Results 1 to 5 of 5
  1. #1
    Join Date
    Aug 2011
    Location
    Columbus, OH
    Posts
    55

    Unanswered: connection problem when specifying user/password locally, but not remotely

    Hello DB2 friend!

    I have a DB2 ESE 9.7 fix pack 5 database running on AIX 7.1

    The database was created and configured by the IBM TDS 6.3 fix pack 10 software.

    I can successfully do the following:

    1. switch users to the database instance owner on the server using the command "su - <db_instance_owner>"
    2. connect to the database as the database instance owner on the local database server without specifying a
    username and password using the command "db2 connect to <db_name>"
    3. connect to the database as the database instance owner when connecting remotely

    >-mgtitdsa02/dev/pts/5):/rhome/admreyno
    >-admreyno-> su - tdsinst
    Password:

    >-mgtitdsa02/dev/pts/5):/opt/IBM/home/tdsinst
    >-tdsinst-> db2 connect to iamdb

    Database Connection Information

    Database server = DB2/AIX64 9.7.5
    SQL authorization ID = TDSINST
    Local database alias = IAMDB


    I CANNOT do:

    1. connect to the database as the database instance owner when the database


    >-mgtitdsa02/dev/pts/5):/opt/IBM/home/tdsinst
    >-tdsinst-> db2 connect to iamdb user tdsinst using td$inst
    SQL30082N Security processing failed with reason "24" ("USERNAME AND/OR
    PASSWORD INVALID"). SQLSTATE=08001


    If the password was incorrect, I wouldn't be able to su to the user or to connect remotely. Is there a dbm parameter I have set incorrectly?

    Any ideas on things I can check?


    Supporting details:

    The user is local to the server.


    >-mgtitdsa02/dev/pts/5):/opt/IBM/home/tdsinst
    >-tdsinst-> db2 list db directory

    System Database Directory

    Number of entries in the directory = 2

    Database 1 entry:

    Database alias = IAMDB
    Database name = IAMDB
    Local database directory = /opt/IBM/home/tdsinst
    Database release level = d.00
    Comment =
    Directory entry type = Indirect
    Catalog database partition number = 0
    Alternate server hostname =
    Alternate server port number =

    Database 2 entry:

    Database alias = LDAPDB2B
    Database name = IAMDB
    Local database directory = /opt/IBM/home/tdsinst
    Database release level = d.00
    Comment =
    Directory entry type = Indirect
    Catalog database partition number = 0
    Alternate server hostname =
    Alternate server port number =

    >-tdsinst-> db2 get dbm cfg

    Database Manager Configuration

    Node type = Enterprise Server Edition with local and remote clients

    Database manager configuration release level = 0x0d00

    CPU speed (millisec/instruction) (CPUSPEED) = 2.834065e-07
    Communications bandwidth (MB/sec) (COMM_BANDWIDTH) = 1.000000e+02

    Max number of concurrently active databases (NUMDB) = 8
    Federated Database System Support (FEDERATED) = NO
    Transaction processor monitor name (TP_MON_NAME) =

    Default charge-back account (DFT_ACCOUNT_STR) =

    Java Development Kit installation path (JDK_PATH) = /opt/IBM/home/tdsinst/sqllib/java/jdk64

    Diagnostic error capture level (DIAGLEVEL) = 4
    Notify Level (NOTIFYLEVEL) = 3
    Diagnostic data directory path (DIAGPATH) = /db2log/
    Alternate diagnostic data directory path (ALT_DIAGPATH) =
    Size of rotating db2diag & notify logs (MB) (DIAGSIZE) = 0

    Default database monitor switches
    Buffer pool (DFT_MON_BUFPOOL) = OFF
    Lock (DFT_MON_LOCK) = OFF
    Sort (DFT_MON_SORT) = OFF
    Statement (DFT_MON_STMT) = OFF
    Table (DFT_MON_TABLE) = OFF
    Timestamp (DFT_MON_TIMESTAMP) = ON
    Unit of work (DFT_MON_UOW) = OFF
    Monitor health of instance and databases (HEALTH_MON) = ON

    SYSADM group name (SYSADM_GROUP) = IDSLDAP
    SYSCTRL group name (SYSCTRL_GROUP) =
    SYSMAINT group name (SYSMAINT_GROUP) =
    SYSMON group name (SYSMON_GROUP) =

    Client Userid-Password Plugin (CLNT_PW_PLUGIN) =
    Client Kerberos Plugin (CLNT_KRB_PLUGIN) =
    Group Plugin (GROUP_PLUGIN) =
    GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) =
    Server Plugin Mode (SRV_PLUGIN_MODE) = UNFENCED
    Server List of GSS Plugins (SRVCON_GSSPLUGIN_LIST) =
    Server Userid-Password Plugin (SRVCON_PW_PLUGIN) =
    Server Connection Authentication (SRVCON_AUTH) = NOT_SPECIFIED
    Cluster manager (CLUSTER_MGR) =

