In part 1 of this series, we described how to configure DB2 Express-C on Linux and how to configure the Centrify DB2 Plugin. In this article we will focus on testing the installation and an example of how to troubleshoot if things aren't working as expected.
Testing the installation
Now that DB2 has been installed and Centrify's DB2 Plugin configured, we can perform some simple tests to validate that things like SSO and AD group enumeration are working as expected.
First, we can verify the DB2 plugin configuration using the following command:
db2 get dbm config |egrep -i "auth|gss|group|srvcon"
We can also test authentication using AD credentials (username and password) for AD users:
db2 connect to sample user dwirth
And we can test Single Sign-On (SSO) using Kerberos (note we omit the user parameter in the following command):
db2 connect to sample
And finally, we can enumerate AD groups with the following command:
db2 'select * from table (SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID (CURRENT USER)) AS ST'
These are simple tests you can do to check that your DB2 installation is working correctly (if you have installed both the user and group plugins, e.g. as outlined in this community article).
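The four checks above, wrapped into one script that prints a PASS/FAIL line per check. This is an added example and not code from the article or from Centrify. It assumes the db2 CLI is reachable as $DB2, that the AD password for the user/password test is supplied in $AD_PASSWORD (the interactive prompt the article relies on does not work in a script), and that the three server-side parameters SRVCON_GSSPLUGIN_LIST, SRVCON_PW_PLUGIN and GROUP_PLUGIN are the ones that must be populated for SSO, AD password login and group lookups. The dbm_config_value helper parses the output of `db2 get dbm config`, so it can also be run against a saved copy; the sample config text and the plug-in library names in it are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article: the four manual checks as a script.
# Assumptions: db2 CLI reachable as $DB2, AD password in $AD_PASSWORD, and
# the three plug-in parameters in missing_plugin_params are the ones that
# must be populated for Kerberos SSO, AD password login and group lookups.

DB2=${DB2:-db2}              # db2 CLI (article uses /opt/ibm/db2/V11.1_01/bin/db2)
DBNAME=${DBNAME:-sample}     # database used in the article's tests
AD_USER=${AD_USER:-dwirth}   # AD account used in the article's tests

# Constructed sample of what `db2 get dbm config | egrep -i "auth|gss|group|srvcon"`
# returns; the plug-in library names are placeholders, not values from the article.
# GROUP_PLUGIN is deliberately left empty to show a misconfiguration being caught.
SAMPLE_CONFIG=' Database manager authentication        (AUTHENTICATION) = GSS_SERVER_ENCRYPT
 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED
 Server List of GSS Plugin Libs  (SRVCON_GSSPLUGIN_LIST) = centrifydc_db2gsskrb5
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) = centrifydc_db2userpass
 Group Plugin                               (GROUP_PLUGIN) = '

# dbm_config_value CONFIG_TEXT PARAM -> prints the value after "(PARAM) ="
dbm_config_value() {
    printf '%s\n' "$1" | awk -v p="($2)" 'index($0, p) { sub(/^.*= */, ""); print; exit }'
}

# missing_plugin_params CONFIG_TEXT -> prints each plug-in parameter whose
# value is empty, one per line; no output means all three are configured
missing_plugin_params() {
    for p in SRVCON_GSSPLUGIN_LIST SRVCON_PW_PLUGIN GROUP_PLUGIN; do
        [ -n "$(dbm_config_value "$1" "$p")" ] || echo "$p"
    done
}

# run_check LABEL CMD... -> prints PASS/FAIL; the command's own output is discarded
run_check() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

# Runs the article's four tests against the live instance
run_validation() {
    cfg=$("$DB2" get dbm config)
    missing=$(missing_plugin_params "$cfg" | tr '\n' ' ')
    if [ -z "$missing" ]; then
        echo "PASS: plug-in parameters populated"
    else
        echo "FAIL: empty plug-in parameters: $missing"
    fi
    if [ -n "$AD_PASSWORD" ]; then
        run_check "AD user/password login as $AD_USER" \
            "$DB2" connect to "$DBNAME" user "$AD_USER" using "$AD_PASSWORD"
    else
        echo "SKIP: AD user/password login (AD_PASSWORD not set)"
    fi
    run_check "Kerberos SSO login" "$DB2" connect to "$DBNAME"
    run_check "AD group enumeration" "$DB2" \
        "select * from table (SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID (CURRENT USER)) AS ST"
}

if command -v "$DB2" >/dev/null 2>&1; then
    run_validation
else
    echo "db2 CLI not found; parameters missing in the constructed sample:"
    missing_plugin_params "$SAMPLE_CONFIG"
fi
```

Run it as the instance owner (or via dzdo) with the DB2 instance environment sourced, since the db2 CLI needs it; on a machine without db2 the script only evaluates the constructed sample and reports GROUP_PLUGIN as unset.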
However, what if things are not working as expected?
Troubleshooting the installation
First, some key log files that can provide clues:
- The DB2 diagnostic log in /home/db2inst1/sqllib/db2dump/db2diag.log
- Centrify debug logs (if required)
A practical example
Here is an issue trying to start the database:
[root@cent7 db2dump]# /opt/ibm/db2/V11.1_01/bin/db2 start database manager
SQL1365N db2start or db2stop failed in processing the plugin "". Reason code = "".
A quick Google search for the DB2 error code SQL1365N shows that it means "Processing failed for the server side security plug-in". To investigate further, let's examine the db2diag log for clues as to the cause:
# less /home/db2inst1/sqllib/db2dump/db2diag.log
2016-07-19-184.108.40.2066920-240 I9091E526          LEVEL: Error
PID     : 15235                TID : 140317365888768  PROC : db2sysc
INSTANCE: db2inst1             NODE : 000
HOSTNAME: cent7.centrify.vms
EDUID   : 1                    EDUNAME: db2sysc
FUNCTION: DB2 UDB, bsu security, sqlexLogPluginMessage, probe:20
DATA #1 : String with size, 169 bytes
File: gss_krb5.c, Line: 435, centrifydc_db2gsskrb5: gss_acquire_cred failed. Error: "Miscellaneous failure" Detailed Error: "No principal in keytab matches desired name"
A-ha! A Kerberos keytab issue.
It turns out the keytab for my db2 user was created incorrectly. If we examine the keytab using Centrify's klist binary (see below), we can see there is no entry for principal db2inst1/@CENTRIFY.VMS. This is the issue.
[root@cent7 db2dump]# /usr/share/centrifydc/kerberos/bin/klist -kt /home/db2inst1/db2inst1-cent7.keytab
Keytab name: FILE:/home/db2inst1/db2inst1-cent7.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   6 07/19/16 11:27:51 db2inst1-cent7/cent7.centrify.vms@CENTRIFY.VMS
   6 07/19/16 11:27:51 db2inst1-cent7/cent7.centrify.vms@CENTRIFY.VMS
   6 07/19/16 11:27:51 db2inst1-cent7/cent7.centrify.vms@CENTRIFY.VMS
   6 07/19/16 11:27:51 db2inst1-cent7/cent7.centrify.vms@CENTRIFY.VMS
   6 07/19/16 11:27:51 db2inst1-cent7/cent7.centrify.vms@CENTRIFY.VMS
   6 07/19/16 11:27:51 db2inst1-cent7@CENTRIFY.VMS
   6 07/19/16 11:27:51 db2inst1-cent7@CENTRIFY.VMS
   6 07/19/16 11:27:51 db2inst1-cent7@CENTRIFY.VMS
   6 07/19/16 11:27:51 db2inst1-cent7@CENTRIFY.VMS
   6 07/19/16 11:27:51 db2inst1-cent7@CENTRIFY.VMS
Re-creating the keytab with the correct principal solved this issue and I was then able to start DB2.
Here's how the new keytab was created in my environment using Centrify's adkeytab utility:
dzdo adkeytab --adopt --principal db2inst1/cent7.centrify.vms@CENTRIFY.VMS --upn db2inst1-cent7@CENTRIFY.VMS --user dwirth -V --keytab /home/db2inst1/db2inst1-cent7.keytab db2inst1-cent7
In general, the best way to troubleshoot issues with Centrify and DB2 is to:
- Clear the db2diag log file (rm /home/db2inst1/sqllib/db2dump/db2diag.log)
- Reproduce the error (e.g. start DB2, try to log in as a user, etc.)
- Examine logs for clues
- Take steps to resolve the issue and retest
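Two checks that shorten the loop above, and that would have caught the keytab problem from the practical example before DB2 was even started. This is an added example, not code from the article or from Centrify. keytab_has_principal parses `klist -kt` output and looks for one exact principal, so the hyphenated name db2inst1-cent7@REALM is not mistaken for the service principal db2inst1/host@REALM; diag_plugin_errors pulls the "Detailed Error" text out of every security plug-in record in db2diag.log. Both work on captured text, so they can be run on saved output as well as live. Paths and principal names follow the article's environment; the sample klist and db2diag texts are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article: a keytab check and a db2diag scan for
# the "reproduce, then read the logs" loop. Paths and principal names follow
# the article's environment; SAMPLE_KLIST and SAMPLE_DIAG are constructed.

KEYTAB=${KEYTAB:-/home/db2inst1/db2inst1-cent7.keytab}
KLIST=${KLIST:-/usr/share/centrifydc/kerberos/bin/klist}
DIAG_LOG=${DIAG_LOG:-/home/db2inst1/sqllib/db2dump/db2diag.log}
# Service principal the DB2 GSS plug-in needs, as in the article's adkeytab command
WANT_PRINCIPAL=${WANT_PRINCIPAL:-db2inst1/cent7.centrify.vms@CENTRIFY.VMS}

# Constructed `klist -kt` output reproducing the bad keytab from the article:
# only the hyphenated names are present, not db2inst1/<host>@REALM.
SAMPLE_KLIST='Keytab name: FILE:/home/db2inst1/db2inst1-cent7.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   6 07/19/16 11:27:51 db2inst1-cent7/cent7.centrify.vms@CENTRIFY.VMS
   6 07/19/16 11:27:51 db2inst1-cent7@CENTRIFY.VMS'

# Constructed db2diag.log record in the shape of the one quoted in the article
SAMPLE_DIAG='2016-07-19-18.00.00.000000-240 I9091E526          LEVEL: Error
PID     : 15235                TID : 140317365888768  PROC : db2sysc
INSTANCE: db2inst1             NODE : 000
FUNCTION: DB2 UDB, bsu security, sqlexLogPluginMessage, probe:20
DATA #1 : String with size, 169 bytes
File: gss_krb5.c, Line: 435, centrifydc_db2gsskrb5: gss_acquire_cred failed. Error: "Miscellaneous failure" Detailed Error: "No principal in keytab matches desired name"'

# keytab_has_principal KLIST_OUTPUT PRINCIPAL -> exit 0 if PRINCIPAL is listed.
# Entry lines are "KVNO date time principal"; the whole 4th field must match.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && NF >= 4 && $4 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# diag_plugin_errors DIAG_TEXT -> prints the Detailed Error of every security
# plug-in record (FUNCTION ... sqlexLogPluginMessage), one per line
diag_plugin_errors() {
    printf '%s\n' "$1" | awk '
        /FUNCTION: .*sqlexLogPluginMessage/ { inmsg = 1 }
        inmsg && match($0, /Detailed Error: "[^"]*"/) {
            print substr($0, RSTART + 17, RLENGTH - 18); inmsg = 0
        }'
}

# Live use: check the real keytab, then scan the real diagnostic log
if [ -x "$KLIST" ] && [ -r "$KEYTAB" ]; then
    if keytab_has_principal "$("$KLIST" -kt "$KEYTAB")" "$WANT_PRINCIPAL"; then
        echo "keytab OK: $WANT_PRINCIPAL present in $KEYTAB"
    else
        echo "keytab problem: $WANT_PRINCIPAL missing from $KEYTAB"
    fi
fi
if [ -r "$DIAG_LOG" ]; then
    diag_plugin_errors "$(cat "$DIAG_LOG")" | sed 's/^/plug-in error: /'
fi
```

Run it after clearing db2diag.log and reproducing the failure; an empty scan means the plug-in logged nothing and the problem lies elsewhere, while a keytab mismatch is reported without needing DB2 to start at all.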
Don't forget, if you are a paid customer of Centrify you can access all sorts of great information on the Centrify Customer Support Portal such as our extensive collection of Knowledge Base (KB) articles and also log a ticket with our Technical Support experts (by phone, email or through the portal) who can assist you in resolving issues with our products.