DB2 and Transparent LDAP in DB2 DPF - Misleading Error SQL30082N - Db2talk

The document summarizes troubleshooting an authentication issue when connecting to a DB2 DPF database from Datastage. The error SQL30082N was occurring when connecting to data nodes but not the coordinator node. It was found that the /etc/pam.d/db2 file, which configures PAM authentication for DB2, was only on the coordinator node and not the data nodes. Copying this file to the data nodes resolved the issue. PAM authentication works by first trying LDAP, then local authentication if LDAP fails, using the same password for both.

Uploaded by

prakash_6849
db2talk

DB2 Linux, Unix and Windows Administration and Development
OCTOBER 13, 2014 BY PAVAN KRISTIPATI

DB2 and Transparent LDAP in DB2 DPF - Misleading error SQL30082N

In this blog post, I will quickly cover my recent experience in troubleshooting a DB2/LDAP authentication problem in a DB2 DPF database.

Problem:
In a DB2 (9.7 Fix Pack 7) DPF data warehouse database, a connection attempt by Datastage to any node other than the coordinator node was failing. Connection attempt to coordinator node succeeds. The same user id and password were being used in both the attempts.

Background:

I was working on a proof of concept that would allow ETL (DataStage) jobs to directly connect to the data nodes to allow parallel loads (directly into each partition) into a data warehouse database. User ID used by Datastage was system level id (non-LDAP). The user id was created on all the data nodes and coordinator node. The test ETL job was aborting with a familiar error message. All evidence indicated that this could be a password problem.

Approach to solution:
For the test ETL job, user id and password were saved and were supplied as parameter(s). That eliminated the chance of different password (incorrect one) being used to connect to data nodes.
I tried to isolate the problem to a specific user id. However, I found that ETL jobs failed even when instance owner's credentials were used. To remove Datastage from the equation, I did an explicit connection to DB2 as Instance owner from the command prompt on one of the data nodes. To my surprise, this failed! To me, this indicated a bigger problem. However, an implicit connection was successful.

db2inst1@hostdata01:~> id
uid=608(db2inst1) gid=608(bcuigrp) groups=608(bcuigrp)

db2inst1@hostdata01:~> db2 connect to edwdv     <<<< Successful Implicit connection.
Database Connection Information
Database server = DB2/LINUXX8664 9.7.7
SQL authorization ID = DB2INST1
Local database alias = EDWDV

Here was the error message when an explicit connection attempt was made.

$ db2 connect to edwdv user db2inst1     <<<<< This works just fine on the coordinator node.
Enter current password for db2inst1:
SQL30082N Security processing failed with reason "24" ("USERNAME AND/OR PASSWORD INVALID"). SQLSTATE=08001

Messages in db2diag.log
db2diag.log had a message that indicated password problem.

Password validation for user db2inst1 failed with rc=2146500507

Preliminary checks
1) The user ID was not locked.
2) The password that was being supplied was the right one.
3) There was no recent fixpack that was applied that could have messed up things.
4) Instance owner's passwordless ssh between DPF nodes was working just fine. (This is actually a prerequisite in DB2 DPF).
5) db2set parameter for DB2 and transparent LDAP authentication (DB2AUTH=OSAUTHDB) was set on all the nodes.

Errors in /var/log/messages file
I noticed that an error message was being written to /var/log/messages file (this was SUSE Linux) every time an explicit connection attempt was made.

Oct 7 10:28:39 hostdata01 db2ckpwd5[2871]: pam_warn(db2:auth): function=[pam_sm_authenticate] service=[d

The key words for me were pam_warn, db2:auth, pam_sm_authenticate. Google search led me to Ember Crooks' blog post on DB2 and Transparent LDAP (http://db2commerce.com/2011/02/28/db2andtransparentldap/). That is where I read about the file /etc/pam.d/db2.
To my surprise, I found this file only on the coordinator node.

db2inst1@hostadm01:/etc/pam.d> ls -ltr /etc/pam.d/db2     <<<< This is on the coordinator node
-rw-r--r-- 1 root root 383 2014-10-08 16:15 db2

db2inst1@hostdata01:/etc/pam.d> ls -ltr /etc/pam.d/db2     <<<< This is on the data1 node
/bin/ls: /etc/pam.d/db2: No such file or directory

db2inst1@hostdata02:/etc/pam.d> ls -ltr /etc/pam.d/db2     <<<< This is on the data2 node
/bin/ls: /etc/pam.d/db2: No such file or directory

db2inst1@hostdata03:/etc/pam.d> ls -ltr /etc/pam.d/db2     <<<< This is on the data3 node
/bin/ls: /etc/pam.d/db2: No such file or directory

The problem was that DB2 expected the file /etc/pam.d/db2 to be on all the nodes in the DPF database. However, this file was only on the coordinator node. The error message SQL30082N was misleading. It indicated that the problem could be with the user id's credentials.

Solution:
After the /etc/pam.d/db2 file was copied onto the data nodes, explicit connection attempt worked as expected. No instance restart was required. This experience is a reminder that each node in a DPF database needs to be configured exactly the same way. Minor differences might hide the problems for some time but it is only a matter of time that problems surface.

Contents of /etc/pam.d/db2 file
Below was how our /etc/pam.d/db2 file looked like. I am not a PAM (Programmable Access Module) expert. However, after some research, I now understand that the authentication process (for DB2) is top down as outlined in the file /etc/pam.d/db2.

# The PAM configuration file for DB2
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_unix2.so
account  sufficient pam_ldap.so
account  required   pam_unix2.so
password required   pam_pwcheck.so
password sufficient pam_ldap.so use_first_pass
password required   pam_unix2.so use_authtok use_first_pass
session  required   pam_unix2.so

PAM is flexible and it supports both local and LDAP users. The above PAM configuration supports system user ids via pam_unix2.so and LDAP users via pam_ldap.so.

pam_ldap.so: As this is in the 1st line, DB2 first tries to authenticate via LDAP. If authentication succeeds, the process exits (with a success) dictated by keyword sufficient (as in necessary and sufficient condition).

pam_unix2.so: If the user id is NOT found in LDAP or if LDAP authentication fails, DB2 then relies on operating system (LINUX in this case) to authenticate the user. use_first_pass in the 1st line passes on the password to 2nd authentication attempt. User is not prompted for the password for the second time. This authentication step is a required one. If authentication fails in this step, an error is returned to the user.
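
Why a valid password is rejected on a node without /etc/pam.d/db2, as an added example that is not part of the original post: a simplified Python model of how Linux-PAM walks the auth stack. It uses the auth lines of the file shown above and assumes the Linux-PAM fallback to a deny-by-default /etc/pam.d/other (pam_warn.so plus pam_deny.so, constructed here and consistent with the pam_warn entry in /var/log/messages); the module outcomes are hypothetical.

```python
# Added example: simplified model of Linux-PAM "auth" stack evaluation.
# Constructed input: auth lines of the /etc/pam.d/db2 file shown in the post.
DB2_SERVICE = """\
# The PAM configuration file for DB2
auth sufficient pam_ldap.so use_first_pass
auth required   pam_unix2.so
"""
# Assumption (not from the post): a deny-by-default /etc/pam.d/other.
OTHER_SERVICE = """\
auth required pam_warn.so
auth required pam_deny.so
"""
COORDINATOR = {"db2": DB2_SERVICE, "other": OTHER_SERVICE}
DATA_NODE = {"other": OTHER_SERVICE}  # /etc/pam.d/db2 is missing here

# Hypothetical module outcomes for a local (non-LDAP) user with a valid password.
LOCAL_USER = {"pam_ldap.so": "fail", "pam_unix2.so": "success",
              "pam_warn.so": "ignore", "pam_deny.so": "fail"}


def parse_auth(text):
    """Return [(control, module)] for the auth lines of a service file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def authenticate(node_files, service, outcomes):
    """Walk the stack top-down; return (allowed, modules consulted)."""
    # Linux-PAM uses the "other" service when the service has no file.
    text = node_files.get(service, node_files["other"])
    required_failed, any_success, consulted = False, False, []
    for control, module in parse_auth(text):
        consulted.append(module)
        outcome = outcomes.get(module, "fail")
        if outcome == "success":
            any_success = True
            if control == "sufficient" and not required_failed:
                return True, consulted  # stop early, later modules skipped
        elif outcome == "fail":
            if control == "requisite":
                return False, consulted
            required_failed = required_failed or control == "required"
    return any_success and not required_failed, consulted


if __name__ == "__main__":
    for name, files in (("coordinator", COORDINATOR), ("data node", DATA_NODE)):
        print(name, authenticate(files, "db2", LOCAL_USER))
```

On the data node the password is never checked by pam_unix2.so at all, which is why the "USERNAME AND/OR PASSWORD INVALID" reason points away from the real cause.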

Hope this helps. I would appreciate anyone sharing your experiences with PAM in AIX or LINUX.

One thought on "DB2 and Transparent LDAP in DB2 DPF - Misleading error SQL30082N"

bhardwajn | March 19, 2015 at 8:35 pm
Reblogged this on AgentDB2 and commented:
This article is for anyone looking to resolve datastage issues with DB2 DPF.
