Re: Problem with Windows domain users



Martin,

I just posted a blog entry with what I believe to be a summary of the known problems with IDS in Windows domain configurations:
http://www.ibm.com/developerworks/blogs/page/gbowerman?entry=ids_problems_with_windows_domains

As of IDS 10.00.TC6 the situation was not good and I'm sorry for the problems you, Rotor and others were having. All the known problems with Windows domains have now been fixed. QA testing of IDS in various Windows domain scenarios was woefully insufficient - as a result of these problems it has been significantly increased.

Regards
Guy

----- Original Message ----
From: Martin Graney <mgraney@xxxxxxx>
To: Guy Bowerman <gbowerman@xxxxxxxxx>; informix-list@xxxxxxxx; rotor <rotor@xxxxxxxxxxxx>; bozon <curtis@xxxxxxxxxxxx>
Sent: Monday, March 17, 2008 8:18:47 AM
Subject: RE: Problem with Windows domain users

Dear Guy/rotor/bozon/et al:

I found your entry while I was searching on another issue. I had meant to
bring this to the attention of IBM technical support some time ago. Has
there been any resolution of this issue?

My company resells Informix on a Windows platform as the backend to a
Police/Fire/EMS Computer Aided Dispatch (CAD) system. As we normally do not
have access to the customers' Windows Domain Admin our applications are
installed on a standalone server (So normally an IDS Windows domain install
is not an option). We rely on IDS passing authentication through the
Windows OS.

As of IDS 10.0 TC6 Windows pass-thru authentication is broken (10.0TC5 and
below are OK). I had found a reference on the IBM IDS tech support site
referencing an issue with dbaccess (I am looking for the reference now).
When this fix was implemented it broke the Windows pass-thru authentication.


If you are looking to run a standalone IDS server and use Windows
pass-through authentication use IDS 10.0TC5 or below. I have tested IDS
10.0TC6, 10.0TC7, 11.0TC2 and found the Windows pass-through authentication
to be a problem. I assume IDS 10.0TC8 and IDS 11.0TC1 exhibit similar
behavior.

Please let me know if you have gotten a response on this problem from IBM.
I will forward the IBM tech support article to you when I find it again.


Best regards,
Martin M. Graney
Network Manager
Queues Enforth Development, Inc.
14 Summer Street
2nd Floor
Malden, MA 01248
w: 781-870-1131
mgraney@xxxxxxx

-----Original Message-----
From: informix-list-bounces@xxxxxxxx [mailto:informix-list-bounces@xxxxxxxx]
On Behalf Of Guy Bowerman
Sent: Wednesday, January 30, 2008 12:13 PM
To: informix-list@xxxxxxxx
Subject: Re: Problem with Windows domain users

If it is your support case you have the option to raise the priority of
the case at any time, and doing this would probably get you quicker and
more effective results than pasting emails from tech support out of
context to this alias.

Make sure you have supplied support with the details they need such as
the functional domain level, canonical domain name etc. and make sure
they know the priority of this case.

> If you all know IBM's support is very bad in comparing with
> Informix.

I didn't understand this sentence but I think I disagree.

Guy

rotor wrote:
> There should be no difference in authentication behaviour between
> 7 and 10.0.
Unfortunately the difference exists. I have 3 clear instances on my
computer installed locally - 7th, 9th and 10th. First two give me
connect as domain user (using short name without domain and
backslash), but third one - not. Try yourself - it is very simple to
reproduce...

> Does it make any difference at all if you start the IDS service as
> the localsystem user instead of the informix user?
No difference.

> Failing this I suggest you log a support call.
If you all know IBM's support is very bad in comparing with
Informix. I can quote to you two answers from support.


First one:

I am writing to inform you that I have been assigned the PMR you
logged earlier regarding getting error 951 after migration.
I am currently researching the issue but to help investigate the
problem further please can you tell me:-
1) How did you migrate from version 7 to 10?
2) Did you run oncheck -cDI and -cc after migrating? If so, did they
report any errors?
3) Check the owner of oninit in directory \INFORMIXDIR/bin. It
should be root and not Informix.
4) Possible other cause maybe the password expiry. Expiration is
checked in function __osgetpwnam() by a system call passwdexpired():
so reset that if it has expired and that should resolve it.
5) Also check with the OS system administrator for any trust or
password errors or warnings.


And the second (a week! later):

Yes good point, I don't know why I was thinking about UNIX.
I have researched further and here are my findings:
The following situations can cause error -951:
* Informix user account was deleted and recreated
* Windows server membership has changed from domain to workgroup
* Windows server membership has changed from workgroup to domain
* Change in domain default policy for informix domain user
* User 'informix' is not a member of administrator group at the
server
* Check the service started using the local informix account and
password.
* Are you using role separation?
* Can connect locally on this box? Verify that /etc/hosts.equiv
and /hosts file contain information about each of the windows
machines
* It may be necessary to remove the IDS registry entries and
remove and recreate the user informix and group Informix-Admin.
The following is a list of steps that you can use to resolve -951
errors for Informix users in your environment.
1 - Connection attempts fail with error -951 when Informix Dynamic
Server is installed in a Windows domain and the domain controller
name is greater than 13 characters. If the Domain Install option is
selected when installing (IDS), and the Primary Domain
Controller's machine name is greater than 13 characters in length,
attempts to connect to the database server fail with error -951.
2 - Run the following:
    d:/informix/astools/addrights informix
to add the following rights to the user:
    Adds the following user rights to the local account specified:
        SeTcbPrivilege
        SeServiceLogonRight
        SeIncreaseQuotaPrivilege
        SeAssignPrimaryTokenPrivilege
    Note: This could also be accomplished by reinstalling the
    engine. Suggest increasing quota
3 - Ensure that the Local and Effective Settings are correct on the
box running IDS. Under the Control Panel -> Administrative Tools ->
Local Security Settings - make sure that the local Informix user, or
the group Informix-Admin is added to both the Local and Effective
Settings.
Policy
    - Access this computer from the network
    - Act as part of the operating system
    - Increase quotas
    - Log on as a batch job
    - Log on as a service
    - Log on locally
    - Replace a process level token
4 - Log into the Domain Controller and use the 'User Rights for
Domains' tool to add the user Informix, or the group Informix-Admin
to the 'Access this computer from the network' policy.
5 - Bounce the local server to have these changes take effect and
verify security policies.
Also create the user informix in the domain controller and make user
informix a member of the Global Domain Admin group. Then log in as
domain_name\informix from individual computers to enable domain
installation.
Choose the Domain install option when prompted by the installation
wizard when you run the installation program.
Hope that helps.


What do you think, is it good help from support for about a million
dollars a year?

_______________________________________________
Informix-list mailing list
Informix-list@xxxxxxxx
http://www.iiug.org/mailman/listinfo/informix-list
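
Added example, not part of the original thread and not IBM or Informix tooling: a small Python audit that reads the text of a `secedit /export /cfg <file> /areas USER_RIGHTS` dump and reports which of the seven user rights listed in steps 2 and 3 of the quoted support reply are actually held by the `informix` account or the `Informix-Admin` group. The sample export is constructed; if the export lists the account as a `*S-1-5-21-...` SID instead of a name, pass that SID as a principal.

```python
# Added example: user rights from steps 2 and 3 of the quoted support reply,
# keyed by the constant name used in a secedit export.
REQUIRED = {
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeIncreaseQuotaPrivilege": "Increase quotas",
    "SeBatchLogonRight": "Log on as a batch job",
    "SeServiceLogonRight": "Log on as a service",
    "SeInteractiveLogonRight": "Log on locally",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}

# Constructed sample export (not from the thread). secedit writes SIDs with a
# leading '*' and account names as plain text.
SAMPLE_EXPORT = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,Informix-Admin
SeTcbPrivilege = informix
SeServiceLogonRight = *S-1-5-80-0,informix
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,informix
SeInteractiveLogonRight = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {right: set of lowercased holders} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {h.strip().lower() for h in holders.split(",") if h.strip()}
    return rights

def audit(text, principals=("informix", "informix-admin")):
    """Split the seven rights into (granted, missing) for the given principals."""
    rights = parse_privilege_rights(text)
    wanted = {p.lower() for p in principals}
    granted = sorted(r for r in REQUIRED if rights.get(r, set()) & wanted)
    missing = sorted(r for r in REQUIRED if r not in granted)
    return granted, missing

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

secedit normally writes the export as UTF-16, so decode the file accordingly before passing its text to `audit`.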





