look-up, user mapping thing going on.

User100
Posted: Mon Jan 10, 2011 7:24 am

There is nothing about this security event in the log files.

Not in the qmgr-log and not in the mq-log.

Where else should I look?

Vitor
Posted: Mon Jan 10, 2011 7:29 am

User100 wrote:
There is nothing about this security event in the log files.


They're not log messages, they're specific queue manager messages. See here for an overview & how to enable & interpret them. Note they're actually called authority events, not security events as I've been saying. Times & names change.

Don't forget to disable them again when you've resolved the problem.

bruce2359
Posted: Mon Jan 10, 2011 7:32 am

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

Enable qmgr auth events. Try again. Then look in SYSTEM.ADMIN.QMGR.EVENT queue for the violation.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

fjb_saper
Posted: Mon Jan 10, 2011 7:58 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

User100 wrote:
There is nothing about this security event in the log files.

Not in the qmgr-log and not in the mq-log.

Where else should I look?

Show us the permissions in the file system for runmqsc

which runmqsc should show where the executable or link is.
ls -l should show the permissions.

My personal guess here is that the owner and group sticky bits are not set.
_________________
MQ & Broker admin

User100
Posted: Mon Jan 10, 2011 10:57 pm

This is where it works...
user@server2:/opt/mqm/bin> ls -la | grep runmqsc
-r-sr-s--- 1 mqm mqm 17209 2010-08-12 15:32 runmqsc

and here not.. Sticky bits are not set, but there is a general permission to execute for user and group.. Could this be the problem?

user@server:/opt/mqm/bin> ls -la | grep runmqsc
-r-xr-x--- 1 mqm mqm 17209 2010-08-12 15:32 runmqsc

I will try to have a look at the auth events..
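
The comparison made in the last post, as an added example that is not part of the thread: a POSIX shell function (`audit_listing` is a name made up here) that reads `ls -l` lines and flags any file whose mode lacks the setuid/setgid bits seen on server2, or whose owner or group is not mqm. It assumes the two-field date layout of the listings quoted above.

```sh
#!/bin/sh
# Added example: audit `ls -l` lines for MQ control commands.
# Assumes the date layout shown in the thread (date and time = two fields).

# audit_listing [OWNER] [GROUP]   (reads `ls -l` lines on stdin)
# Prints one verdict per file; exit status = number of files that fail.
audit_listing() {
    al_owner=${1:-mqm}; al_group=${2:-mqm}; al_bad=0
    while read -r mode links owner group size date time name; do
        [ -n "$name" ] || continue          # skips "total N" and blank lines
        problems=
        # 4th character of the mode string: owner execute slot (s/S = setuid)
        case $mode in ???[sS]*) ;; *) problems="$problems no-setuid" ;; esac
        # 7th character: group execute slot (s/S = setgid)
        case $mode in ??????[sS]*) ;; *) problems="$problems no-setgid" ;; esac
        # Capital S means the special bit is set but execute permission is not
        case $mode in ???S*|??????S*) problems="$problems bit-without-execute" ;; esac
        [ "$owner" = "$al_owner" ] || problems="$problems owner=$owner"
        [ "$group" = "$al_group" ] || problems="$problems group=$group"
        if [ -n "$problems" ]; then
            echo "FAIL $name ($mode):$problems"
            al_bad=$((al_bad + 1))
        else
            echo "OK   $name ($mode)"
        fi
    done
    return "$al_bad"
}

# Constructed input: the two runmqsc lines quoted in the thread
# (server2 first, then the failing server).
audit_listing <<'EOF' || echo "$? listing(s) differ from the expected mode/owner"
-r-sr-s--- 1 mqm mqm 17209 2010-08-12 15:32 runmqsc
-r-xr-x--- 1 mqm mqm 17209 2010-08-12 15:32 runmqsc
EOF
```

On a live host the same check can be fed from `ls -l /opt/mqm/bin/runmqsc | audit_listing`, provided `ls` prints dates in the layout shown above.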