MQSeries.net Forum Index » IBM MQ Security » MQ does find rights for group members

MQ does find rights for group members
LMD
PostPosted: Wed Oct 02, 2019 12:28 pm    Post subject: MQ does find rights for group members

Acolyte

Joined: 30 Oct 2002
Posts: 56
Location: Paris - France

Hello,

I have a problem with MQ rights for group members.

Environment:
- Linux RHEL, MQ 9.1.0.3
- users defined in a Windows AD (user1, user2, ...)
- AD group "mqadm" containing (user1, user2, ...)
- users and groups are less than 12 characters long
- AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)

Linux sees accounts and AD groups:
Quote:
su - user1
--> ok
user1 is part of the mqadm group:
Quote:
id
uid=22209498(user1) gid=22200513(domain users) groups=22224118(mqadm) ...


I give all rights on all MQ objects to the group:

SET AUTHREC OBJTYPE(QMGR) GROUP('mqadm') AUTHADD(ALL)
SET AUTHREC PROFILE(**) OBJTYPE(QUEUE) GROUP('mqadm') AUTHADD(ALL)
...

When I ask about the group's rights, I have:

DISPLAY ENTAUTH GROUP('mqadm') OBJTYPE(QMGR) all
OBJNAME(QM) ENTITY(mqadm)
ENTTYPE(GROUP) OBJTYPE(QMGR)
AUTHLIST(ALTUSR,CHG,CONNECT,DLT,DLT,DSP,INQ,SET,SETALL,SETID,CTRL,SYSTEM)

When I try to connect via MQ Explorer (without password), I get the error:
Quote:
AMQ8077W: The "user1" entity does not have the appropriate rights to access the "QM01" object.
EXPLANATION :
The specified entity cannot access the required object. The following rights are required: connect

-> and yet the user1 account belongs to the mqadm group.

When I try to connect via MQ Explorer (with password), I get the error:
Quote:
AMQ5534E: Failure to authenticate the user ID "user1"
EXPLANATION :
The user ID and password provided by the program 'MQ Explorer 9.1.0' could not be authenticated.

--> and yet I am sure of the user1 account password.

I probably forgot something, but I really don't see what.
Thank you for your help!
_________________
lmd_at_demey-consulting.fr - http://demey-consulting.fr - Paris, France.
WMQ, WAS & IIB Certified.
#IBMChampion
hughson
PostPosted: Wed Oct 02, 2019 12:56 pm    Post subject:

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

I assume you have either issued REFRESH SECURITY or restarted the queue manager since adding user1 to group mqadm.

When you issue the following command what does it show?

Code:
DISPLAY ENTAUTH PRINCIPAL('user1') OBJTYPE(QMGR) ALL

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
LMD
PostPosted: Wed Oct 02, 2019 1:19 pm    Post subject:

Acolyte

Joined: 30 Oct 2002
Posts: 56
Location: Paris - France

Hi Morag,

Yes, security refreshed and QM restarted afterwards.

Quote:
DISPLAY ENTAUTH PRINCIPAL('user1') OBJTYPE(QMGR) ALL
4 : DISPLAY ENTAUTH PRINCIPAL('user1') OBJTYPE(QMGR) ALL
AMQ8866I: Affichage des détails relatifs au service d'entité.
OBJNAME(WMQ01PP) ENTITY(user1)
ENTTYPE(PRINCIPAL) OBJTYPE(QMGR)
AUTHLIST( )


_________________
lmd_at_demey-consulting.fr - http://demey-consulting.fr - Paris, France.
WMQ, WAS & IIB Certified.
#IBMChampion
hughson
PostPosted: Wed Oct 02, 2019 1:31 pm    Post subject:

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

LMD wrote:
Quote:
DISPLAY ENTAUTH PRINCIPAL('user1') OBJTYPE(QMGR) ALL
4 : DISPLAY ENTAUTH PRINCIPAL('user1') OBJTYPE(QMGR) ALL
AMQ8866I: Affichage des détails relatifs au service d'entité.
OBJNAME(WMQ01PP) ENTITY(user1)
ENTTYPE(PRINCIPAL) OBJTYPE(QMGR)
AUTHLIST( )


This does seem to suggest that the queue manager is not aware of the groups that 'user1' is in.

Hopefully someone on this forum is familiar with setting up a queue manager on Linux to use a Windows Active Directory, and can advise.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
LMD
PostPosted: Fri Oct 04, 2019 6:25 am    Post subject:

Acolyte

Joined: 30 Oct 2002
Posts: 56
Location: Paris - France

Hello,
So the problem is solved. Two important points:
- One AUTHINFO with AUTHENMD(PAM)
- A VERY poorly documented environment variable (no mention in the KC) to be exported for the mqm account:
Quote:
export MQS_GETGROUPLIST_API=1


Thank you all for your precious help.
_________________
lmd_at_demey-consulting.fr - http://demey-consulting.fr - Paris, France.
WMQ, WAS & IIB Certified.
#IBMChampion
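As an added diagnostic (my code, not from the thread, from IBM or from MQGem): the name of the variable suggests the fix switches MQ from walking the whole group database to the getgrouplist() API, so this script shows both views of a user's groups side by side and flags the thread's symptom (OS says the user is in the granted group, MQ shows AUTHLIST( )) on captured command output. The `ID_OUTPUT` and `ENTAUTH_OUTPUT` strings are constructed from the posts above, and the assumption that MQ uses exactly these two lookup paths is mine.

```python
import grp
import os
import pwd
import re
# Constructed from the thread's quoted output: what the OS said about user1
# and what DISPLAY ENTAUTH PRINCIPAL('user1') returned for the same account.
ID_OUTPUT = "uid=22209498(user1) gid=22200513(domain users) groups=22224118(mqadm),22200513(domain users)"
ENTAUTH_OUTPUT = "OBJNAME(WMQ01PP) ENTITY(user1)\nENTTYPE(PRINCIPAL) OBJTYPE(QMGR)\nAUTHLIST( )"

def groups_by_enumeration(user):
    """Walk the whole group database (getgrent-style); with SSSD enumeration off, AD groups are absent here."""
    try:
        primary = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name
    except KeyError:
        return set()
    return {g.gr_name for g in grp.getgrall() if user in g.gr_mem} | {primary}

def groups_by_getgrouplist(user):
    """Ask NSS via getgrouplist(), the same path the `id` command uses."""
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return set()
    names = set()
    for gid in os.getgrouplist(user, pw.pw_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.add(str(gid))  # gid with no resolvable name
    return names

def groups_missed_by_enumeration(user):
    """Groups the OS grants to `user` that a group-database walk never sees."""
    return groups_by_getgrouplist(user) - groups_by_enumeration(user)

def parse_id_groups(id_output):
    """Group names from `id` output, e.g. the line quoted in the thread."""
    if "groups=" not in id_output:
        return set()
    return set(re.findall(r"\d+\(([^)]*)\)", id_output.split("groups=", 1)[1]))

def authlist_is_empty(entauth_output):
    """True when DISPLAY ENTAUTH shows AUTHLIST( ), i.e. no authority resolved."""
    m = re.search(r"AUTHLIST\(([^)]*)\)", entauth_output)
    return m is not None and m.group(1).strip() == ""

def os_mq_mismatch(id_output, entauth_output, granted_group):
    """The thread's symptom: OS membership in the AUTHREC group, but MQ resolves nothing."""
    return granted_group in parse_id_groups(id_output) and authlist_is_empty(entauth_output)
```

Run `groups_missed_by_enumeration(<user>)` as the mqm account on the MQ host: a non-empty result for an AD user is the condition under which group-based AUTHRECs silently fail to apply.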