    Database manager authentication (AUTHENTICATION) = SERVER
    Alternate authentication (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED
    Cataloging allowed without authority (CATALOG_NOAUTH) = NO
    Trust all clients (TRUST_ALLCLNTS) = YES
    Trusted client authentication (TRUST_CLNTAUTH) = CLIENT
    Bypass federated authentication (FED_NOAUTH) = NO

    Default database path (DFTDBPATH) = /opt/IBM/home/tdsinst

    Database monitor heap size (4KB) (MON_HEAP_SZ) = AUTOMATIC(90)
    Java Virtual Machine heap size (4KB) (JAVA_HEAP_SZ) = 2048
    Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0
    Size of instance shared memory (4KB) (INSTANCE_MEMORY) = AUTOMATIC(617417)
    Agent stack size (AGENT_STACK_SZ) = 1024
    Sort heap threshold (4KB) (SHEAPTHRES) = 0

    Directory cache support (DIR_CACHE) = YES

    Application support layer heap size (4KB) (ASLHEAPSZ) = 15
    Max requester I/O block size (bytes) (RQRIOBLK) = 32767
    Workload impact by throttled utilities(UTIL_IMPACT_LIM) = 10

    Priority of agents (AGENTPRI) = SYSTEM
    Agent pool size (NUM_POOLAGENTS) = AUTOMATIC(100)
    Initial number of agents in pool (NUM_INITAGENTS) = 0
    Max number of coordinating agents (MAX_COORDAGENTS) = AUTOMATIC(200)
    Max number of client connections (MAX_CONNECTIONS) = AUTOMATIC(MAX_COORDAGENTS)

    Keep fenced process (KEEPFENCED) = YES
    Number of pooled fenced processes (FENCED_POOL) = AUTOMATIC(MAX_COORDAGENTS)
    Initial number of fenced processes (NUM_INITFENCED) = 0

    Index re-creation time and redo index build (INDEXREC) = RESTART

    Transaction manager database name (TM_DATABASE) = 1ST_CONN
    Transaction resync interval (sec) (RESYNC_INTERVAL) = 180

    SPM name (SPM_NAME) = mgtitdsa
    SPM log size (SPM_LOG_FILE_SZ) = 256
    SPM resync agent limit (SPM_MAX_RESYNC) = 20
    SPM log path (SPM_LOG_PATH) =

    TCP/IP Service name (SVCENAME) = DB2_tdsinst
    Discovery mode (DISCOVER) = SEARCH
    Discover server instance (DISCOVER_INST) = ENABLE

    SSL server keydb file (SSL_SVR_KEYDB) =
    SSL server stash file (SSL_SVR_STASH) =
    SSL server certificate label (SSL_SVR_LABEL) =
    SSL service name (SSL_SVCENAME) =
    SSL cipher specs (SSL_CIPHERSPECS) =
    SSL versions (SSL_VERSIONS) =
    SSL client keydb file (SSL_CLNT_KEYDB) =
    SSL client stash file (SSL_CLNT_STASH) =

    Maximum query degree of parallelism (MAX_QUERYDEGREE) = ANY
    Enable intra-partition parallelism (INTRA_PARALLEL) = NO

    Maximum Asynchronous TQs per query (FEDERATED_ASYNC) = 0

    No. of int. communication buffers(4KB)(FCM_NUM_BUFFERS) = AUTOMATIC(4096)
    No. of int. communication channels (FCM_NUM_CHANNELS) = AUTOMATIC(2048)
    Node connection elapse time (sec) (CONN_ELAPSE) = 10
    Max number of node connection retries (MAX_CONNRETRIES) = 5
    Max time difference between nodes (min) (MAX_TIME_DIFF) = 60

    db2start/db2stop timeout (min) (START_STOP_TIME) = 10

  2. #2
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,367
    Check the errors in the db2diag.log (look for a message containing 'password validation for user....').
    Is local login enabled for this user id? (execute: luser -f <user id> as root)

  3. #3
    Join Date
    Aug 2011
    Location
    Columbus, OH
    Posts
    55
    Thanks for the quick response, DB2girl!

    When I execute the command you noted below I see :
    login=true


    I turned up DIAGLEVEL to 4 and tried to connect specifiying the user/pw (the way it doesn't work) and tried to connect w/o specifying the user/pw (the way it DOES work). The diag.log logged lots of Info and Event details about the successful connection, but NOTHING about the unsuccessful connection. Also, I searched for 'password validation' and found nothing.

  4. #4
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,367
    DB2 should log some message into the db2diag.log.

    Can you login directly as the instance owner (without using su/sudo) and then try connecting specifying id/pwd? Also, please check the ownership/permissions on the following file .../sqllib/security/db2ckpw. Here is what mine shows:

    -r-s--x--x 1 root db2iadm1 4070125 Aug 22 13:45 db2ckpw

  5. #5
    Join Date
    Aug 2011
    Location
    Columbus, OH
    Posts
    55
    We just figured it out. It seems using the $ in the password was no good. When the local user's password was changed, it caused the problem to surface. We changed the password using passwd on the server to use @ instead of $ and that fixed the problem.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •