IBM Support

db2 load or any other db2 operation may fail with sql3508 error

Troubleshooting


Problem

When a db2 user is added to a new security group defined on the operating system (a secondary security group for that user), any db2 operation that needs to access file systems owned by this newly added secondary security group may return error SQL3508N, complaining about permission rights.

Symptom

An operation that accesses file systems owned by a secondary security group of the user may fail, causing the whole operation to fail.

Cause

This error occurs because db2 was not restarted after the user was added to a secondary security group defined on the operating system.

Environment

For example:

User db2inst1 has the following primary security group:

lsuser db2inst1

groups=db2group1,db2group2,db2group3

User db2inst1 executes a db2 operation such as load, which uses the /db2/load/data/ path for its temporary files.

The /db2/load/data path is owned by group db2group3, which is a secondary group for user db2inst1.

ls -ld /db2/load/data

drwxrwxr-x 4 db2inst2 db2group3 256 Oct 31 11:23 /db2/load/

drwxrwsr-x 4 db2inst2 db2group3 256 Oct 30 13:25 /db2/load/data


Outside of db2, db2inst1 can successfully create files and directories under /db2/load/data, but not from within the db2 process.

drwxrwsr-x 8 bpldevld bpldevld 256 Nov 01 15:42 /db2/bplfeed/db2utlgn/bpldbd02/

Diagnosing The Problem

To diagnose the problem, use the following steps:

1. Look through db2diag.log for the process that failed with the sql3508 error. You will see the following messages:

2013-11-05-15.32.36.491339-300 I4032A3847 LEVEL: Error (OS)
PID : 38797342 TID : 23913 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB : sample
APPHDL : 0-17331 APPID: *LOCAL.db2inst1.131105203226
AUTHID : db2inst1 HOSTNAME:
EDUID : 23913 EDUNAME: db2agent (DB2INST1) 0
FUNCTION: DB2 Common, OSSe, ossErrorIOAnalysis, probe:100
CALLED : OS, -, mkdir
OSERR : EACCES (13) "Permission denied"
DATA #1 : String, 186 bytes
A total of 2 analysis will be performed :
- User info
- Path access permission

Target file = /db2/load/data/file.txt
DATA #2 : String, 194 bytes
Real user ID of current process = 102138
Effective user ID of current process = 102138
Real group ID of current process = 12070
Effective group ID of current process = 12070
DATA #3 : String, 41 bytes
current sbrk(0) value: 0x0000000114f14d20
DATA #4 : String, 362 bytes
Information of each subdirectory leading up to the first inaccessible one is shown in the format below :
<UID>:<GID>:<permissions> (subdirectories)

43728:10010:775 (db2)
132635:12218:775 (load)
107797:12970:2775 (data)

The output above shows only the primary security group of user db2inst1.

2. User db2inst1 may try to create files or subdirectories under the /db2/load/data/ path outside of db2 to see whether they can be created successfully.

If they can, the issue exists only within the db2 operation, which does not see the permissions that user db2inst1 has through the secondary group db2group3.
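
Added example, not part of the IBM technote: a Linux-only check that compares the groups a running process still holds against the groups the user has now, which is the mismatch the two steps above expose. The function names, the constructed sample status text and the GID values (borrowed from the db2diag excerpt) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the IBM technote). Linux only: reads /proc/<pid>/status.

# Constructed sample of the relevant /proc/<pid>/status lines for a db2sysc
# started before the user joined GID 12970 (GIDs borrowed from the db2diag excerpt).
sample_status() {
    printf 'Name:\tdb2sysc\nGid:\t12070\t12070\t12070\t12070\nGroups:\t12070\n'
}

# Read status text on stdin; print every GID the process holds
# (primary Gid: line plus supplementary Groups: line), one per line.
proc_groups() {
    awk '/^(Gid|Groups):/ { for (i = 2; i <= NF; i++) print $i }'
}

# missing_gids "<gids the user has now>" "<gids the process holds>"
# Prints each GID from the first list that is absent from the second.
missing_gids() {
    have=" $(echo $2) "          # collapse newlines/tabs to single spaces
    for g in $1; do
        case "$have" in
            *" $g "*) ;;
            *) printf '%s\n' "$g" ;;
        esac
    done
}

# check_stale_groups <user> <pid>: 0 = in sync, 1 = restart needed, 2 = lookup failed
check_stale_groups() {
    now=$(id -G "$1") || return 2
    held=$(proc_groups < "/proc/$2/status") || return 2
    stale=$(missing_gids "$now" "$held")
    [ -z "$stale" ] && return 0
    echo "PID $2 predates group change for $1; missing GIDs:" $stale
    return 1
}

# Demo on the constructed sample: the user now has GIDs 12070 and 12970.
missing_gids "12070 12970" "$(sample_status | proc_groups)"    # prints 12970
```

On a live Linux host, call check_stale_groups with the instance owner and the PID of its db2sysc process; a return code of 1 means the process was started before the group change and has not picked it up.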

Resolving The Problem

To resolve the issue, restart db2 after adding the user to a secondary security group so that the db2 processes see the changes to the user's security:

db2 force applications all
db2stop force
db2start

Product: Db2 for Linux, UNIX and Windows
Business Unit: IBM Infrastructure w/TPS
Component: Security / Plug-Ins - IBM Supplied/Default
Platform: AIX, HP-UX, Linux, Solaris
Version: 10.1; 10.5; 9.5; 9.7
Line of Business: Data and AI

Document Information

Modified date:
16 June 2018

UID

swg21656731