SYSADM, authentication 

Hi,

can anyone explain/comment on following sequence of commands issued in
CLP. My questions are at the bottom.

my environment:
- fresh installation of DB2 v7.1 on W2000
- following commands I issued as domain user DADAM, which belongs to
the local (not domain) group of Administrators

D:\PROGRA~1\SQLLIB\BIN>db2stop                     (1)
SQL1064N  DB2STOP processing was successful.

D:\PROGRA~1\SQLLIB\BIN>db2start                    (2)
SQL1063N  DB2START processing was successful.

D:\PROGRA~1\SQLLIB\BIN>db2set DB2_GRP_LOOKUP=      (3)

D:\PROGRA~1\SQLLIB\BIN>db2stop                     (4)
SQL1092N  "DADAM" does not have the authority to perform the requested
command.

D:\PROGRA~1\SQLLIB\BIN>db2 update dbm cfg using sysadm_group ' '   (5)
DB20000I  The UPDATE DATABASE MANAGER CONFIGURATION command completed
successfully.
DB21025I  Client changes will not be effective until the next time the
application is started or the TERMINATE command has been issued.  Server
changes will not be effective until the next DB2START command.

D:\PROGRA~1\SQLLIB\BIN>db2set DB2_GRP_LOOKUP=local   (6)

D:\PROGRA~1\SQLLIB\BIN>db2stop                       (7)
SQL1064N  DB2STOP processing was successful.

D:\PROGRA~1\SQLLIB\BIN>db2start                      (8)
SQL1063N  DB2START processing was successful.

D:\PROGRA~1\SQLLIB\BIN>db2 create db d1              (9)
SQL1092N  "DADAM" does not have the authority to perform the requested
command.

Q1: Why is it possible, that a user can issue db2 update dbm cfg (5),
but cannot db2start/db2stop (4) ? According to db2 manuals, START DBM
command requires one of sysadm,sysctrl,sysmaint, while update dbm cfg
requires sysadm.

Q2: How come a user can issue db2start/db2stop (7,8), but cannot issue
create db (9) ? Manual says user need to be one of sysadm,sysctrl to
create a database.

Q3: What is a default value for variable DB2_GRP_LOOKUP ? Manual says:
Default=null           Values: LOCAL, DOMAIN
, but that does not say whether "null" means "local" or "domain".

Thanks for any hints

--
Daniel Adam




Tue, 29 Apr 2003 03:00:00 GMT

Daniel,
The answer for your Q 3 is, DB2 enumerates the user group wherever the
user name is found if DB2_GRP_LOOKUP is null. DB2_GRP_LOOKUP is set to
force group enumeration at the desired location, i.e. LOCAL or DOMAIN.

Hope this helps.



Quote:
> Hi,

> can anyone explain/comment on following sequence of commands issued in
> CLP. My questions are at the bottom.

> my environment:
> - fresh installation of DB2 v7.1 on W2000
> - following commands I issued as domain user DADAM, which belongs to
> the local (not domain) group of Administrators

> D:\PROGRA~1\SQLLIB\BIN>db2stop                     (1)
> SQL1064N  DB2STOP processing was successful.

> D:\PROGRA~1\SQLLIB\BIN>db2start                    (2)
> SQL1063N  DB2START processing was successful.

> D:\PROGRA~1\SQLLIB\BIN>db2set DB2_GRP_LOOKUP=      (3)

> D:\PROGRA~1\SQLLIB\BIN>db2stop                     (4)
> SQL1092N  "DADAM" does not have the authority to perform the requested
> command.

> D:\PROGRA~1\SQLLIB\BIN>db2 update dbm cfg using sysadm_group ' '   (5)
> DB20000I  The UPDATE DATABASE MANAGER CONFIGURATION command completed
> successfully.
> DB21025I  Client changes will not be effective until the next time the
> application is started or the TERMINATE command has been issued.  Server
> changes will not be effective until the next DB2START command.

> D:\PROGRA~1\SQLLIB\BIN>db2set DB2_GRP_LOOKUP=local   (6)

> D:\PROGRA~1\SQLLIB\BIN>db2stop                       (7)
> SQL1064N  DB2STOP processing was successful.

> D:\PROGRA~1\SQLLIB\BIN>db2start                      (8)
> SQL1063N  DB2START processing was successful.

> D:\PROGRA~1\SQLLIB\BIN>db2 create db d1              (9)
> SQL1092N  "DADAM" does not have the authority to perform the requested
> command.

> Q1: Why is it possible, that a user can issue db2 update dbm cfg (5),
> but cannot db2start/db2stop (4) ? According to db2 manuals, START DBM
> command requires one of sysadm,sysctrl,sysmaint, while update dbm cfg
> requires sysadm.

> Q2: How come a user can issue db2start/db2stop (7,8), but cannot issue
> create db (9) ? Manual says user need to be one of sysadm,sysctrl to
> create a database.

> Q3: What is a default value for variable DB2_GRP_LOOKUP ? Manual says:
> Default=null           Values: LOCAL, DOMAIN
> , but that does not say whether "null" means "local" or "domain".

> Thanks for any hints

> --
> Daniel Adam


--
Cheers,
Sathyaram S




Tue, 29 Apr 2003 03:00:00 GMT
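
Added example (not part of any post in this thread and not DB2 code): a simplified Python model of the lookup behaviour described in the reply above, showing why a domain account that is only in the local Administrators group can lose or gain SYSADM depending on DB2_GRP_LOOKUP. The group tables are constructed from the setup in the original post, and the rule that an empty sysadm_group falls back to Administrators is an assumption of the model.

```python
# Simplified model, not DB2 code: where group enumeration happens decides
# whether a domain account's membership in a *local* group is seen.

# Constructed sample directories, based on the setup in the original post.
LOCAL_GROUPS = {"DADAM": {"Administrators"}}   # local SAM on the DB2 server
DOMAIN_GROUPS = {"DADAM": {"Domain Users"}}    # domain controller
ACCOUNT_HOME = {"DADAM": "DOMAIN"}             # where the account is defined

# Assumption: with an empty sysadm_group, SYSADM falls to Administrators.
DEFAULT_SYSADM_GROUP = "Administrators"


def enumerate_groups(user, grp_lookup):
    """Return the groups visible for `user` under a DB2_GRP_LOOKUP value.

    grp_lookup: None or "" (unset), "LOCAL" or "DOMAIN" (case-insensitive).
    """
    setting = (grp_lookup or "").strip().upper()
    if setting not in ("", "LOCAL", "DOMAIN"):
        raise ValueError(f"unsupported DB2_GRP_LOOKUP value: {grp_lookup!r}")
    # Unset: enumerate wherever the account itself is found.
    location = setting or ACCOUNT_HOME.get(user, "LOCAL")
    source = LOCAL_GROUPS if location == "LOCAL" else DOMAIN_GROUPS
    return set(source.get(user, set()))


def has_sysadm(user, grp_lookup, sysadm_group=""):
    """True if the enumerated groups include the effective SYSADM group."""
    group = sysadm_group.strip() or DEFAULT_SYSADM_GROUP
    return group in enumerate_groups(user, grp_lookup)


def audit(user, sysadm_group=""):
    """Map each lookup setting to whether `user` would hold SYSADM."""
    return {s or "(unset)": has_sysadm(user, s, sysadm_group)
            for s in ("", "LOCAL", "DOMAIN")}


if __name__ == "__main__":
    for setting, ok in audit("DADAM").items():
        result = "yes" if ok else "no (SQL1092N)"
        print(f"DB2_GRP_LOOKUP={setting:8} SYSADM={result}")
```

In this model only DB2_GRP_LOOKUP=LOCAL grants SYSADM to DADAM, which matches the outcomes of steps (4) and (7) in the transcript; it does not account for steps (5) or (9).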


Quote:
> Q2: How come a user can issue db2start/db2stop (7,8), but cannot issue
> create db (9) ? Manual says user need to be one of sysadm,sysctrl to
> create a database.

Answer to this seems to be fixpack 1. Should've checked that first,
sorry.

--
Daniel Adam




Tue, 29 Apr 2003 03:00:00 GMT
 