Becoming URGENT password invalid

I was in your exact situation once -- users could login, but couldn't
connect to the database. We were using NIS and we had to "push" the
user IDs to the server - to make it local. If this applies to you,
you may want to give it a shot if it's an option.

Dunno if this works for you, but that's my $0.02.

Keith Ponnapalli
adv_dba at yahoo dot com
IBM Certified Advanced Database Administrator - DB2 UDB V8.1 for Linux,
UNIX, and Windows
INFORMIX Certified Database Administrator

Bob Stearns wrote:

My client is bugging me for a solution to this problem!

I am still getting "Password Invalid" with all new users I define on my
linux box. I have tried all the suggestions made here and they made
exactly no difference. I have server authorization set. I do have
connect authority for the new user. I have all the same groups for the
new user as the one that works. I have tried simpler passwords as well
as the password of a working account. I can login to the server with SSH
using the password I assigned. It fails from the Client and Server
command lines with sql state 08001.

I am at my wits end. What little hair I had is now pulled out. Where do
I go from here? I tried a sniffer trace, but the traffic I'm interested
in is encrypted.

Any help, suggestions, rtfm pointers, etc. will be gratefully accepted.

Keith wrote:

I was in your exact situation once -- users could login, but couldn't
connect to the database. We were using NIS and we had to "push" the
user IDs to the server - to make it local. If this applies to you,
you may want to give it a shot if it's an option.

Dunno if this works for you, but that's my $0.02.

Keith Ponnapalli
adv_dba at yahoo dot com
IBM Certified Advanced Database Administrator - DB2 UDB V8.1 for Linux,
UNIX, and Windows
INFORMIX Certified Database Administrator

Bob Stearns wrote:

My client is bugging me for a solution to this problem!

I am still getting "Password Invalid" with all new users I define on my
linux box. I have tried all the suggestions made here and they made
exactly no difference. I have server authorization set. I do have
connect authority for the new user. I have all the same groups for the
new user as the one that works. I have tried simpler passwords as well
as the password of a working account. I can login to the server with SSH
using the password I assigned. It fails from the Client and Server
command lines with sql state 08001.

I am at my wits end. What little hair I had is now pulled out. Where do
I go from here? I tried a sniffer trace, but the traffic I'm interested
in is encrypted.

Any help, suggestions, rtfm pointers, etc. will be gratefully accepted.

We never have had any NIS on these servers. Thanks for replying,

Bob Stearns wrote:

My client is bugging me for a solution to this problem!

I am still getting "Password Invalid" with all new users I define on my
linux box. I have tried all the suggestions made here and they made
exactly no difference. I have server authorization set. I do have
connect authority for the new user. I have all the same groups for the
new user as the one that works. I have tried simpler passwords as well
as the password of a working account. I can login to the server with SSH
using the password I assigned. It fails from the Client and Server
command lines with sql state 08001.

I am at my wits end. What little hair I had is now pulled out. Where do
I go from here? I tried a sniffer trace, but the traffic I'm interested
in is encrypted.

Any help, suggestions, rtfm pointers, etc. will be gratefully accepted.

Have you set the diaglevel to 4 and then looked at the db2diag output?
There might be something interesting there regarding the connection.
Additionally, collect a trace and see if something happens there.

Have you logged in as one such problematic user at the database server and
changed the password manually? Maybe you are forced to change the password
and ssh somehow ignores that, still logging you on?

Are the users actually allowed to connect from a remote machine?

Maybe the failed-login count is not set to 0 (zero) for some reason? What
is the limit on the failed-login count?

--
Knut Stolze
DB2 Information Integration Development
IBM Germany

Knut Stolze wrote:

Bob Stearns wrote:

My client is bugging me for a solution to this problem!

I am still getting "Password Invalid" with all new users I define on my
linux box. I have tried all the suggestions made here and they made
exactly no difference. I have server authorization set. I do have
connect authority for the new user. I have all the same groups for the
new user as the one that works. I have tried simpler passwords as well
as the password of a working account. I can login to the server with SSH
using the password I assigned. It fails from the Client and Server
command lines with sql state 08001.

I am at my wits end. What little hair I had is now pulled out. Where do
I go from here? I tried a sniffer trace, but the traffic I'm interested
in is encrypted.

Any help, suggestions, rtfm pointers, etc. will be gratefully accepted.

Have you set the diaglevel to 4 and then looked at the db2diag output?
There might be something interesting there regarding the connection.
Additionally, collect a trace and see if something happens there.

