| Author |
Message
|
| Scooter |
 Posted: Tue Aug 03, 2004 11:46 am Post subject: Use of alternateUserId to access a local queue |
 |
|
Apprentice
Joined: 01 May 2003
Posts: 35
Location: Dallas, Tx
|
Sorry to bring up an old issue but I have looked at the following two topics and have been unable to solve my problem.
http://www.mqseries.net/phpBB2/viewtopic.php?t=11247&highlight=alternateuserid
http://www.mqseries.net/phpBB2/viewtopic.php?t=13153&highlight=alternateuserid
I have MQ v5.3 with CSD05 running on Windows 2003 server. There is a local queue called "MQ.LOCAL.TEST". I have a program that is attempting to insert a message using VB.Net and the .Net components while passing alternateUserId. I keep getting the 2035 return code on the AccessQueue call. Here is the key lines of code from the program.
QMgr = New MQQueueManager("QM_mqt1")
OutputQueue = QMgr.AccessQueue("MQ.LOCAL.TEST", MQC.MQOO_OUTPUT + MQC.MQOO_FAIL_IF_QUIESCING + MQC.MQOO_SET_ALL_CONTEXT + MQC.MQOO_ALTERNATE_USER_AUTHORITY, String.Empty, String.Empty, "MQTestGrp")
"MQTestGrp" is a local group and has been give the following rights using "setmqaut".
dmpmqaut -m QM_mqt1 -g MQTestGrp
profile: MQ.LOCAL.TEST
object type: queue
entity: MQTestGrp@TOUCAN
entity type: group
authority: allmqi dlt chg dsp clr
- - - - - - - -
profile: SELF
object type: qmgr
entity: MQTestGrp@TOUCAN
entity type: group
authority: allmqi dlt chg dsp
- - - - - - - -
profile: @CLASS
object type: queue
entity: MQTestGrp@TOUCAN
entity type: group
authority: none
- - - - - - - -
profile: @CLASS
object type: qmgr
entity: MQTestGrp@TOUCAN
entity type: group
authority: none
The userid that the program is running under is a member of the "mqm" group and inserts message into the queue when I remove the alternateUserId option. The ID is not a group but an individual ID and is also a local user Id (neither ID used in this test is a domain account). The above code will also work if I change the alternateUserId field to pass the ID that is used to run the program.
It sounds like a issue with the rights that were given to the "MQTestGrp" local group, but not sure.
Any help or comments will be very welcome. |
|
| Back to top |
|
 |
| PeterPotkay |
| Posted: Tue Aug 03, 2004 2:19 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
| Quote: |
I have MQ v5.3 with CSD05
|
Get yourself to CSD06 or CSD07. There were still a lot of bugs with the .NET classes at CSD05. Dont forget to reregister the new amqmdnet.dll after the upgrade!
| Quote: |
profile: @CLASS
object type: queue
entity: MQTestGrp@TOUCAN
entity type: group
authority: none
- - - - - - - -
profile: @CLASS
object type: qmgr
entity: MQTestGrp@TOUCAN
entity type: group
authority: none
|
I am not to familiar with the dump mq aut commands. It shows none in the quote. Don't know if thats a problem. I am more familiar with dspmqaut. Can you post the output of the following?
| Code: |
dspmqaut -m YourQMname -t qmgr -g MQTestGrp
dspmqaut -m YourQMname -t q -n MQ.LOCAL.TEST -g MQTestGRP
|
Check this post out:
http://www.mqseries.net/phpBB2/viewtopic.php?t=16219&highlight=altusr
We never got an answer from the dude who posted the original question, but you might be getting a 2035 error on the MQOPEN call if you didn't set a QM authority properly for using Alternate Users, namely +altusr. Try that out if it is not already set (+allmqi would take care of it by the way).
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Tue Aug 03, 2004 2:23 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
| Code: |
OutputQueue = QMgr.AccessQueue("MQ.LOCAL.TEST", MQC.MQOO_OUTPUT + MQC.MQOO_FAIL_IF_QUIESCING + MQC.MQOO_SET_ALL_CONTEXT + MQC.MQOO_ALTERNATE_USER_AUTHORITY, String.Empty, String.Empty, "MQTestGrp")
|
Also, shouldn't you have the User ID (that is in the group) and not the group name (MQTestGrp) in this call?
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Aug 03, 2004 3:33 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Peter does VB.net hit the same problem on windows as on Unix systems:
i.e. you cannot use an alternate id if you connect in MQ bindings mode
| Quote: |
| MQ uses the systems authentication and as such knows who you are (through your logon) and does not allow any substitution (bindings mode connection) |
Thanks for any clarification
F.J. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Wed Aug 04, 2004 7:18 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
F.J., where did you find that quote? The APR and APG manuals have nothing like that in the sections that talk about Alternate User ID.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Wed Aug 04, 2004 8:06 am Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada
|
Hi,
I am pretty sure that you can use AlternateUserID in bingings mode. If I remember correctly, when the connection to the queue manager is made, your logged on UserID is checked for +altusr authority. If it has been set, then the application can use the AlternateUserID for the rest of the MQ interactions with the queue manager.
Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| Scooter |
| Posted: Wed Aug 04, 2004 1:32 pm Post subject: |
|
|
Apprentice
Joined: 01 May 2003
Posts: 35
Location: Dallas, Tx
|
Thanks for the reply guys. Sorry it took so long to responsed back.
Peter:
Here is the output from the "dspmqaut" command. Every thing looks to be in order with the QManager and Group.
dspmqaut -m <QManager> -t qmgr -g MQTestGrp
inq
set
connect
altusr
dlt
chg
dsp
setid
setall
dspmqaut -m <QManager> -t q -n MQ.LOCAL.TEST -g MQTestGrp
get
browse
put
inq
set
dlt
chg
dsp
passid
passall
setid
setall
clr
You where correct with your second reply, I should have been passing a member of the group not the group. Man, I can't believe I did that.
To clarify what I found to help others. Roger is correct in that the UserId running the program needs +altusr rights to the QManager to pass the alternateUserId to the queue for validations. Peter is correct in pointing out that I should have been sending a member of the group and not the group name itself. The alternateUserId doesn't need rights to the QManager only to the Queue itself.
Hope my mistake helps others. 
Thanks for the help guys |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed Aug 04, 2004 2:58 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Peter,
The limitation might only have been a java/JMS one.
I was looking at some way to change the userid
| Code: |
| qcf.createConnection(userid,passwd) |
and was getting rc 2035 every time the userid was different from the logged on user running the process (Windows) in bindings mode.
Now in client mode no problems.
Thanks
F.J. |
|
| Back to top |
|
|
|
|
