Results 1 to 3 of 3
  1. #1
    Join Date
    Aug 2011
    Location
    Columbus, OH
    Posts
    55

    Unanswered: Looking for insight on instance owner priviliges and package binds

    Hello DB2 friends! This junior DB2 DBA is looking to for some help understanding why an instance owner might not be able to perform a database bind. Below is my issue, any help or info would be great appreciated!!!

    I recently upgraded a DB2 LUW database from ESE 8.1 fix pack 14 to ESE 9.7 fix pack 4. During the upgrade I moved the database from instA on
    serverA to instB on serverB via a redirected restores. The upgrade was a successful, but now I'm having some problems binding packages after
    the upgrade. Note: I changed the 'real'instance and server names to instA, serverA,... to make it easier to follow.

    When I try to perform "db2 REBIND PACKAGE DB2ADMIN.P6560004" I receive the following error message:

    SQL30060N "instb" does not have the privilege to perform operation
    "0x2203". SQLSTATE=08004

    I can see the package was originally created by the user DB2ADMIN, but I would think as the instance owner, I should be able to bind a package
    or do anything else in the database I want.

    When I generate the ddl for the instance owner, this is what I see: GRANT "SYSROLE_AUTH_SECADM" TO USER "INSTB";

    when I generate the ddl for the instance owner group, this is what I see:

    GRANT "SYSROLE_AUTH_DBADM" TO GROUP "DB2ADMD";

    GRANT BIND ON PACKAGE "DB2ADMIN"."P6560004" TO GROUP "DB2ADMD" WITH GRANT OPTION;

    GRANT CONNECT ON DATABASE TO GROUP "DB2ADMD";

    GRANT CONTROL ON PACKAGE "DB2ADMIN"."P6560004" TO GROUP "DB2ADMD";

    GRANT DBADM ON DATABASE TO GROUP "DB2ADMD";

    GRANT EXECUTE ON PACKAGE "DB2ADMIN"."P6560004" TO GROUP "DB2ADMD" WITH GRANT OPTION;


    As you can see I even tried to explicitly grant package privileges to the group.


    ServerA is authenticated with OpenLDAP and ServerB is authenticated with Centrify (Active Directory).

    ServerA's dbm cfg parameters for SYSADM group membership & authentication information:

    SYSADM group name (SYSADM_GROUP) = DB2GRP1
    SYSCTRL group name (SYSCTRL_GROUP) =
    SYSMAINT group name (SYSMAINT_GROUP) =
    SYSMON group name (SYSMON_GROUP) =

    Client Userid-Password Plugin (CLNT_PW_PLUGIN) =
    Client Kerberos Plugin (CLNT_KRB_PLUGIN) =
    Group Plugin (GROUP_PLUGIN) =
    GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) =
    Server Plugin Mode (SRV_PLUGIN_MODE) = UNFENCED
    Server List of GSS Plugins (SRVCON_GSSPLUGIN_LIST) =
    Server Userid-Password Plugin (SRVCON_PW_PLUGIN) =
    Server Connection Authentication (SRVCON_AUTH) = NOT_SPECIFIED
    Database manager authentication (AUTHENTICATION) = SERVER
    Cataloging allowed without authority (CATALOG_NOAUTH) = NO
    Trust all clients (TRUST_ALLCLNTS) = YES
    Trusted client authentication (TRUST_CLNTAUTH) = CLIENT

    InstA's group membership:

    >-serverB:CM(/dev/pts/1):/home/instb
    >-instb-> id
    uid=213(instb) gid=102(db2grp1) groups=1(staff),101(icmadgrp)

    ServerB's dbm cfg parameters for SYSADM group membership & authentication information:

    SYSADM group name (SYSADM_GROUP) = DB2ADMD
    SYSCTRL group name (SYSCTRL_GROUP) = DB2CTRL
    SYSMAINT group name (SYSMAINT_GROUP) =
    SYSMON group name (SYSMON_GROUP) =

