Applies to: All versions of Centrify DB2 Plug-in
Background: The DB2 plug-in did not honour user.ignore files. The same error is visible in the AIX messages log, so it appears there is still a problem with the DB2 plug-in and user.ignore files.
=== Example ===
spankki is both an AD user and a local user; the AD account was verified.
finduserbyname ignored the user:
Oct 19 08:54:19 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.schema ExtSchema: NSS ignoring user 'spankki'
finduserbyADname nevertheless still proceeded with the AD lookup:
Oct 19 08:54:19 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.adagent findObject ADNames: spankki name: spankki type=SAM domain=FIN.HQ.SGR
The db2diag.log excerpt below shows the plug-in validating the password against both AD and the local user database:
===
2015-10-19-08.54.19.862362+180 I435490A532 LEVEL: Info
PID : 15401214 TID : 14909 PROC : db2sysc 0
INSTANCE: db2rbot1 NODE : 000 DB : DBOAT1
APPHDL : 0-22982
HOSTNAME: t9072011n1
EDUID : 14909 EDUNAME: db2agent (DBOAT1) 0
FUNCTION: DB2 UDB, bsu security, sqlexLogPluginMessage, probe:20
DATA #1 : String with size, 130 bytes
File: userpass_cdc.c, Line: 124, centrifydc_db2userpass: Could not validate the password for user: spankki using Active Directory.
2015-10-19-08.54.20.400703+180 I436513A518 LEVEL: Info
PID : 15401214 TID : 14909 PROC : db2sysc 0
INSTANCE: db2rbot1 NODE : 000 DB : DBOAT1
APPHDL : 0-22982
HOSTNAME: t9072011n1
EDUID : 14909 EDUNAME: db2agent (DBOAT1) 0
FUNCTION: DB2 UDB, bsu security, sqlexLogPluginMessage, probe:20
DATA #1 : String with size, 116 bytes
File: userpass_cdc.c, Line: 215, centrifydc_db2userpass: Validate the password for local user: spankki successfully.
===
Question: The user has been put into the user.ignore list; how can the user be skipped from the AD check?
Answer: The DB2 plug-in checks the user.ignore list when the following parameter is set:
db2.implement.pam.ignore.users: true
If that does not work, set the following as a last resort:
nss.user.ignore.all: True
(Once the parameters are set, make sure the DB2 instance is restarted.)
After adding "nss.user.ignore.all: true", the user is skipped from the AD check:
=== centrifydc.log ===
Oct 20 11:30:56 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.schema ExtSchema: NSS ignoring user 'spankki'
Oct 20 11:30:56 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.objecthelper.user findUserByADName: spankki ignored
===
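As an added example (not from the Centrify article), the following POSIX shell script classifies adclient debug lines like those above to tell whether the ignore setting actually took effect for a user, and checks that the two parameters from the answer are set. The log and configuration samples are constructed from the excerpts on this page; that the parameters live in centrifydc.conf is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Centrify KB article. Sample log and config
# content below are constructed to mirror the article's excerpts.

# ignore_status USER LOGFILE -> prints one of:
#   ignored   : findUserByADName reported the user ignored (setting effective)
#   ad-lookup : NSS ignored the user, yet adagent still resolved it in AD
#               (the behaviour the article describes before the fix)
#   no-attempt: neither line present for this user
ignore_status() {
    user=$1; log=$2
    if grep -qF -- "findUserByADName: $user ignored" "$log"; then
        echo ignored
    elif grep -qF -- "findObject ADNames: $user " "$log"; then
        echo ad-lookup
    else
        echo no-attempt
    fi
}

# conf_is_true KEY CONFFILE -> exit 0 if KEY is set to true/True in CONFFILE
# (uncommented lines only; dots in KEY are escaped so they match literally)
conf_is_true() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -iE "^[[:space:]]*$key[[:space:]]*:[[:space:]]*true[[:space:]]*$" "$2" >/dev/null
}

# Constructed samples (hostname, PID and user taken from the article's excerpts).
BEFORE_LOG=$(mktemp); AFTER_LOG=$(mktemp); CONF=$(mktemp)
trap 'rm -f "$BEFORE_LOG" "$AFTER_LOG" "$CONF"' EXIT
cat >"$BEFORE_LOG" <<'EOF'
Oct 19 08:54:19 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.schema ExtSchema: NSS ignoring user 'spankki'
Oct 19 08:54:19 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.adagent findObject ADNames: spankki name: spankki type=SAM domain=FIN.HQ.SGR
EOF
cat >"$AFTER_LOG" <<'EOF'
Oct 20 11:30:56 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.schema ExtSchema: NSS ignoring user 'spankki'
Oct 20 11:30:56 t9072011n1 auth|security:debug adclient[10944528]: DEBUG <fd:20 CAPIAuthValidatePlainTextUser > base.objecthelper.user findUserByADName: spankki ignored
EOF
cat >"$CONF" <<'EOF'
# constructed centrifydc.conf fragment (assumed location of these parameters)
db2.implement.pam.ignore.users: true
nss.user.ignore.all: True
EOF

echo "before fix: $(ignore_status spankki "$BEFORE_LOG")"   # ad-lookup
echo "after fix:  $(ignore_status spankki "$AFTER_LOG")"    # ignored
for k in db2.implement.pam.ignore.users nss.user.ignore.all; do
    conf_is_true "$k" "$CONF" && echo "$k is set" || echo "$k is NOT set"
done
```

Run it against the real centrifydc.log and centrifydc.conf by replacing the constructed sample paths; "ad-lookup" after the restart means the ignore setting is still not honoured.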