KB-1956: SQL30082N Security processing failed with reason "15" ("Processing Failure").

Centrify DirectAudit, Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:07 AM

Applies to:
 
All versions of Centrify DirectControl DB2 plugin (username and password plugin) 
 
Question:
 
After installing and configuring the DirectControl DB2 plugin, a local account was added to /etc/centrifydc/user.ignore. Later, adreload and adflush were run, but db2 connect fails for the local account with the error message below:
 
vttidb2: ~/sqllib/db2dump$ db2 connect to vttitest
SQL30082N Security processing failed with reason "15" ("Processing Failure").
SQLSTATE=08001
 
where vttitest is the name of the database.
 
What is the reason?
 
Answer:
 
There can be several reasons, so customers are advised to follow the steps below. To keep the examples simple, vtti01 is used as the name of the local account in /etc/passwd.
 
1) Please run the following command on the DB2 server (running Centrify) to check the Centrify DB2 configuration.
 
db2 get dbm config |egrep -i "auth|gss|group|srvcon"
 
SYSADM group name (SYSADM_GROUP) = VTTI01 
SYSCTRL group name (SYSCTRL_GROUP) = 
SYSMAINT group name (SYSMAINT_GROUP) = 
SYSMON group name (SYSMON_GROUP) = 
Group Plugin (GROUP_PLUGIN) = 
GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) = 
Server List of GSS Plugins (SRVCON_GSSPLUGIN_LIST) =
Server Userid-Password Plugin (SRVCON_PW_PLUGIN) = centrifydc_db2userpass 
Server Connection Authentication (SRVCON_AUTH) = NOT_SPECIFIED 
Database manager authentication (AUTHENTICATION) = SERVER 
Alternate authentication (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED 
Cataloging allowed without authority (CATALOG_NOAUTH) = NO 
Trusted client authentication (TRUST_CLNTAUTH) = CLIENT 
Bypass federated authentication (FED_NOAUTH) = NO 
 
In the output above, you should see the centrifydc_db2userpass line, which shows that the Username/Password plug-in is in use. The default DB2 Username/Password plug-in authenticates only users in a NIS domain or in the password file (/etc/passwd); the Centrify plug-in (centrifydc_db2userpass) supports both Active Directory and non-Active Directory users. A non-Active Directory user may be a UNIX user from a local store such as /etc/passwd or NSS (Name Service Switch), or a user who has been authenticated through PAM (Pluggable Authentication Modules) or AIX's LAM (Loadable Authentication Module).
 
2) DB2 diagnostic logging should also be turned on. See KB-0547 (How to turn on DB2 debug logs), and run Centrify debug logging at the same time.
 
3) Examine local /etc/passwd to make sure the local account is present. 
 
grep vtti01 /etc/passwd
vtti01:x:608:608:DB2 instance 01:/home/vtti01:/bin/bash
 
4) Examine the local /etc/shadow file to make sure the account is still active (not expired).
 
vtti01:$2a$10$fJiI26veDDIzmlB8uhuOa.DvSJf2ThgNXXv7/GnbsobH0dBKQn3zq:14771:0:99999:7:::
 
This expiration data includes the last time the user changed their password, the number of days a given password may be used, the interval during which the user is warned that the password is about to expire, and so on. Six fields apply to password expiration; they are described in the shadow manual page.
 
5) Run the id and getent commands to check the uid, gid and groups the local account belongs to. The local account vtti01 must be present in the getent output.
 
vttidb2:~# id vtti01
uid=608(vtti01) gid=608(vtti01)
groups=608(vtti01),65(sshd),10(wheel),100(users)
 
vttidb2:~$ getent group
vtti01:!:608:joeuser, vtti01
 
6) Always run Centrify's setupdb2.sh on the DB2 server. This script automates the installation and configuration of the DirectControl DB2 security plug-ins and is the preferred method for installing and setting them up. If you are performing a manual install, follow the steps on page 7 (4.2.2 Setup for Username/Password plug-in) of the guide below.
 
http://www.centrify.com/downloads/products/documentation/suite2011/ga/centrify-dc-db2.pdf
 
Cross-check the following:
 
a) Check /etc/pam.d/centrifydc_db2userpass and make sure it reads:
 
auth       include    common-auth
account    include    common-account
 
b) Examine /etc/pam.d/common-auth to check that Centrify has added the relevant PAM libraries. Note: the file is either common-auth or system-auth, depending on the Linux distribution.
 
In one customer's case, the lines below were missing. Restarting Centrify restores these important lines.
 
auth sufficient pam_centrifydc.so
auth requisite pam_centrifydc.so deny
 
7) After making all the configuration changes, switch to the DB2 instance owner and run db2stop to stop DB2.
 
8) Run db2start to start DB2.
 
9) Note: the correct syntax to connect to the DB2 instance is
 
# db2 connect to vttitest user vtti01
 
where vttitest is the name of the database and vtti01 is the name of the local account.
 
10) If you still see a message like the one below, the additional steps that follow may be needed.
 
vttidb2:~/sqllib/db2dump$ db2 connect to vttitest 
 
SQL30082N  Security processing failed with reason "15" ("PROCESSING FAILURE").
SQLSTATE=08001
 
11) Edit /etc/centrifydc/centrifydc.conf, go to the bottom of the file and add:
 
db2.userpass.allow.localnopasswd.vtti01: true
 
(Note: here DB2INSTANCE=vtti01, so the instance name appended to the property is vtti01.)
 
The Centrify username/password plug-in, like the IBM default username/password plug-in, can allow users who are logged in to the DB2 server machine to connect without a password. This single sign-on feature for local users is enabled or disabled by setting the centrifydc.conf property db2.userpass.allow.localnopasswd.<db2instance> to true or false. The property is applied on a per-instance basis, and its default value is false. However, the setupdb2.sh script sets this property to true if the user chooses to install only the Username/Password plug-in and not the GSSAPI plug-in.
 
12) Restart DB2 and attempt the connection again; you should not be prompted for a password.
 
13) If you still encounter SQL errors, please contact Centrify support for further assistance.
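As an added example (not Centrify's or IBM's code), the script below checks three of the file-based conditions from the steps above: the /etc/shadow expiry fields from step 4, the two pam_centrifydc.so lines from step 6b, and the per-instance db2.userpass.allow.localnopasswd property from step 11. It works on text you read from those files; the sample shadow, PAM and centrifydc.conf inputs at the bottom are constructed for the example.

```python
# Added example (not Centrify's or IBM's code): checks the conditions KB-1956 walks
# through against file text you pass in. Sample inputs at the bottom are constructed.
import time

SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inact", "expire")

def parse_shadow(line):
    """Split one /etc/shadow line; day-count fields become int, or None when empty."""
    entry = dict(zip(SHADOW_FIELDS, line.strip().split(":")))
    for key in SHADOW_FIELDS[2:]:
        entry[key] = int(entry[key]) if entry.get(key) else None
    return entry

def account_status(entry, today=None):
    """Step 4: 'locked', 'account_expired', 'password_expired' or 'ok'."""
    today = int(time.time() // 86400) if today is None else today  # days since epoch
    if entry["hash"].startswith(("!", "*")):
        return "locked"
    if entry["expire"] is not None and today >= entry["expire"]:
        return "account_expired"
    if entry["lastchg"] == 0:                       # forced change at next login
        return "password_expired"
    if entry["lastchg"] is not None and entry["max"] is not None:
        if today > entry["lastchg"] + entry["max"] + (entry["inact"] or 0):
            return "password_expired"
    return "ok"

def pam_has_centrify(pam_text):
    """Step 6b: both pam_centrifydc.so auth rules must be present in common-auth."""
    rules = {tuple(l.split()) for l in pam_text.splitlines() if not l.lstrip().startswith("#")}
    return {("auth", "sufficient", "pam_centrifydc.so"),
            ("auth", "requisite", "pam_centrifydc.so", "deny")} <= rules

def localnopasswd_enabled(conf_text, instance):
    """Step 11: db2.userpass.allow.localnopasswd.<instance> in centrifydc.conf (default false)."""
    key = "db2.userpass.allow.localnopasswd." + instance
    for line in conf_text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and not name.startswith("#") and name.strip() == key:
            return value.strip().lower() == "true"
    return False

# Constructed samples; the shadow line is the one shown in step 4 of the article.
SHADOW = "vtti01:$2a$10$fJiI26veDDIzmlB8uhuOa.DvSJf2ThgNXXv7/GnbsobH0dBKQn3zq:14771:0:99999:7:::"
PAM_OK = "auth sufficient pam_centrifydc.so\nauth requisite pam_centrifydc.so deny\nauth required pam_unix.so\n"
CONF = "# centrifydc.conf tail\ndb2.userpass.allow.localnopasswd.vtti01: true\n"
```

On a real server, read /etc/shadow (as root), /etc/pam.d/common-auth or system-auth, and /etc/centrifydc/centrifydc.conf and pass their contents to these functions with the DB2INSTANCE name.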
 
