Hi Hubert and Paul,
I agree with your comments if the domain UserId account was not in
the local mqm group.
Both of you are assuming that the local MQ is asking the domain
controller first but the manual says that it makes the request locally first.
i.e.
- Local Windows API call: what groups is the user
'[EMAIL PROTECTED]' in? Windows will return the list which in
my case is the local 'mqm' group.
- Since the UserId is in the local mq group, the mqm group has full
authority and there is no reason to go any further.
Now, either the above is not done under WMQ v6 or IBM added a
secondary call to the domain controller to request what domain groups
the UserId is in.
It is 2 separate Windows API calls to look up local groups of a UserId
and domain groups of a UserId. The manual says that it searches
until it finds a hit. And there is a hit when it queries the local
groups. A hit that has full authority, so what point is there to do a
domain controller call to look up the UserId against the domain groups?
This is a fundamental change in WMQ v6. I don't know if the MQ code
is going straight to the domain controller for the group lookup
(skipping the local lookup) or it is forcibly doing both.
Regards,
Roger Lacroix
Capitalware Inc.
At 04:02 AM 09/14/07, you wrote:
Roger,
I agree with Hubert on this point. You can use a local account for
MQ but it needs the additional privilege to allow it to query domain
membership in Active Directory. I believe that the default for this
was YES with Win2000 and NO for Win2003. I seem to recall the
specific permission is documented in the System Admin guide.
Just on another tangent though, you're not running your QMgr under
VMware are you by any chance? There is a known problem with MQ
looking up domain info when under VMware (under certain conditions).
Cheers,
Paul
-----Original Message-----
From: MQSeries List [mailto:[EMAIL PROTECTED]] On Behalf
Of Hubert Kleinmanns
Sent: 14 September 2007 07:24
To: [email protected]
Subject: Re: WMQ v6 and Windows local install problems
Roger,
I had similar problems in the past. I guess the problem is not that
your domain user does not have enough privileges. I would say your
problem is that the local mqm admin user is not allowed to query
the domain user configurations.
The local mqm admin user must be allowed to ask the domain
controllers about domain users. So maybe when you add the local mqm
admin user to a domain group which allows a query in the domain
user definitions, this mqm admin user would recognize that your
domain user is a member of the local mqm group. And then (hopefully)
the mqm admin user would allow your domain user to access mq resources.
Regards
Hubert
To unsubscribe, write to [EMAIL PROTECTED] and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html