IT41390: SPECTRUM CONTROL PRIORITIZES DOMAIN USER WITHOUT PERMISSIONS OVER LOCAL USER WITH PERMISSIONS

IBM Spectrum Control 5.4.8 - performance patch
IBM Spectrum Control 5.4.8 - Windows Server
IBM Spectrum Control 5.4.8 - Linux Server
IBM Spectrum Control 5.4.8 - AIX Server
IBM Spectrum Control 5.4.8 - Agents
IBM Spectrum Control 5.4.8 (August 2022)

APAR status

• Closed as program error.

Error description

• When attempting to login using a local administrator user
  account the administrator user is stopped because there is a
  domain user account with the same username, but the domain user
  account does not have local host permissions in the DB2ADMNS or
  Administrators user groups and thus login fails without
  attempting to use local user account.
  
  Example: attempting to login to Spectrum Control GUI using the
  installation user account of db2admin which is also a domain
  user:
  
  [Default Executor-thread-69753]
  [TPCManagerCreator.checkValidRole] [ERROR] No role found for
  user: ABC\db2admin groups: [ABC\Domain Users]
  
  When the user attempts to login to the Spectrum Control GUI with
  scserver\db2admin Spectrum Control will wrongly interpret the
  hostname as a domain name, and it will issue the following
  error:
  
  com.ibm.tpc.authentication.os.OSUserRegistry
  FINE: The login failed for the username scserver\db2admin
  com.ibm.tpc.authentication.os.data.PasswordCheckFailedException:
  The specified domain, scserver, does not match the domain of the
  server, ABC.
  
  ____________________________________________________
  DB2 Version used for Server: 11.5
  The defect is against component: Web Server
  Server/Manager (OS): Microsoft Windows Server 2019
  Problem as described by customer: User not authorized to use
  administration console
  Initial customer impact (low/med/high): med
  

Local fix

• N/A
  

Problem summary

• ****************************************************************
  * USERS AFFECTED:                                              *
  * IBM Spectrum Control Users, who have Spectrum Control        *
  * installed on Windows systems in domains.                     *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  * When attempting to login using a local Administrator user    *
  * account, the Administrator user is stopped because there is  *
  * a                                                            *
  * domain user account with the same username, but the domain   *
  * user account does not have local host permissions in the     *
  * DB2ADMNS or Administrators user groups, and thus login       *
  * fails without attempting to use local user account.          *
  *                                                              *
  * Example: attempting to login to Spectrum Control GUI using   *
  * the installation user account of db2admin which is also a    *
  * domain user:                                                 *
  *                                                              *
  * [Default Executor-thread-69753]                              *
  * [TPCManagerCreator.checkValidRole] [ERROR] No role found for *
  * user: ABC\db2admin groups: [ABC\Domain Users]                *
  *                                                              *
  * When the user attempts to login to the Spectrum Control GUI  *
  * with                                                         *
  * scserver\db2admin Spectrum Control will wrongly interpret    *
  * the                                                          *
  * hostname as a domain name, and it will issue the following   *
  * error:                                                       *
  *                                                              *
  * com.ibm.tpc.authentication.os.OSUserRegistry                 *
  * FINE: The login failed for the username scserver\db2admin    *
  * com.ibm.tpc.authentication.os.data.PasswordCheckFailedExcept *
  * ion:                                                         *
  * The specified domain, scserver, does not match the domain of *
  * the                                                          *
  * server, ABC.                                                 *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  This APAR fixed the code to allow <computername>\username
  for logging into Spectrum Control.
  
  This format is needed when the user is defined both locally and
  in the domain, but Spectrum Control has roles only for the local
  
  user's groups.
  

Problem conclusion

• The fix for this APAR is targeted for the following release:
  
  IBM Spectrum Control 5.4.8   [ 5.4.8-IBM-SC ]
  ( release target 3Q 2022 / August )
  https://www.ibm.com/support/pages/node/359939
  
  The target dates for future releases do not represent a formal
  commitment by IBM. The dates are subject to change without
  notice.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  TPC

• Fixed component ID

  5608TPC00

Applicable component levels