
KB-6928: How to use user.ignore file with DB2 plugin

13 July,18 at 09:18 PM

Applies to:
All versions of Centrify DB2 Plug-in

Background:

The DB2 plug-in did not use the user.ignore file. The same error is visible in the AIX messages log, so there still appears to be a problem with the DB2 plug-in and user.ignore files.

=== Example ===
spankki is both an AD user and a local user, and was verified in AD.

finduserbyname did ignore the user:

Oct 19 08:54:19 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.schema ExtSchema: NSS ignoring user 'spankki'

Then finduserbyADname still proceeded:

Oct 19 08:54:19 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.adagent findObject ADNames: spankki name: spankki type=SAM domain=FIN.HQ.SGR
 

db2diag.log shows the password being validated for both the AD user and the local user:
===
2015-10-19-08.54.19.862362+180 I435490A532 LEVEL: Info
PID : 15401214 TID : 14909 PROC : db2sysc 0
INSTANCE: db2rbot1 NODE : 000 DB : DBOAT1
APPHDL : 0-22982
HOSTNAME: t9072011n1
EDUID : 14909 EDUNAME: db2agent (DBOAT1) 0
FUNCTION: DB2 UDB, bsu security, sqlexLogPluginMessage, probe:20
DATA #1 : String with size, 130 bytes
File: userpass_cdc.c, Line: 124, centrifydc_db2userpass: Could not validate the password for user: spankki using Active Directory.

2015-10-19-08.54.20.400703+180 I436513A518 LEVEL: Info
PID : 15401214 TID : 14909 PROC : db2sysc 0
INSTANCE: db2rbot1 NODE : 000 DB : DBOAT1
APPHDL : 0-22982
HOSTNAME: t9072011n1
EDUID : 14909 EDUNAME: db2agent (DBOAT1) 0
FUNCTION: DB2 UDB, bsu security, sqlexLogPluginMessage, probe:20
DATA #1 : String with size, 116 bytes
File: userpass_cdc.c, Line: 215, centrifydc_db2userpass: Validate the password for local user: spankki successfully.
===

Question:

A user has been put into the user.ignore list. How can that user be skipped from being checked in AD?

Answer:

The DB2 plug-in checks the user.ignore list when the following parameter is set:

db2.implement.pam.ignore.users: true


If that does not work, try setting the following as a last resort:

nss.user.ignore.all: True
 

(Once the parameters are set, make sure the DB2 instance is restarted.)

After adding "nss.user.ignore.all: true", the user is skipped from being checked in AD:

=== centrifydc.log ===
Oct 20 11:30:56 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.schema ExtSchema: NSS ignoring user 'spankki'

Oct 20 11:30:56 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.objecthelper.user findUserByADName: spankki ignored
===
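
To confirm the change took effect after the restart, the adclient debug log can be checked for the two outcomes shown above. The following is an added example, not Centrify code: the function name `ad_check_status` and the status labels are assumptions, and the sample input is the log lines quoted in this article.

```python
import re

# Patterns match the adclient debug messages quoted in this article.
NSS_IGNORED = re.compile(r"ExtSchema: NSS ignoring user '([^']+)'")
AD_LOOKUP = re.compile(r"base\.adagent findObject ADNames: (\S+) name:")
AD_SKIPPED = re.compile(r"findUserByADName: (\S+) ignored")


def ad_check_status(lines):
    """Map each NSS-ignored user to the most recent AD outcome in the log.

    'ad-lookup' : adclient still searched AD for the user (ignore list not honored)
    'skipped'   : findUserByADName reported the user as ignored
    'unknown'   : only the NSS ignore message was seen
    """
    status = {}
    for line in lines:
        m = NSS_IGNORED.search(line)
        if m:
            status.setdefault(m.group(1).lower(), "unknown")
            continue
        for pattern, outcome in ((AD_SKIPPED, "skipped"), (AD_LOOKUP, "ad-lookup")):
            m = pattern.search(line)
            # Only report users that NSS already flagged as ignored.
            if m and m.group(1).lower() in status:
                status[m.group(1).lower()] = outcome
    return status


# Sample input: the log lines shown in this article (before and after the change).
PREFIX = ("t9072011n1 auth|security:debug adclient[10944528]: "
          "DEBUG <fd:20 CAPIAuthValidatePlainTextUser > ")
BEFORE = [
    "Oct 19 08:54:19 " + PREFIX + "base.schema ExtSchema: NSS ignoring user 'spankki'",
    "Oct 19 08:54:19 " + PREFIX + "base.adagent findObject ADNames: spankki "
    "name: spankki type=SAM domain=FIN.HQ.SGR",
]
AFTER = [
    "Oct 20 11:30:56 " + PREFIX + "base.schema ExtSchema: NSS ignoring user 'spankki'",
    "Oct 20 11:30:56 " + PREFIX + "base.objecthelper.user findUserByADName: spankki ignored",
]

if __name__ == "__main__":
    print("before:", ad_check_status(BEFORE))
    print("after: ", ad_check_status(AFTER))
```

A user reported as `ad-lookup` is still being looked up in AD despite being in user.ignore.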