    Client Userid-Password Plugin (CLNT_PW_PLUGIN) =
    Client Kerberos Plugin (CLNT_KRB_PLUGIN) =
    Group Plugin (GROUP_PLUGIN) = centrifydc_db2group
    GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) =
    Server Plugin Mode (SRV_PLUGIN_MODE) = UNFENCED
    Server List of GSS Plugins (SRVCON_GSSPLUGIN_LIST) =
    Server Userid-Password Plugin (SRVCON_PW_PLUGIN) = centrifydc_db2userpass
    Server Connection Authentication (SRVCON_AUTH) = SERVER_ENCRYPT
    Cluster manager (CLUSTER_MGR) =

    Database manager authentication (AUTHENTICATION) = SERVER
    Alternate authentication (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED
    Cataloging allowed without authority (CATALOG_NOAUTH) = NO
    Trust all clients (TRUST_ALLCLNTS) = YES
    Trusted client authentication (TRUST_CLNTAUTH) = CLIENT
    Bypass federated authentication (FED_NOAUTH) = NO


    instB's group membership:

    >-serverB/dev/pts/1):/db2/instb
    >-instb-> id
    uid=1208(instb) gid=1022(db2admd)



    Helpful info:

    >-instb-> db2level
    DB21085I Instance "instb" uses "64" bits and DB2 code release "SQL09074"
    with level identifier "08050107".
    Informational tokens are "DB2 v9.7.0.4", "s110330", "IP23236", and Fix Pack
    "4".
    Product is installed at "/opt/IBM/db2/V9.7".

    >-instb-> db2licm -l
    Product name: "DB2 Enterprise Server Edition"
    License type: "CPU Option"
    Expiry date: "Permanent"
    Product identifier: "db2ese"
    Version information: "9.7"
    Enforcement policy: "Soft Stop"
    Features:
    DB2 Performance Optimization ESE: "Not licensed"
    DB2 Storage Optimization: "Not licensed"
    DB2 Advanced Access Control: "Not licensed"
    DB2 Geodetic Data Management: "Not licensed"
    IBM Homogeneous Replication ESE: "Not licensed"

    **************************

    >-insta-> db2level
    DB21085I Instance "insta" uses "32" bits and DB2 code release "SQL08027"
    with level identifier "03080106".
    Informational tokens are "DB2 v8.1.1.128", "s061108", "U810098", and FixPak
    "14".
    Product is installed at "/usr/opt/db2_08_01".


    >-insta-> db2licm -l
    Product Name = "DB2 Enterprise Server Edition"
    Product Identifier = "DB2ESE"
    Version Information = "8.2"
    Expiry Date = "Permanent"
    Registered Connect User Policy = "Disabled"
    Number Of Entitled Connect Users = "5"
    Enforcement Policy = "Soft Stop"
    Number of processors = "1"
    Number of licensed processors = "2"
    Database partitioning feature = "Not entitled"
    Annotation = ""
    Other information = ""

    Product Name = "DB2 High Availability Disaster Recovery Option"
    Product Identifier = "DB2HADR"
    Version Information = "8.2"
    Expiry Date = "Permanent"
    Annotation = ""
    Other information = ""

    Product Name = "DB2 Advanced Security Option"
    Product Identifier = "DB2ASO"
    Version Information = "8.2"
    Expiry Date = "Permanent"
    Annotation = ""
    Other information = ""

  2. #2
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    Security environment in DB2 has changed substantially between DB2 8 and DB2 9.7.

    Group privileges may not be applicable when dealing with static SQL (packages). So, try this:

    - CREATE ROLE mydbadm
    - GRANT DBADM ON DATABASE TO ROLE mydbadm
    - GRANT ROLE mydbadm TO USER instb

    I would not use system-defined roles, as they may have side effects.
    ---
    "It does not work" is not a valid problem statement.

  3. #3
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    Consider also this: System environment variables
    ---
    "It does not work" is not a valid problem statement.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •