
db2talk

DB2 Linux, Unix and Windows Administration and Development
OCTOBER 13, 2014 BY PAVAN KRISTIPATI

DB2 and Transparent LDAP in DB2 DPF: Misleading error SQL30082N
In this blog post, I will quickly cover my recent experience in troubleshooting a DB2/LDAP authentication problem in a DB2 DPF database.

Problem:
In a DB2 (9.7 Fix Pack 7) DPF data warehouse database, a connection attempt by Datastage to any node other than the coordinator node was failing. Connection attempt to coordinator node succeeds. The same user id and password were being used in both the attempts.

Background:

I was working on a proof of concept that would allow ETL (DataStage) jobs to directly connect to the data nodes to allow parallel loads (directly into each partition) into a data warehouse database. User ID used by Datastage was system level id (non-LDAP). The user id was created on all the data nodes and coordinator node. The test ETL job was aborting with a familiar error message. All evidence indicated that this could be a password problem.

Approach to solution:
For the test ETL job, user id and password were saved and were supplied as parameter(s). That eliminated the chance of different password (incorrect one) being used to connect to data nodes.
I tried to isolate the problem to a specific user id. However, I found that ETL jobs failed even when instance owner's credentials were used. To remove Datastage from the equation, I did an explicit connection to DB2 as Instance owner from the command prompt on one of the data nodes. To my surprise, this failed!! To me, this indicated a bigger problem. However, an implicit connection was successful.

db2inst1@hostdata01:~> id
uid=608(db2inst1) gid=608(bcuigrp) groups=608(bcuigrp)

db2inst1@hostdata01:~> db2 connect to edwdv    <<<< Successful Implicit connection.
   Database Connection Information
 Database server        = DB2/LINUXX8664 9.7.7
 SQL authorization ID   = DB2INST1
 Local database alias   = EDWDV

Here was the error message when an explicit connection attempt was made.

$ db2 connect to edwdv user db2inst1    <<<<< This works just fine on the coordinator node.
Enter current password for db2inst1:
SQL30082N  Security processing failed with reason "24" ("USERNAME AND/OR
PASSWORD INVALID").  SQLSTATE=08001

Messages in db2diag.log
db2diag.log had a message that indicated password problem.

Password validation for user db2inst1 failed with rc=2146500507

Preliminary checks
1) The user ID was not locked.
2) The password that was being supplied was the right one.
3) There was no recent fix pack that was applied that could have messed up things.
4) Instance owner's passwordless ssh between DPF nodes was working just fine. (This is actually a prerequisite in DB2 DPF).
5) db2set parameter for DB2 and transparent LDAP authentication (DB2AUTH=OSAUTHDB) was set on all the nodes.

Errors in /var/log/messages file
I noticed that an error message was being written to /var/log/messages file (this was SUSE Linux) every time an explicit connection attempt was made.

Oct 7 10:28:39 hostdata01 db2ckpwd5[2871]: pam_warn(db2:auth): function=[pam_sm_authenticate] service=[d

The key words for me were pam_warn, db2:auth, pam_sm_authenticate. Google search led me to Ember Crooks' blog post on DB2 and Transparent LDAP (http://db2commerce.com/2011/02/28/db2-and-transparent-ldap/). That is where I read about the file /etc/pam.d/db2.
To my surprise, I found this file only on the coordinator node.

db2inst1@hostadm01:/etc/pam.d> ls -ltr /etc/pam.d/db2    <<<< This is on the coordinator node
-rw-r--r-- 1 root root 383 2014-10-08 16:15 db2

db2inst1@hostdata01:/etc/pam.d> ls -ltr /etc/pam.d/db2    <<<< This is on the data1 node
/bin/ls: /etc/pam.d/db2: No such file or directory

db2inst1@hostdata02:/etc/pam.d> ls -ltr /etc/pam.d/db2    <<<< This is on the data2 node
/bin/ls: /etc/pam.d/db2: No such file or directory

db2inst1@hostdata03:/etc/pam.d> ls -ltr /etc/pam.d/db2    <<<< This is on the data3 node
/bin/ls: /etc/pam.d/db2: No such file or directory

The problem was that DB2 expected the file /etc/pam.d/db2 to be on all the nodes in the DPF database. However, this file was only on the coordinator node. The error message SQL30082N was misleading. It indicated that the problem could be with the user id's credentials.

Solution:
After the /etc/pam.d/db2 file was copied onto the data nodes, explicit connection attempt worked as expected. No instance restart was required. This experience is a reminder that each node in a DPF database needs to be configured exactly the same way. Minor differences might hide the problems for some time but it is only a matter of time that problems surface.
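One way to catch this kind of drift before it surfaces as SQL30082N, as an added example that is not from the original post: compare /etc/pam.d/db2 on every host listed in db2nodes.cfg against the first host's copy. The sample db2nodes.cfg contents, the function names and the choice of the first entry as the reference are assumptions; the ssh call relies on the passwordless ssh the post lists as a DPF prerequisite.

```python
import hashlib
import subprocess

PAM_FILE = "/etc/pam.d/db2"

# Constructed sample: <partition> <hostname> <logical-port>, host names as in the post.
SAMPLE_DB2NODES = """0 hostadm01 0
1 hostdata01 0
2 hostdata01 1
3 hostdata02 0
4 hostdata03 0
"""

def dpf_hosts(db2nodes_text):
    """Unique host names from db2nodes.cfg text, in file order."""
    hosts = []
    for line in db2nodes_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] not in hosts:
            hosts.append(fields[1])
    return hosts

def fetch_over_ssh(host, path=PAM_FILE):
    """File contents from a node as bytes, or None if missing or unreadable."""
    proc = subprocess.run(["ssh", "-o", "BatchMode=yes", host, "cat", path],
                          capture_output=True)
    return proc.stdout if proc.returncode == 0 else None

def pam_drift(db2nodes_text, fetch=fetch_over_ssh):
    """Map each host to 'ok', 'missing' or 'differs' relative to the first host."""
    hosts = dpf_hosts(db2nodes_text)
    digest = {}
    for host in hosts:
        data = fetch(host)
        digest[host] = None if data is None else hashlib.sha256(data).hexdigest()
    report = {}
    for host in hosts:
        if digest[host] is None:
            report[host] = "missing"
        elif digest[host] != digest[hosts[0]]:
            report[host] = "differs"
        else:
            report[host] = "ok"
    return report

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as cfg:   # path to the instance's db2nodes.cfg
        for host, state in pam_drift(cfg.read()).items():
            print(f"{host}: {PAM_FILE} {state}")
```

Passing a different fetch function lets the comparison run without ssh, which is how the same check can be exercised against saved copies of the file.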

Contents of /etc/pam.d/db2 file
Below is what our /etc/pam.d/db2 file looked like. I am not a PAM (Programmable Access Module) expert. However, after some research, I now understand that the authentication process (for DB2) is top-down as outlined in the file /etc/pam.d/db2.

# The PAM configuration file for DB2
auth     sufficient  pam_ldap.so use_first_pass
auth     required    pam_unix2.so
account  sufficient  pam_ldap.so
account  required    pam_unix2.so
password required    pam_pwcheck.so
password sufficient  pam_ldap.so use_first_pass
password required    pam_unix2.so use_authtok use_first_pass
session  required    pam_unix2.so

PAM is flexible and it supports both local and LDAP users. The above PAM configuration supports system user ids via pam_unix2.so and LDAP users via pam_ldap.so.

pam_ldap.so: As this is in the 1st line, DB2 first tries to authenticate via LDAP. If authentication succeeds, the process exits (with a success) dictated by keyword sufficient (as in necessary and sufficient condition).

pam_unix2.so: If the user id is NOT found in LDAP or if LDAP authentication fails, DB2 then relies on operating system (LINUX in this case) to authenticate the user. use_first_pass in the 1st line passes on the password to 2nd authentication attempt. User is not prompted for the password for the second time. This authentication step is a required one. If authentication fails in this step, an error is returned to the user.
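The top-down evaluation described above, as an added example (not code from the original post): a small model of the sufficient and required control flags run over the auth lines of the file shown. It also models something the post does not state: Linux-PAM uses /etc/pam.d/other for a service that has no file of its own, and the contents assumed here for that file (pam_warn.so followed by pam_deny.so) are an assumption consistent with the pam_warn line seen in /var/log/messages.

```python
# Auth lines of the /etc/pam.d/db2 file shown above.
DB2_AUTH = [("sufficient", "pam_ldap.so"), ("required", "pam_unix2.so")]
# Assumed contents of /etc/pam.d/other, the fallback stack for a service
# without its own file: log the attempt, then refuse it.
OTHER_AUTH = [("required", "pam_warn.so"), ("required", "pam_deny.so")]
# Modules whose result does not depend on the credentials supplied.
FIXED = {"pam_warn.so": "ignore", "pam_deny.so": "fail"}

def run_stack(stack, results):
    """Evaluate an auth stack top-down.
    results maps a module name to 'ok' or 'fail' for this login attempt.
    Returns (authenticated, modules_consulted)."""
    consulted, required_failed, succeeded = [], False, False
    for control, module in stack:
        outcome = FIXED.get(module) or results[module]
        consulted.append(module)
        if outcome == "ok":
            succeeded = True
            if control == "sufficient" and not required_failed:
                return True, consulted       # success ends the stack here
        elif outcome == "fail" and control == "required":
            required_failed = True           # stack continues but will fail
        # a failed 'sufficient' module or an 'ignore' result changes nothing
    return succeeded and not required_failed, consulted

def authenticate(pam_d, service, results):
    """Pick the service's stack, falling back to 'other' when it is absent."""
    return run_stack(pam_d.get(service, pam_d["other"]), results)

# Constructed node layouts: only the coordinator has a db2 service file.
COORDINATOR = {"db2": DB2_AUTH, "other": OTHER_AUTH}
DATA_NODE = {"other": OTHER_AUTH}

if __name__ == "__main__":
    local_user = {"pam_ldap.so": "fail", "pam_unix2.so": "ok"}  # correct OS password
    print("coordinator:", authenticate(COORDINATOR, "db2", local_user))
    print("data node:  ", authenticate(DATA_NODE, "db2", local_user))
```

On the data node layout the credential modules are never consulted, so a correct password is still refused, which matches the misleading reason "24" the post describes.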
Hope this helps. I would appreciate anyone sharing your experiences with PAM in AIX or LINUX.

One thought on "DB2 and Transparent LDAP in DB2 DPF: Misleading error SQL30082N"

bhardwajn | March 19, 2015 at 8:35 pm
Reblogged this on Agent DB2 and commented:
This article is for anyone looking to resolve datastage issues with DB2 DPF.