Have you logged in as one such problematic user at the database server and
changed the password manually? Maybe you are forced to change the password
and ssh somehow ignores that, still logging you on?

Are the users actually allowed to connect from a remote machine?

Maybe the failed-login count is not set to 0 (zero) for some reason? What
is the limit on the failed-login count?

Thanks for the reply.

Diaglevel 4 gave me exactly one message of relevance:
check password failed with rc = -2146500502
That's FFFFFFFF800F006 A in 64 bit hex, but I wouldn't know where to look
it up. All the other messages at or near the same time had to do with
loading a security plugin.

I thought I had tried it, but I redid the experiment and obtained the
same result.

User is can, new user U00001 can not, even though SSH login works for both.

Where is the failed login count you are speaking of? Is it a linux or
db2 property?

Bob Stearns wrote:

Diaglevel 4 gave me exactly one message of relevance:
check password failed with rc = -2146500502
That's FFFFFFFF800F006 A in 64 bit hex, but I wouldn't know where to look
it up.
This ZRC maps to SQL30082: Security processing failed with reason <whatever>
All the other messages at or near the same time had to do with
loading a security plugin.
DB2 uses so-called "security plugins" for the authentication. So what are
all those other messages? They might be very relevant!
Where is the failed login count you are speaking of? Is it a linux or
db2 property?

I know that AIX has this. I'm not sure about Linux. It is an operating
system thing.

--
Knut Stolze
DB2 Information Integration Development
IBM Germany

Knut Stolze wrote:

Bob Stearns wrote:

Diaglevel 4 gave me exactly one message of relevance:
check password failed with rc = -2146500502
That's FFFFFFFF800F006 A in 64 bit hex, but I wouldn't know where to look
it up.

This ZRC maps to SQL30082: Security processing failed with reason <whatever>

All the other messages at or near the same time had to do with
loading a security plugin.

DB2 uses so-called "security plugins" for the authentication. So what are
all those other messages? They might be very relevant!

Where is the failed login count you are speaking of? Is it a linux or
db2 property?

I know that AIX has this. I'm not sure about Linux. It is an operating
system thing.

You may get this twice, my news reader stuttered.

As far as I know, linux (PAM security) does not have this.

While I know you are knowledgeable, how did you look up the code (what
does ZRC stand for)? Via books (online?) or via some arcane, to me at
least, use of the client or server clp?

Here is the whole db2diag from level 4 on to level 4 off:

2006-06-09-16.14.10.936797-240 I278144681G287 LEVEL: Event
PID : 20057 TID : 3054567552 PROC : db2flacc
INSTANCE: db2inst1 NODE : 000
FUNCTION: DB2 UDB, config/install, sqlfLogUpdateCf gParam, probe:30
CHANGE : CFG DBM: "Diaglevel" From: "3" To: "4"

2006-06-09-16.14.33.834104-240 I278144969G258 LEVEL: Severe
PID : 19498 TID : 3007191552
FUNCTION: DB2 Common, Security, Users and Groups, secLogMessage, probe:20
DATA #1 : String, 44 bytes
check password failed with rc = -2146500502
2006-06-09-16.14.59.995382-240 I278145228G316 LEVEL: Info
PID : 20082 TID : 3054567552
FUNCTION: DB2 Common, Security, Users and Groups,
secLoadClientAu thPlugin, probe:10
DATA #1 : String, 94 bytes
Loaded plugin library
/db2home/db2inst1/sqllib/security32/plugin/IBM/client/IBMOSauthclient .so

2006-06-09-16.14.59.995559-240 I278145545G249 LEVEL: Info
PID : 20082 TID : 3054567552
FUNCTION: DB2 Common, Security, Users and Groups, secLogMessage, probe:20
DATA #1 : String, 37 bytes
db2secClientAut hPluginInit successful

2006-06-09-16.14.59.995882-240 I278145795G306 LEVEL: Info
PID : 20082 TID : 3054567552
2006-06-09-16.14.10.936797-240 I278144681G287 LEVEL: Event
PID : 20057 TID : 3054567552 PROC : db2flacc
INSTANCE: db2inst1 NODE : 000
FUNCTION: DB2 UDB, config/install, sqlfLogUpdateCf gParam, probe:30
CHANGE : CFG DBM: "Diaglevel" From: "3" To: "4"

