Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-6928: How to use user.ignore file with DB2 plugin

13 July,18 at 09:18 PM

Applies to:
All versions of Centrify DB2 Plug-in

Background:
DB2 plugin did not use user.ignore -files. There are visible same error in AIX messages-log as It looks that there is still problem with DB2 plugin and user.ignore-files.

=== Example ===
spankki is both AD and local user, was verified in AD

finduserbyname did ignore the user:

Oct 19 08:54:19 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.schema ExtSchema: NSS ignoring user 'spankki'

Then finduserbyADname still proceed:

Oct 19 08:54:19 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.adagent findObject ADNames: spankki name: spankki type=SAM domain=FIN.HQ.SGR
 

From db2diag.log showing verifying both AD and local user.
===
2015-10-19-08.54.19.862362+180 I435490A532 LEVEL: Info
PID : 15401214 TID : 14909 PROC : db2sysc 0
INSTANCE: db2rbot1 NODE : 000 DB : DBOAT1
APPHDL : 0-22982
HOSTNAME: t9072011n1
EDUID : 14909 EDUNAME: db2agent (DBOAT1) 0
FUNCTION: DB2 UDB, bsu security, sqlexLogPluginMessage, probe:20
DATA #1 : String with size, 130 bytes
File: userpass_cdc.c, Line: 124, centrifydc_db2userpass: Could not validate the password for user: spankki using Active Directory.

2015-10-19-08.54.20.400703+180 I436513A518 LEVEL: Info
PID : 15401214 TID : 14909 PROC : db2sysc 0
INSTANCE: db2rbot1 NODE : 000 DB : DBOAT1
APPHDL : 0-22982
HOSTNAME: t9072011n1
EDUID : 14909 EDUNAME: db2agent (DBOAT1) 0
FUNCTION: DB2 UDB, bsu security, sqlexLogPluginMessage, probe:20
DATA #1 : String with size, 116 bytes
File: userpass_cdc.c, Line: 215, centrifydc_db2userpass: Validate the password for local user: spankki successfully.
===

Question:

User is put into user.ignore list, how to skip user from being checked on AD?

Answer:

DB2 plugin will check the user.ignore list when the following parameter is set:

db2.implement.pam.ignore.users: true


In case it does not work try setting the following as a last resort:

nss.user.ignore.all: True
 

(Once parameters are set, make sure DB2 instance is restarted)

After adding "nss.user.ignore.all: true" and user can be skipped from checking on AD

=== centrifydc.log ===
Oct 20 11:30:56 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.schema ExtSchema: NSS ignoring user 'spankki'

Oct 20 11:30:56 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.objecthelper.user findUserByADName: spankki ignored
===

Related Articles

 articleKB-1956: SQL30082N Security processing failed with reason "15" ("Processing Failure"). articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-3040: How to run setupdb2.sh to configure Centrify DB2 plugin articleKB-0547: How to Collect Debug Logs from a DB2 server with the Centrify App Server Plug-in articleInstalling DB2 Express-C on Linux and configuring the Centrify DB2 plugin articleHOWTO: Install, configure and test the Centrify IBM DB2 SSO Module articleKB-8905: Significantly slow DB2 transaction times when using the Centrify DB2 plugin articleHOWTO: Configure the IBM DB2 SSO Module for Kerberos/GSSAPI SSO articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0)