IBM Support

LI75169: DB2IMIGR SETS INCORRECT PERMISSIONS FOR KERBEROS CATALOG DIRECTORIES IN SQLDBDIR (SQLKRB)

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When we have a database catalogued as using Kerberos
    authentication, the migration from v8 to v9.x will render the
    catalog directory unusable
    
    To reproduce:
    1.
    $ db2 catalog tcpip node thost remote thost server 50000
    DB20000I  The CATALOG TCPIP NODE command completed successfully.
    DB21056W  Directory changes may not be effective until the
    directory cache is
    refreshed.
    $ db2 catalog database tkerb as tkerb at node thost
    authentication kerberos target principal db2@thost.db2lab.com
    DB20000I  The CATALOG DATABASE command completed successfully.
    DB21056W  Directory changes may not be effective until the
    directory cache is
    refreshed.
    $
    
    /home/db2inst9/sqllib/sqldbdir
    
    $ ls -al
    total 16
    drwxrwxr-x   3 db2inst9 db2iadm9     512 Dec  3 13:29 .
    drwxrwxr-t  18 db2inst9 db2iadm9    1024 Dec  3 13:29 ..
    -rw-rw-r--   1 db2inst9 db2iadm9    1512 Dec  3 13:29 sqldbbak
    -rw-rw-r--   1 db2inst9 db2iadm9    1512 Dec  3 13:29 sqldbdir
    -rw-rw-r--   1 db2inst9 db2iadm9     540 Dec  3 13:29 sqldbins
    drwxrwxr-x   2 db2inst9 db2iadm9     512 Dec  3 13:29 sqlkrb
    
    $ ls -al sqlkrb
    total 6
    drwxrwxr-x   2 db2inst9 db2iadm9     512 Dec  3 13:29 .
    drwxrwxr-x   3 db2inst9 db2iadm9     512 Dec  3 13:29 ..
    -rw-rw-r--   1 db2inst9 db2iadm9      32 Dec  3 13:29 TKERB
    
    2.
    After running db2imigr the permissions show incorrect. In
    certain cases this directory could be corrupt
    
    /home/db2inst9/sqllib/sqldbdir
    $ ls -al
    total 22
    drwxrwxr-x   3 db2inst9 db2iadm9     512 Dec  3 13:36 .
    drwxrwxr-t  19 db2inst9 db2iadm9    1024 Dec  3 13:36 ..
    -rw-rw-r--   1 db2inst9 db2iadm9    1512 Dec  3 13:36 sqldbbak
    -rw-rw-r--   1 db2inst9 db2iadm9    1512 Dec  3 13:36 sqldbdir
    -rw-rw-r--   1 db2inst9 db2iadm9     540 Dec  3 13:36 sqldbins
    -rw-rw-r--   1 db2inst9 db2iadm9    2148 Dec  3 13:36
    sqldddir.bak
    drw-rw-r--   2 db2inst9 db2iadm9     512 Dec  3 13:29 sqlkrb
    
    3. Running db2 list database directory will throw error
    SQL10004C  and db2diag.log will show access permission errors on
    sqlkrb
    
    $ db2 list database directory
     System Database Directory
     Number of entries in the directory = 1
    SQL10004C  An I/O error occurred while accessing the database
    directory.
    SQLSTATE=58031
    
    FUNCTION: DB2 Common, OSSe, ossErrorIOAnalysis, probe:100
    CALLED  : OS, -, open
    OSERR   : EACCES (13) "Permission denied"
    DATA #1 : String, 141 bytes
    A total of 2 analysis will be performed :
     - User info
     - Path access permission
    
     Target file = /home/db2inst9/sqllib/sqldbdir/sqlkrb/TKERB
    DATA #2 : String, 184 bytes
      Real user ID of current process       = 221
      Effective user ID of current process  = 221
      Real group ID of current process      = 111
      Effective group ID of current process = 111
    DATA #3 : String, 328 bytes
    Information of each subdirectory leading up to the first
    inaccessible one is shown in the format below :
       <UID>:<GID>:<permissions> (subdirectories)
    
