APAR status
Closed as program error.
Error description
Additional information added into ZF225050 First failure data (FDC) file, to point the MQ administrator towards a likely root cause of the problem within the operating system's System Security Services Daemon (SSSD) cache.
Local fix
Refresh the operating system's SSSD cache.
Problem summary
**************************************************************** USERS AFFECTED: A discrepancy between the outputs of getgrouplist and getgrgid_r C library calls can be due to a faulty SSSD cache. Clearing (also known as refreshing, invalidating) this cache might be the solution required to solve this discrepancy. Platforms affected: Linux on x86-64, Linux on Power, Linux on zSeries **************************************************************** PROBLEM DESCRIPTION: On Linux, when MQS_GETGROUPLIST_API has been in the environment before starting the queue manager, then upon encountering each new principal (user), then the queue manager will call getgrouplist to get a list of gids (integer group identifiers) for that principal/user and will then call getgrgid_r repeatedly to get the names for these groups. Due to an error or mis-configuration outside of IBM MQ, one or more of the getgrgid_r calls can return 0 (which means 'success') but also returning a null pointer for the group entry, which means a group entry does not exist for that gid. Although this is documented to be a tolerable return condition from getgrgid_r, this is still a self-inconsistent set of outputs from the operating system library calls (getgrouplist output disagrees with getgrgid output). The design of the MQ product is that it cannot continue to trust the outputs, and so must report an error, and try the default mechanism (see below). A First-failure data capture (FDC) record is written, with probe id ZF225050 if this condition is ever seen (it is seen extremely rarely, if ever). In the header of this FDC record, some more information is needed to give a hint to the true root cause of the issue, which is outside the MQ code, and probably within the operating system's SSSD cache, if there is one. After reporting the error via the FDC with probe id ZF225050, the MQ code then falls back to the default mechanism used when MQS_GETGROUPLIST_API is not set. The default mechanism is to call getgrent_r repeatedly to obtain group entries for all groups on the system, to look for those groups that contain the principal/user of interest. (If the SSSD cache is invalid, then even this default mechanism might fail to obtain the correct configuration. Again, the problem is outside of IBM code, and therefore we cannot fix it). The user should try refreshing the SSSD cache based on the appropriate procedure defined by the operating system vendor, then restarting the queue manager.
Problem conclusion
The First-failure data capture (FDC) record with probe id ZF225050 has been improved to give a hint to the true root cause of the issue, which is outside the MQ code, and probably within the operating system's SSSD cache. --------------------------------------------------------------- The fix is targeted for delivery in the following PTFs: Version Maintenance Level v9.2 LTS 9.2.0.25 v9.3 LTS 9.3.0.20 v9.4 LTS 9.4.0.0 The latest available maintenance can be obtained from 'IBM MQ Recommended Fixes' https://www.ibm.com/support/pages/recommended-fixes-ibm-mq If the maintenance level is not yet available information on its planned availability can be found in 'IBM MQ Planned Maintenance Release Dates' https://ibm.biz/mqplannedmaintenance ---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT45247
Reported component name
MQ BASE V9.2
Reported component ID
5724H7281
Reported release
920
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-01-10
Closed date
2024-02-02
Last modified date
2024-05-14
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MQ BASE V9.2
Fixed component ID
5724H7281
Applicable component levels
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"920","Line of Business":{"code":"LOB67","label":"IT Automation \u0026 App Modernization"}}]
Document Information
Modified date:
14 May 2024