Applies to:
All versions of Centrify DirectControl DB2 plugin (username and password plugin)
Question:
After installing and configuring the DirectControl DB2 plugin, a local account was added to /etc/centrifydc/user.ignore. Later, adreload and adflush were run, but db2 connect fails for the local account with the error message below:
vttidb2: ~/sqllib/db2dump$ db2 connect to vttitest
SQL30082N Security processing failed with reason "15" ("Processing Failure").
SQLSTATE=08001
where vttitest is the name of the database.
What is the reason?
Answer:
There can be several reasons, so customers are advised to follow the steps below. To keep the examples simple, vtti01 is used as the name of the local account in /etc/passwd.
1) Please run the following command on the DB2 server (running Centrify) to check the Centrify DB2 configuration.
db2 get dbm config |egrep -i "auth|gss|group|srvcon"
SYSADM group name (SYSADM_GROUP) = VTTI01
SYSCTRL group name (SYSCTRL_GROUP) =
SYSMAINT group name (SYSMAINT_GROUP) =
SYSMON group name (SYSMON_GROUP) =
Group Plugin (GROUP_PLUGIN) =
GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) =
Server List of GSS Plugins (SRVCON_GSSPLUGIN_LIST) =
Server Userid-Password Plugin (SRVCON_PW_PLUGIN) = centrifydc_db2userpass
Server Connection Authentication (SRVCON_AUTH) = NOT_SPECIFIED
Database manager authentication (AUTHENTICATION) = SERVER
Alternate authentication (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED
Cataloging allowed without authority (CATALOG_NOAUTH) = NO
Trusted client authentication (TRUST_CLNTAUTH) = CLIENT
Bypass federated authentication (FED_NOAUTH) = NO
In the above output, you should see the centrifydc_db2userpass line, which indicates that the Centrify Username/Password plug-in is in use. The default DB2 Username/Password plug-in authenticates only users in a NIS domain or in the password file (/etc/passwd); the Centrify plug-in (centrifydc_db2userpass) supports both Active Directory and non-Active Directory users. A non-Active Directory user may be a UNIX user from a local store such as /etc/passwd or NSS (Name Service Switch), or a user authenticated through PAM (Pluggable Authentication Modules) or AIX's LAM (Loadable Authentication Module).
2) DB2 diagnostic logging should also be turned on. See KB-0547 (How to turn on DB2 debug logs), and run Centrify debug logging at the same time.
3) Examine local /etc/passwd to make sure the local account is present.
grep '^vtti01:' /etc/passwd
vtti01:x:608:608:DB2 instance 01:/home/vtti01:/bin/bash
4) Examine the local /etc/shadow file to make sure the account is still active (not expired).
vtti01:$2a$10$fJiI26veDDIzmlB8uhuOa.DvSJf2ThgNXXv7/GnbsobH0dBKQn3zq:14771:0:99999:7:::
This expiration data includes the day the user last changed their password, the number of days the password remains valid, the number of days before expiry on which the user is warned, and so on. Six fields apply to password expiration; they are described in the shadow manual page.
5) Run the id and getent commands to check the UID, GID and groups of the local account. The local account vtti01 must appear in the getent group output.
vttidb2:~# id vtti01
uid=608(vtti01) gid=608(vtti01)
groups=608(vtti01),65(sshd),10(wheel),100(users)
vttidb2:~$ getent group
vtti01:!:608:joeuser, vtti01
6) Always run Centrify's setupdb2.sh on the DB2 server. This script automates the installation and configuration of the DirectControl DB2 security plug-ins and is the preferred method for installing and setting them up. If you are performing a manual install, please follow the steps on page 7 (4.2.2 Setup for Username/Password plug-in) of the guide below.
http://www.centrify.com/downloads/products/documentation/suite2011/ga/centrify-dc-db2.pdf
Cross-check the following:
a) Check /etc/pam.d/centrifydc_db2userpass and make sure it reads:
auth include common-auth
account include common-account
b) Examine /etc/pam.d/common-auth to check that Centrify has added the relevant PAM libraries. Note: the file is either common-auth or system-auth depending on the flavor of Linux used.
In one particular customer's case, the lines below were missing. Restarting Centrify restores these important lines.
auth sufficient pam_centrifydc.so
auth requisite pam_centrifydc.so deny
7) After making all the configuration changes, switch to the DB2 instance owner and run db2stop to stop DB2.
8) Run db2start to start DB2.
9) Note: the correct syntax to connect to the DB2 instance is
# db2 connect to vttitest user vtti01
where vttitest is the name of the database and vtti01 is the name of the local account.
10) If you still see a message like the one below, the additional steps that follow may be needed.
vttidb2:~/sqllib/db2dump$ db2 connect to vttitest
SQL30082N Security processing failed with reason "15" ("PROCESSING FAILURE").
SQLSTATE=08001
11) Edit /etc/centrifydc/centrifydc.conf and add the following line at the end of the file:
db2.userpass.allow.localnopasswd.vtti01: true
(note, DB2INSTANCE=vtti01).
The Centrify username/password plug-in, like the IBM default username/password plug-in, can allow users who are already logged into the DB2 server machine to connect without a password. This single sign-on feature for local users is enabled or disabled by setting the centrifydc.conf property db2.userpass.allow.localnopasswd.<db2instance> to true or false. Note that this property is applied on a per-instance basis. The default value is false. However, the setupdb2.sh script sets this property to true if the user chooses to install only the Username/Password plug-in and not the GSSAPI plug-in.
12) Restart DB2 and attempt the connection again; you will not be prompted for a password.
13) If you still encounter SQL errors, please contact Centrify support for further assistance.
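The following script is an added example and is not part of this KB article or of Centrify's own tooling. It turns the manual checks in steps 4, 6b and 11 into read-only shell functions that take file paths, so they can be run against the constructed sample files embedded here (built in a temporary directory) or pointed at the real /etc/shadow, /etc/pam.d/common-auth (or system-auth) and /etc/centrifydc/centrifydc.conf on a DB2 server. The user names, hashes and "today" day number are constructed values, and the functions and their names are this example's own.

```shell
#!/bin/sh
# Added example (not from the KB or Centrify): offline checks for steps 4, 6b and 11.
# Every file below is a constructed sample; the functions take file paths so they can
# be pointed at the real /etc/shadow, /etc/pam.d/common-auth and centrifydc.conf.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed /etc/shadow: vtti01 mirrors the KB entry (max age 99999, effectively
# no aging); olduser has a 90-day maximum age that has long passed.
cat > "$TMPD/shadow" <<'EOF'
vtti01:$2a$10$fJiI26veDDIzmlB8uhuOa.DvSJf2ThgNXXv7/GnbsobH0dBKQn3zq:14771:0:99999:7:::
olduser:$6$constructed$hash:14000:0:90:7:::
EOF

# Constructed PAM stacks: one with both pam_centrifydc.so auth lines, one without.
cat > "$TMPD/common-auth.ok" <<'EOF'
auth sufficient pam_centrifydc.so
auth requisite pam_centrifydc.so deny
auth required pam_unix.so
EOF
cat > "$TMPD/common-auth.missing" <<'EOF'
auth required pam_unix.so
EOF

# Constructed centrifydc.conf carrying the per-instance local SSO property from step 11.
cat > "$TMPD/centrifydc.conf" <<'EOF'
# ... other settings ...
db2.userpass.allow.localnopasswd.vtti01: true
EOF

# Step 4: return 0 if USER's shadow entry is still usable on day TODAY (days since
# the epoch, the unit used by /etc/shadow). Fields used: 3=lastchg 5=max 8=expire.
shadow_active() {  # shadow_active SHADOWFILE USER TODAY
    entry=$(grep "^$2:" "$1") || return 1          # no entry at all
    lastchg=$(printf '%s\n' "$entry" | cut -d: -f3)
    max=$(printf '%s\n' "$entry" | cut -d: -f5)
    expire=$(printf '%s\n' "$entry" | cut -d: -f8)
    if [ -n "$expire" ] && [ "$expire" -lt "$3" ]; then
        return 1                                    # absolute account expiry has passed
    fi
    if [ -n "$lastchg" ] && [ -n "$max" ] && [ $((lastchg + max)) -lt "$3" ]; then
        return 1                                    # password has aged out
    fi
    return 0
}

# Step 6b: return 0 only if both pam_centrifydc.so auth lines are present.
pam_has_centrify() {  # pam_has_centrify PAMFILE
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_centrifydc\.so' "$1" &&
    grep -Eq '^auth[[:space:]]+requisite[[:space:]]+pam_centrifydc\.so[[:space:]]+deny' "$1"
}

# Step 11: return 0 if local no-password SSO is enabled for INSTANCE in CONF.
localnopasswd_enabled() {  # localnopasswd_enabled CONF INSTANCE
    grep -Eq '^db2\.userpass\.allow\.localnopasswd\.'"$2"'[[:space:]]*:[[:space:]]*true[[:space:]]*$' "$1"
}

# Stand-alone run over the constructed files (day 15000 is a constructed "today").
report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
report shadow_active "$TMPD/shadow" vtti01 15000
report shadow_active "$TMPD/shadow" olduser 15000
report pam_has_centrify "$TMPD/common-auth.ok"
report pam_has_centrify "$TMPD/common-auth.missing"
report localnopasswd_enabled "$TMPD/centrifydc.conf" vtti01
```

On a real server, run the three functions with today's day number (for example `$(( $(date +%s) / 86400 ))`) and the live file paths; a FAIL from pam_has_centrify points at step 6b (restart Centrify to restore the lines), and a FAIL from localnopasswd_enabled means the step 11 property is absent or set for a different instance name than DB2INSTANCE.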