       0:0:755 (home)
       221:111:755 (db2inst9)
       221:111:1775 (sqllib)
       221:111:775 (sqldbdir)
       221:111:664 (sqlkrb)
    

Local fix

  • Uncatalog databases that use Kerberos authentication previous to
    running db2imigr and catalog them again afterwards.
    If already have run db2imgr and the directory sqlkrb shows wrong
    permissions run chmod ug=rwx,o=rx.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * ALL                                                          *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * DB2IMIGR SETS INCORRECT PERMISSIONS FOR KERBEROS             *
    * CATALOGDIRECTORIES IN SQLDBDIR (SQLKRB)                      *
    *                                                              *
    * When we have a database catalogued as using Kerberos         *
    *                                                              *
    * authentication, the migration from v8 to v9.x will render    *
    * the                                                          *
    * catalog directory unusable                                   *
    *                                                              *
    *                                                              *
    *                                                              *
    * To reproduce:                                                *
    *                                                              *
    * 1.                                                           *
    *                                                              *
    * $ db2 catalog tcpip node thost remote thost server 50000     *
    *                                                              *
    * DB20000I  The CATALOG TCPIP NODE command completed           *
    * successfully.                                                *
    * DB21056W  Directory changes may not be effective until the   *
    *                                                              *
    * directory cache is                                           *
    *                                                              *
    * refreshed.                                                   *
    *                                                              *
    * $ db2 catalog database tkerb as tkerb at node thost          *
    *                                                              *
    * authentication kerberos target principal                     *
    * db2@thost.db2lab.com                                         *
    * DB20000I  The CATALOG DATABASE command completed             *
    * successfully.                                                *
    * DB21056W  Directory changes may not be effective until the   *
    *                                                              *
    * directory cache is                                           *
    *                                                              *
    * refreshed.                                                   *
    *                                                              *
    * $                                                            *
    *                                                              *
    *                                                              *
    *                                                              *
    * /home/db2inst9/sqllib/sqldbdir                               *
    *                                                              *
    *                                                              *
    *                                                              *
    * $ ls -al                                                     *
    *                                                              *
    * total 16                                                     *
    *                                                              *
    * drwxrwxr-x  3 db2inst9 db2iadm9    512 Dec  3 13:29 .        *
    * drwxrwxr-t  18 db2inst9 db2iadm9    1024 Dec  3 13:29 ..     *
    *                                                              *
    * -rw-rw-r--  1 db2inst9 db2iadm9    1512 Dec  3 13:29         *
    * sqldbbak                                                     *
    * -rw-rw-r--  1 db2inst9 db2iadm9    1512 Dec  3 13:29         *
    * sqldbdir                                                     *
    * -rw-rw-r--  1 db2inst9 db2iadm9    540 Dec  3 13:29 sqldbins *
    *                                                              *
    * drwxrwxr-x  2 db2inst9 db2iadm9    512 Dec  3 13:29 sqlkrb   *
    *                                                              *
    *                                                              *
    *                                                              *
    * $ ls -al sqlkrb                                              *
    *                                                              *
    * total 6                                                      *
    *                                                              *
    * drwxrwxr-x  2 db2inst9 db2iadm9    512 Dec  3 13:29 .        *
    * drwxrwxr-x  3 db2inst9 db2iadm9    512 Dec  3 13:29 ..       *
    *                                                              *
    * -rw-rw-r--  1 db2inst9 db2iadm9      32 Dec  3 13:29 TKERB   *
    *                                                              *
    *                                                              *
    *                                                              *
    * 2.                                                           *
    *                                                              *
    * After running db2imigr the permissions show incorrect. In    *
    *                                                              *
    * certain cases this directory could be corrupt                *
    *                                                              *
    *                                                              *
    *                                                              *
    * /home/db2inst9/sqllib/sqldbdir                               *
    *                                                              *
    * $ ls -al                                                     *
    *                                                              *
    * total 22                                                     *
    *                                                              *
    * drwxrwxr-x  3 db2inst9 db2iadm9    512 Dec  3 13:36 .        *
    * drwxrwxr-t  19 db2inst9 db2iadm9    1024 Dec  3 13:36 ..     *
    *                                                              *
