db2talk - DB2 Linux, Unix and Windows Administration and Development

DB2 and Transparent LDAP in DB2 DPF – Misleading error SQL30082N

OCTOBER 13, 2014 BY PAVAN KRISTIPATI

In this blog post, I will quickly cover my recent experience in troubleshooting a DB2/LDAP authentication problem in a DB2 DPF database.

Problem:

In a DB2 (9.7 Fix Pack 7) DPF data-warehouse database, a connection attempt by Datastage to any node other than the coordinator node was failing. A connection attempt to the coordinator node succeeded. The same user id and password were being used in both attempts.

Background:

I was working on a proof of concept that would allow ETL (DataStage) jobs to connect directly to the data nodes, so that parallel loads (directly into each partition) into a data-warehouse database become possible. The user ID used by Datastage was a system-level id (non-LDAP). The user id was created on all the data nodes and on the coordinator node. The test ETL job was aborting with a familiar error message. All evidence indicated that this could be a password problem.

Approach to solution:

For the test ETL job, the user id and password were saved and supplied as parameters. That eliminated the chance of a different (incorrect) password being used to connect to the data nodes.

I tried to isolate the problem to a specific user id. However, I found that ETL jobs failed even when the instance owner's credentials were used. To remove Datastage from the equation, I did an explicit connection to DB2 as the instance owner from the command prompt on one of the data nodes. To my surprise, this failed!! To me, this indicated a bigger problem. However, an implicit connection was successful.

db2inst1@hostdata01:~> id
uid=608(db2inst1) gid=608(bcuigrp) groups=608(bcuigrp)

db2inst1@hostdata01:~> db2 connect to edwdv        <<<<----- Successful implicit connection.

   Database Connection Information

 Database server        = DB2/LINUXX8664 9.7.7
 SQL authorization ID   = DB2INST1
 Local database alias   = EDWDV

Here was the error message when an explicit connection attempt was made.

$ db2 connect to edwdv user db2inst1
Enter current password for db2inst1:
SQL30082N  Security processing failed with reason "24" ("USERNAME AND/OR PASSWORD INVALID").  SQLSTATE=08001
<<<<--------- This works just fine on the coordinator node.

Messages in db2diag.log

db2diag.log had a message that indicated a password problem.

Password validation for user db2inst1 failed with rc = -2146500507

Preliminary checks

1) The user ID was not locked.
2) The password that was being supplied was the right one.
3) No recent fix pack had been applied that could have messed things up.
4) The instance owner's password-less 'ssh' between DPF nodes was working just fine. (This is actually a pre-requisite in DB2 DPF.)

Errors in /var/log/messages file

I noticed that an error message was being written to the /var/log/messages file (this was SUSE Linux) every time an explicit connection attempt was made.

Oct 7 10:28:39 hostdata01 db2ckpwd 5[2871]: pam_warn(db2:auth): function= [pam_sm_authenticate] servic

The key words for me were “pam_warn”, “db2:auth” and the file /etc/pam.d/db2.

To my surprise, I found this file only on the coordinator node.

db2inst1@hostadm01:/etc/pam.d> ls -ltr /etc/pam.d/db2      <<<<--------- This is on the coordinator node
-rw-r--r-- 1 root root 383 2014-10-08 16:15 db2

db2inst1@hostdata01:/etc/pam.d> ls -ltr /etc/pam.d/db2     <<<<--------- This is on the data1 node
/bin/ls: /etc/pam.d/db2: No such file or directory

db2inst1@hostdata02:/etc/pam.d> ls -ltr /etc/pam.d/db2     <<<<--------- This is on the data2 node
/bin/ls: /etc/pam.d/db2: No such file or directory

db2inst1@hostdata03:/etc/pam.d> ls -ltr /etc/pam.d/db2     <<<<--------- This is on the data3 node
/bin/ls: /etc/pam.d/db2: No such file or directory

The problem was that DB2 expected the file /etc/pam.d/db2 to be on all the nodes in the DPF database. However, this file was only on the coordinator node. The error message SQL30082N was misleading: it indicated that the problem could be with the user id's credentials.

Solution:

After the /etc/pam.d/db2 file was copied onto the data nodes, the explicit connection attempt worked as expected. No instance restart was required. This experience is a reminder that each node in a DPF database needs to be configured exactly the same way. Minor differences might hide the problems for some time, but it is only a matter of time before the problems surface.
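A small script that turns the lesson above into a check, added here as an example and not part of the original post: it compares the md5 of /etc/pam.d/db2 on every DPF node with the coordinator's copy over the instance owner's password-less ssh (the DPF prerequisite listed under the preliminary checks). The hostnames in the usage line are the ones from this post; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): report nodes whose
# /etc/pam.d/db2 is missing or differs from the coordinator's copy.
# Assumes password-less ssh from the instance owner to every node.

PAM_FILE="${PAM_FILE:-/etc/pam.d/db2}"

# Print the md5 of PAM_FILE on one node, "MISSING" if the file is not
# readable there, or "UNREACHABLE" if ssh itself fails.
node_digest() {
    node="$1"
    ssh -o BatchMode=yes "$node" \
        "if [ -r '$PAM_FILE' ]; then md5sum '$PAM_FILE' | cut -d' ' -f1; else echo MISSING; fi" \
        2>/dev/null || echo UNREACHABLE
}

# check_pam_consistency <coordinator> <data node>...
# Prints one line per node; returns 0 only when every node matches the
# coordinator and the coordinator's file itself could be read.
check_pam_consistency() {
    coord="$1"; shift
    ref=$(node_digest "$coord")
    if [ "$ref" = MISSING ] || [ "$ref" = UNREACHABLE ]; then
        echo "reference node $coord: $ref" >&2
        return 1
    fi
    rc=0
    printf '%-20s %s (reference)\n' "$coord" "$ref"
    for n in "$@"; do
        d=$(node_digest "$n")
        if [ "$d" = "$ref" ]; then
            printf '%-20s %s OK\n' "$n" "$d"
        else
            # MISSING here is exactly the state the post ran into.
            printf '%-20s %s MISMATCH\n' "$n" "$d"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_pam.sh hostadm01 hostdata01 hostdata02 hostdata03
if [ "$#" -gt 0 ]; then
    check_pam_consistency "$@"
fi
```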

Contents of /etc/pam.d/db2 file

Below is how our /etc/pam.d/db2 file looked. I am not a PAM (Programmable Access Module) expert. However, after some research, I now understand that the authentication process (for DB2) is top-down as outlined in the file /etc/pam.d/db2.

# The PAM configuration file for DB2
auth     sufficient  pam_ldap.so use_first_pass
auth     required    pam_unix2.so
account  sufficient  pam_ldap.so
account  required    pam_unix2.so
password required    pam_pwcheck.so
password sufficient  pam_ldap.so use_first_pass
password required    pam_unix2.so use_authtok use_first_pass
session  required    pam_unix2.so

PAM is flexible and it supports both local and LDAP users. The above PAM configuration supports system user ids via pam_unix2.so and LDAP users via pam_ldap.so.

pam_ldap.so — As this is in the 1st line, DB2 first tries to authenticate via LDAP. If authentication succeeds, the process exits (with a success), as dictated by the keyword ‘sufficient’ (as in a ‘necessary and sufficient’ condition).

pam_unix2.so — If the user id is NOT found in LDAP or if LDAP authentication fails, DB2 then relies on the operating system (LINUX in this case) to authenticate the user. “use_first_pass” in the 1st line passes the password on to the 2nd authentication attempt, so the user is not prompted for the password a second time. This authentication step is a ‘required’ one. If authentication fails in this step, an error is returned to the user.

Hope this helps. I would appreciate anyone sharing their experiences with PAM in AIX or LINUX.

This entry was posted in DB2 Basics, DB2 Tips, DPF.

One thought on “DB2 and Transparent LDAP in DB2 DPF – Misleading error SQL30082N”

bhardwajn | March 19, 2015 at 8:35 pm

Reblogged this on AgentDB2 and commented:

This article is for anyone looking to resolve datastage issues with DB2 DPF.