2006-06-09-16.14.33.834104-240 I278144969G258 LEVEL: Severe
PID : 19498 TID : 3007191552
FUNCTION: DB2 Common, Security, Users and Groups, secLogMessage, probe:20
DATA #1 : String, 44 bytes
check password failed with rc = -2146500502
2006-06-09-16.14.59.995382-240 I278145228G316 LEVEL: Info
PID : 20082 TID : 3054567552
FUNCTION: DB2 Common, Security, Users and Groups,
secLoadClientAu thPlugin, probe:10
DATA #1 : String, 94 bytes
Loaded plugin library
/db2home/db2inst1/sqllib/security32/plugin/IBM/client/IBMOSauthclient .so

2006-06-09-16.14.59.995559-240 I278145545G249 LEVEL: Info
PID : 20082 TID : 3054567552
FUNCTION: DB2 Common, Security, Users and Groups, secLogMessage, probe:20
DATA #1 : String, 37 bytes
db2secClientAut hPluginInit successful

2006-06-09-16.14.59.995882-240 I278145795G306 LEVEL: Info
PID : 20082 TID : 3054567552

Bob Stearns wrote:

My client is bugging me for a solution to this problem!

I am still getting "Password Invalid" with all new users I define on my
linux box. I have tried all the suggestions made here and they made
exactly no difference. I have server authorization set. I do have
connect authority for the new user. I have all the same groups for the
new user as the one that works. I have tried simpler passwords as well
as the password of a working account. I can login to the server with SSH
using the password I assigned. It fails from the Client and Server
command lines with sql state 08001.

I am at my wits end. What little hair I had is now pulled out. Where do
I go from here? I tried a sniffer trace, but the traffic I'm interested
in is encrypted.

Any help, suggestions, rtfm pointers, etc. will be gratefully accepted.

If this is urgent, open a PMR. Don't post the same issue to this group
under 10 different threads.

Did you try using db2iupdt as I suggested a few days ago?

Are you on AIX? There is a bug related to a memory leak in the db2ckpw
process, and if you reach the limit you will experience authentication
errors (you have to cycle DB2 to resolve this issue).

Bob Stearns wrote:

While I know you are knowledgeable, how did you look up the code (what
does ZRC stand for)? Via books (online?) or via some arcane, to me at
least, use of the client or server clp?
Nothing arcane. ;-) There is a tool available to DB2 developers for just
such purposes.
2006-06-09-16.14.59.995382-240 I278145228G316 LEVEL: Info
PID : 20082 TID : 3054567552
FUNCTION: DB2 Common, Security, Users and Groups,
secLoadClientAu thPlugin, probe:10
DATA #1 : String, 94 bytes
Loaded plugin library
/db2home/db2inst1/sqllib/security32/plugin/IBM/client/IBMOSauthclient .so
This is exactly the security plug-in responsible for the authentication
based on the operating system's facilities.
2006-06-09-16.14.59.995559-240 I278145545G249 LEVEL: Info
PID : 20082 TID : 3054567552
FUNCTION: DB2 Common, Security, Users and Groups, secLogMessage, probe:20
DATA #1 : String, 37 bytes
db2secClientAut hPluginInit successful

2006-06-09-16.14.33.834104-240 I278144969G258 LEVEL: Severe
PID : 19498 TID : 3007191552
FUNCTION: DB2 Common, Security, Users and Groups, secLogMessage, probe:20
DATA #1 : String, 44 bytes
check password failed with rc = -2146500502

Pity... not very helpful what the log files provide. I have no immediate
idea what might be amiss now.

So we'll have to try to tackle this thing in another way (unless you have a
support contract and can simply call IBM support and open a PMR). You
could collect a db2 trace and send this to me. I'm willing to have a look
- no promises, though! To gather a trace, just do this:

on the server:
$ db2trc on -f trc

on the client:
$ db2 connect to ... user ...

on the server
$ db2trc off
$ db2trc flw trc flw
$ db2trc fmt trc fmt

Then pack (gzip or whatever) the "flw" and "fmt" files together and just
send them.

--
Knut Stolze
DB2 Information Integration Development
IBM Germany

Ian wrote:

Are you on AIX? There is a bug related to a memory leak in the db2ckpw
process, and if you reach the limit you will experience authentication
errors (you have to cycle DB2 to resolve this issue).

Not on AIX as far as I understood - or Bob would have known about the login
count. ;-)

--
Knut Stolze
DB2 Information Integration Development
IBM Germany