    * -rw-rw-r--  1 db2inst9 db2iadm9    1512 Dec  3 13:36         *
    * sqldbbak                                                     *
    * -rw-rw-r--  1 db2inst9 db2iadm9    1512 Dec  3 13:36         *
    * sqldbdir                                                     *
    * -rw-rw-r--  1 db2inst9 db2iadm9    540 Dec  3 13:36 sqldbins *
    *                                                              *
    * -rw-rw-r--  1 db2inst9 db2iadm9    2148 Dec  3 13:36         *
    *                                                              *
    * sqldddir.bak                                                 *
    *                                                              *
    * drw-rw-r--  2 db2inst9 db2iadm9    512 Dec  3 13:29 sqlkrb   *
    *                                                              *
    *                                                              *
    *                                                              *
    * 3. Running db2 list database directory will throw error      *
    *                                                              *
    * SQL10004C  and db2diag.log will show access permission       *
    * errors on                                                    *
    * sqlkrb                                                       *
    *                                                              *
    *                                                              *
    *                                                              *
    * $ db2 list database directory                                *
    *                                                              *
    * System Database Directory                                    *
    *                                                              *
    * Number of entries in the directory = 1                       *
    *                                                              *
    * SQL10004C  An I/O error occurred while accessing the         *
    * database                                                     *
    * directory.                                                   *
    *                                                              *
    * SQLSTATE=58031                                               *
    *                                                              *
    *                                                              *
    *                                                              *
    * FUNCTION: DB2 Common, OSSe, ossErrorIOAnalysis, probe:100    *
    *                                                              *
    * CALLED  : OS, -, open                                        *
    *                                                              *
    * OSERR  : EACCES (13) "Permission denied"                     *
    *                                                              *
    * DATA #1 : String, 141 bytes                                  *
    *                                                              *
    * A total of 2 analysis will be performed :                    *
    *                                                              *
    * - User info                                                  *
    *                                                              *
    * - Path access permission                                     *
    *                                                              *
    *                                                              *
    *                                                              *
    * Target file = /home/db2inst9/sqllib/sqldbdir/sqlkrb/TKERB    *
    *                                                              *
    * DATA #2 : String, 184 bytes                                  *
    *                                                              *
    *   Real user ID of current process      = 221                 *
    *                                                              *
    *   Effective user ID of current process  = 221                *
    *                                                              *
    *   Real group ID of current process      = 111                *
    *                                                              *
    *   Effective group ID of current process = 111                *
    *                                                              *
    * DATA #3 : String, 328 bytes                                  *
    *                                                              *
    * Information of each subdirectory leading up to the first     *
    *                                                              *
    * inaccessible one is shown in the format below :              *
    *                                                              *
    *   <UID>:<GID>:<permissions> (subdirectories)                 *
    *                                                              *
    *                                                              *
    *                                                              *
    *   0:0:755 (home)                                             *
    *                                                              *
    *   221:111:755 (db2inst9)                                     *
    *                                                              *
    *   221:111:1775 (sqllib)                                      *
    *                                                              *
    *   221:111:775 (sqldbdir)                                     *
    *                                                              *
    *   221:111:664 (sqlkrb)                                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Upgrade to DB2 version 9.5FP6                                *
    ****************************************************************
    

Problem conclusion

  • Problem was first fixed in Version 9.5 Fix Pack 6
    

Temporary fix

Comments

APAR Information

  • APAR number

    LI75169

  • Reported component name

    DB2 UDE ESE LIN

  • Reported component ID

    5765F4104

  • Reported release

    950

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-12-07

  • Closed date

    2010-04-14

  • Last modified date

    2010-06-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IC65028 IC65030 IC68392

Fix information

  • Fixed component name

    DB2 UDE ESE LIN

  • Fixed component ID

    5765F4104

Applicable component levels

  • R950 PSY

       UP

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEPGG","label":"DB2 for Linux, UNIX and Windows"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"950","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
29 June 2010