Troubleshooting
Problem
When a db2 user is added to a new security group defined on the operating system (a secondary security group for the user), any db2 operation that needs to access file systems owned by this newly added secondary security group may return error SQL3508N, complaining about permission rights.
Symptom
An operation that accesses file systems owned by a secondary security group of the user may fail, causing the whole operation to fail.
Cause
This error occurs because db2 was not restarted after the user was added to a secondary security group defined on the operating system.
Environment
For example:
User db2inst1 has the following primary security group:
lsuser db2inst1
groups=db2group1,db2group2,db2group3
User db2inst1 executes a db2 operation, such as load, that uses the /db2/load/data/ path for its temporary files.
The /db2/load/data path is owned by group db2group3, which is a secondary group for user db2inst1.
ls -ld /db2/load/data
drwxrwxr-x 4 db2inst2 db2group3 256 Oct 31 11:23 /db2/load/
drwxrwsr-x 4 db2inst2 db2group3 256 Oct 30 13:25 /db2/load/data
Outside of db2, db2inst1 can successfully create files and directories under /db2/load/data, but not from within the db2 process.
drwxrwsr-x 8 bpldevld bpldevld 256 Nov 01 15:42 /db2/bplfeed/db2utlgn/bpldbd02/
Diagnosing The Problem
To diagnose the problem, use the following steps:
1. Look through db2diag.log for the process that failed with the SQL3508N error. You will see the following messages:
2013-11-05-15.32.36.491339-300 I4032A3847 LEVEL: Error (OS)
PID : 38797342 TID : 23913 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB : sample
APPHDL : 0-17331 APPID: *LOCAL.db2inst1.131105203226
AUTHID : db2inst1 HOSTNAME:
EDUID : 23913 EDUNAME: db2agent (DB2INST1) 0
FUNCTION: DB2 Common, OSSe, ossErrorIOAnalysis, probe:100
CALLED : OS, -, mkdir
OSERR : EACCES (13) "Permission denied"
DATA #1 : String, 186 bytes
A total of 2 analysis will be performed :
- User info
- Path access permission
Target file = /db2/load/data/file.txt
DATA #2 : String, 194 bytes
Real user ID of current process = 102138
Effective user ID of current process = 102138
Real group ID of current process = 12070
Effective group ID of current process = 12070
DATA #3 : String, 41 bytes
current sbrk(0) value: 0x0000000114f14d20
DATA #4 : String, 362 bytes
Information of each subdirectory leading up to the first inaccessible one is shown in the format below :
<UID>:<GID>:<permissions> (subdirectories)
43728:10010:775 (db2)
132635:12218:775 (load)
107797:12970:2775 (data)
The record above shows only the primary security group of user db2inst1.
2. User db2inst1 can try to create files or subdirectories under the /db2/load/data/ path outside of db2 to see whether they can be created successfully.
If they can, the issue exists only within the db2 operation, which does not see the permissions that user db2inst1 has through the secondary group db2group3.
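The following added example (not part of the original technote and not IBM code) replays the permission check implied by the db2diag.log record above: it parses the effective IDs and the UID:GID:permissions chain, then reports the first directory that blocks creating an entry. RECORD is constructed from the lines of that record, and treating GID 12970 as the secondary group the user was added to is an assumption, since the page does not give the numeric mapping.

```python
import re

# Constructed sample: the relevant lines of the db2diag.log record shown above.
RECORD = """\
Effective user ID of current process = 102138
Effective group ID of current process = 12070
43728:10010:775 (db2)
132635:12218:775 (load)
107797:12970:2775 (data)
"""

def parse_record(text):
    """Return (euid, egid, [(uid, gid, mode, name), ...]) from a record."""
    euid = int(re.search(r"Effective user ID of current process = (\d+)", text).group(1))
    egid = int(re.search(r"Effective group ID of current process = (\d+)", text).group(1))
    chain = [(int(u), int(g), int(m, 8), name)
             for u, g, m, name in re.findall(r"^(\d+):(\d+):([0-7]{3,4}) \((.+)\)$", text, re.M)]
    return euid, egid, chain

def permission_bits(uid, gid, mode, euid, groups):
    """Pick the rwx triplet that applies: owner, else group, else other."""
    if euid == uid:
        return (mode >> 6) & 7
    if gid in groups:
        return (mode >> 3) & 7
    return mode & 7

def first_denied(text, supplementary=()):
    """Name of the first directory that blocks creating an entry in the last
    directory of the chain, or None if the whole path is usable."""
    euid, egid, chain = parse_record(text)
    groups = {egid, *supplementary}  # group set the running process holds
    for i, (uid, gid, mode, name) in enumerate(chain):
        # write + search on the target directory, search only on its parents
        needed = 0o3 if i == len(chain) - 1 else 0o1
        if permission_bits(uid, gid, mode, euid, groups) & needed != needed:
            return name
    return None

if __name__ == "__main__":
    # Group set as reported in the record: only the primary group.
    print("process credentials only:", first_denied(RECORD))
    # Assumed: 12970 is the secondary group, visible to db2 after a restart.
    print("with GID 12970 in group set:", first_denied(RECORD, supplementary=[12970]))
```

With only the group ID from the record, the check stops at data because the process falls into the "other" class (r-x); once the owning group is in the process's group set, the group class (rwx) applies and the path is usable.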
Resolving The Problem
To resolve the issue, restart db2 after adding the user to a secondary security group so that the db2 process sees the effective changes to the user's security:
db2 force applications all
db2stop force
db2start
Document Information
Modified date:
16 June 2018
UID
swg21656731