Hi,

Fine IBM-ese speak, but no, there is no local account with the same name as my 
domain UserId account.

So, if I read it correctly, if I create a local account 'rlacroix' that matches 
my domain UserId account ('[EMAIL PROTECTED]') and put it in the mqm group, it 
should work??

Am I interpreting it correctly?


Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz


On Thu, 13 Sep 2007 18:40:14 -0400, T-Rob <[EMAIL PROTECTED]> wrote:
> Wow Roger, rough day indeed!  I have a few things that might help, however
> I almost always perform a silent install with a domain-controlled service
> account instead of local so I have little direct experience here.
> 
> Is this scenario happening?  (From the v6 System Admin guide...)
> The OAM first checks the local security database, then the database of the
> primary domain, and finally the database of any trusted domains. The first
> user ID encountered is used by the OAM for checking. Each of these user
> IDs might have different group memberships on a particular computer. Some
> control commands (for example, crtmqm) change authorities on WebSphere MQ
> objects using the Object Authority Manager (OAM). Because the OAM searches
> the security databases in the order given above to determine the authority
> rights for a given user ID, the authority determined by the OAM might
> override the fact that a user ID is a member of the local mqm group. For
> example, if you issue crtmqm from a user ID authenticated by a domain
> controller that has membership of the local mqm group through a global
> group, the command fails if the system has a local user of the same name
> who is not in the local mqm group.
> 
> And since the server is in a domain, the service account will try to
> search the domain controller/Active Directory whenever it fails to get a
> local hit.  Also, any ID, local or domain,  that will run WMQ or create
> QMgrs needs elevated privileges as follows...
> Logon as a batch job
> Logon as a service
> Shut down the system
> Act as part of the operating system
> Bypass traverse checking
> Replace a process level token
> Increase quotas
> Debug programs
> Read Group Membership
> Read Group Membership SAM
> 
> These are NOT guaranteed to local administrators since they reside in the
> Active Directory or domain that the server account belongs to, not the
> user's account.
> 
> HTH -- T.Rob
> 
> 
> 
> MQSeries List <[email protected]> wrote on 09/13/2007
> 06:07:43 PM:
> 
>> All,
>>
>> Well, today's been a bad MQ day.  It started off with such promise
>> then went straight into the gutter.
>>
>> Help... Please help.
>>
>> This morning I decided to upgrade MQ on a PC at a client site from
>> WMQ v5.3 CSD13 to WMQ v6.  Since I had 3 queue managers that I
>> wanted to keep, I thought the simplest and easiest thing to do is to
>> uninstall WMQ v5.3 then install WMQ v6.  Of course, since I have
>> installed WMQ v6 at least 20 times, it never even occurred to me to
>> take a backup first (and of course, Murphy bit me right in the @ss).
>>
>> So I did the following:
>> - Uninstalling WMQ v5.3
>> - rebooted
>> - Installed WMQ v6 and selected local account (not domain)
>> - reboot
>> - Started MQ Explorer
>> - Created a test queue manager and as it is trying to define a
>> listener, I get 2035 (not authorized).
>> - I checked via runmqsc and sure enough 2035.
>> - Stopped and deleted the test queue manager.
>> - I stop the MQ Services
>> - I check that my account is in the mqm group and it is (it is in
>> the Admin group too).
>> - I start 'Prepare WebSphere MQ Wizard' and it complains about MQ
>> not having authority to 'query information about your user account'.
>> It wants a domain account for MQ.  I go 'say what'.
>>
>> Figuring I messed something up in the install, I decide to uninstall
>> everything and start again.  I did and it makes absolutely no
>> difference.
>>
>> The event viewer has a bunch of the following messages:
>>
>> "Access was denied when attempting to retrieve group membership
>> information for user '[EMAIL PROTECTED]'.
>> WebSphere MQ, running with the authority of user
>> '[EMAIL PROTECTED]', was unable to retrieve group membership
>> information for the specified user.
>> Ensure Active Directory access permissions allow user
>> '[EMAIL PROTECTED]' to read group memberships for user
>> '[EMAIL PROTECTED]'. To retrieve group membership information
>> for a domain user, MQ must run with the authority of a domain user."
>>
>> So, I figured I must have a old setting that is conflicting with WMQ
>> v6.  So, uninstall WMQ v6, delete everything under
>> {WMQ_Install_Dir}, go delete the 'mqm' group and 'MUSR_MQADMIN'
>> service account.  I even made sure the registry was clean.
>>
>> Next I shut the PC off, unplug the network cable, started it up
>> again and logged in as 'Administrator'.
>>
>> I did the following:
>> - Installed WMQ v6 and selected local account (not domain)
>> - reboot
>> - Started MQ Explorer
>> - Created a test queue manager and it worked perfectly
>> - Stopped and deleted the test queue manager
>>
>> Turned off the PC, plugged in the network cable, started it and
>> logged in with my domain account.  I immediately added my domain
>> account to the local mqm group.
>>
>> I did the following:
>> - Started MQ Explorer
>> - Created a test queue manager and as it is trying to define a
>> listener, I get 2035 (not authorized).
>>
>> Ahhhhhhhhhhhhh and screamed at the moon.
>>
>> Logged off as domain user and logged in as 'Administrator' and
>> everything works.
>>
>> I even applied v6.0.2.2 (logged in as Administrator) and I still get
>> the problem when I log in with my domain account.
>>
>> Interesting item:
>>
>> - Under local 'Administrator' account if I start 'Prepare WebSphere
>> MQ Wizard' it says local setup (No network)
>>
>> - Under my domain UserId account if I start 'Prepare WebSphere MQ
>> Wizard' and it complains about MQ not having authority to 'query
>> information about your user account'.  It wants a domain account for MQ.
>>
>>
>> Why is MQ insisting on checking my domain UserId against the domain
>> when I installed / configured MQ as a local setup?  It never did
>> this under WMQ v5.3.
>>
>> How can I force it to only look locally?  (My domain account is in
>> the local mqm group.)
>>
>> I've wasted a whole day on this when it should have been 30 minutes.
>> And now I don't even have a working MQ environment on my PC (under
>> domain UserId that is).
>>
>> Help! Anyone please.
>>
>>
>> Regards,
>> Roger Lacroix
>> Capitalware Inc.
>> http://www.capitalware.biz
> 
> To unsubscribe, write to [EMAIL PROTECTED] and,
> in the message body (not the subject), write: SIGNOFF MQSERIES
> Instructions for managing your mailing list subscription are provided in
> the Listserv General Users Guide available at http://www.lsoft.com
> Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html


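The guide passage T-Rob quotes describes a lookup order (local security database, then the primary domain, then trusted domains) in which the first user ID found decides the group memberships the OAM checks, so a local account that merely shares a name with a domain account can shadow it. The following is an added model of that search order, written for this thread and not code from IBM or from anyone on the list; the machine name PC1, the domain CORP, the trusted domain PARTNER and the global group "MQ Admins" are constructed, and the model encodes only what the quoted passage states: the first principal found in that order, and only that principal's memberships, determine whether it is in the local mqm group. It reproduces the documented failure (domain user in mqm via a global group, same-named local user not in mqm) and also shows what the model says about Roger's question of adding a same-named local account to mqm; whether that is the right fix on a real system is the open question in the thread, not something the model settles.

```python
# Added model (not IBM code) of the OAM user lookup order quoted from the
# WebSphere MQ v6 System Admin guide: local database, then the primary domain,
# then trusted domains; the first user ID found decides authority.
# All database contents, machine, domain and group names are constructed.

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SecurityDatabase:
    """One account database: its authority name and user id -> group set."""
    name: str
    users: Dict[str, Set[str]] = field(default_factory=dict)


def find_user(user_id: str, local: SecurityDatabase, primary: SecurityDatabase,
              trusted: List[SecurityDatabase]) -> Optional[Tuple[str, Set[str]]]:
    """Search the databases in OAM order and return the first match as
    (qualified principal, that principal's groups), or None if unknown."""
    for db in [local, primary, *trusted]:
        if user_id in db.users:
            return f"{db.name}\\{user_id}", db.users[user_id]
    return None


def has_mqm_authority(user_id: str, local: SecurityDatabase, primary: SecurityDatabase,
                      trusted: List[SecurityDatabase], local_mqm: Set[str]) -> bool:
    """True if the principal the OAM resolves user_id to is a member of the
    local mqm group, either listed directly or through one of its groups
    (for a domain user, a global group placed in local mqm)."""
    found = find_user(user_id, local, primary, trusted)
    if found is None:
        return False
    principal, groups = found
    return principal in local_mqm or any(g in local_mqm for g in groups)


def explain(user_id: str, local: SecurityDatabase, primary: SecurityDatabase,
            trusted: List[SecurityDatabase], local_mqm: Set[str]) -> str:
    """Diagnostic line: which principal was found first, whom it shadows,
    and the outcome a queue manager command would see."""
    hits = [f"{db.name}\\{user_id}" for db in [local, primary, *trusted]
            if user_id in db.users]
    ok = has_mqm_authority(user_id, local, primary, trusted, local_mqm)
    verdict = "authorized" if ok else "2035 not authorized"
    if len(hits) > 1:
        return f"{hits[0]} found first, shadows {', '.join(hits[1:])}: {verdict}"
    return f"{hits[0] if hits else 'no such user'}: {verdict}"


def build(shadow: Optional[bool]):
    """Constructed setup: CORP\\rlacroix is in the global group CORP\\MQ Admins,
    which is in the local mqm group.  shadow=None: no local account of that
    name; False: a same-named local account outside mqm; True: a same-named
    local account that is itself in mqm."""
    corp = SecurityDatabase("CORP", {"rlacroix": {"CORP\\Domain Users", "CORP\\MQ Admins"}})
    partner = SecurityDatabase("PARTNER", {})
    local = SecurityDatabase("PC1", {"Administrator": {"PC1\\Administrators"}})
    local_mqm = {"PC1\\MUSR_MQADMIN", "PC1\\Administrator", "CORP\\MQ Admins"}
    if shadow is not None:
        local.users["rlacroix"] = {"PC1\\Users"}
        if shadow:
            local_mqm.add("PC1\\rlacroix")
    return "rlacroix", local, corp, [partner], local_mqm


def scenario(shadow: Optional[bool]) -> bool:
    """Outcome of the constructed setup for one shadow setting."""
    return has_mqm_authority(*build(shadow))


if __name__ == "__main__":
    for s in (None, False, True):
        print(explain(*build(s)))
```

The defender's check this suggests is to look, on the MQ server, for local accounts whose names match domain accounts that are expected to administer MQ: the model shows that such a collision flips the authorization result without any change to the domain account's group memberships, and `explain` reports which principal is shadowing which.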