IDS Forum

Re: likely database privilege problem

Posted By: Sathyanesh Krishnan
Date: Thursday, 27 January 2011, at 12:34 a.m.

Hi TJ,

The instruction you followed to setup the DRDA listening port on IDS se=
rver
is the right one.
I would like to take a look on trace output captured from client and I=
DS
server.

I will soon send you the information to capture the DRDA trace output f=
rom
IDS server.
Meanwhile can you please capture the trace output from the client and s=
end
it to me.

Information to take trace output from client:
1) Open a DB2 Command window at client computer
Then issue the following command to start capturing the trace.
db2trc on -i 16m -m "*.*.84.*.*" -t

2) Then run the client application connecting to IDS.

3) Dump the trace output to a file.
db2trc dmp db2trcout.dmp

4) Please send the output to me.

FYI:You can get more information about DB2TRC by going through the URL.=

http://www.ibm.com/developerworks/db2/library/techarticle/dm-0409melnyk=
/

The step3 of the testconn is trying to establish a connection.
To simplify the trace output we can use an application that try to
establish connection and close.
Please use the fooling source to build an application that try to estab=
lish
to server and close the connection.

static void Main(string[] args)
{

String ConnStr =3D "User
ID=3Dinformix;Password=3Dxxxxxx;Database=3Deloxnet;Server=3D192.168.57.=
72:9091";

DB2Connection Conn =3D new DB2Connection(ConnStr);

try

{

Conn.Open();

Console.WriteLine("Open Sucess");

}

catch (Exception e)

{

Console.WriteLine(e.ToString());

}

Conn.Close();

Console.WriteLine("Closed!");
}

Regards,
Satyan

Software Engineer
R&D - IBM Information Management Division
11200 Lakeview, Lenexa, KS 66219
Tel: 913 599 8792 (T/L: 337-8792)

|------------>
| From: |
|------------>
>--------------------------------------------------------------------=
-----------------------------------------------------------------------=
-------|
|"Throstur Jonsson" <tj@rational-network.com> =

=

|
>--------------------------------------------------------------------=
-----------------------------------------------------------------------=
-------|
|------------>
| To: |
|------------>
>--------------------------------------------------------------------=
-----------------------------------------------------------------------=
-------|
|Sathyanesh Krishnan/Lenexa/IBM@IBMUS =

=

|
>--------------------------------------------------------------------=
-----------------------------------------------------------------------=
-------|
|------------>
| Cc: |
|------------>
>--------------------------------------------------------------------=
-----------------------------------------------------------------------=
-------|
|Ardeshir Jamshidi/Oakland/IBM@IBMUS, <classics-bounces@iiug.org>, "d=
otNet Runtime Team" <dotNet_Runtime_Team%IBMUS@us.ibm.com>, <ids@iiug.o=
rg>, |
|<informix-list@iiug.org> =

=

|
>--------------------------------------------------------------------=
-----------------------------------------------------------------------=
-------|
|------------>
| Date: |
|------------>
>--------------------------------------------------------------------=
-----------------------------------------------------------------------=
-------|
|01/26/2011 03:47 AM =

=

|
>--------------------------------------------------------------------=
-----------------------------------------------------------------------=
-------|
|------------>
| Subject: |
|------------>
>--------------------------------------------------------------------=
-----------------------------------------------------------------------=
-------|
|Re: likely database privilege problem =

=

|
>--------------------------------------------------------------------=
-----------------------------------------------------------------------=
-------|

Hi Satyan,
First of all those where the grant commands I ran against the database:=

grant connect to public;
grant resource to public;
Where there any more to run?

Yes the DRDA port is 9091, otherwise the same testconn40.exe command wo=
uld
not work when run from the local IDS server. But it does work there. It=
is
only when run from another machine on the Local Area Network that it fa=
ils,
as described in my previous post. Please note that the IBM .Net provide=
r is
correctly configured on that client machine. This is an IDS security
problem when trying to access the IDS over LAN via the DRDA. I can with=
out
problems access the same IDS from the same client computer using Server=

Studio or ODBC. It is only the DRDA connection that is giving me this
security issue.

There is no firewall running at the IDS server, so that is not the prob=
lem
either.

Actualy I configured the DRDA following my own guidance that I created =
last
summer as it was pritty difficult finding out from the IBM documentatio=
n.
Find the guidance attached.

To assure the DRDA is correctly setup, is there any standard method oth=
er
than using the testconn40.exe?
At least here is a result run from the IDS server to gurantee that the =
port
is there open and working (connected with Visual Studio installed on th=
e
local IDS server)
C:\Program Files\Informix\Client-SDK>netstat -an | findstr 9091
TCP 0.0.0.0:9091 0.0.0.0:0 LISTENING
TCP 192.168.57.72:1143 192.168.57.72:9091 ESTABLISHED
TCP 192.168.57.72:9091 192.168.57.72:1143 ESTABLISHED
If I disconnect Visual Studio on the Iocal IDS server I get:
C:\Program Files\Informix\Client-SDK>netstat -an | findstr 9091
TCP 0.0.0.0:9091 0.0.0.0:0 LISTENING
TCP 192.168.57.72:1143 192.168.57.72:9091 TIME_WAIT
So it seems to be the correct DRDA port and working properly.

Hope this helps you helping me :-)

Regards
TJ
----- Original Message -----
From: Sathyanesh Krishnan
To: Throstur Jonsson
Cc: Ardeshir Jamshidi ; classics-bounces@iiug.org ; dotNet Runtime Tea=
m ;
ids@iiug.org ; informix-list@iiug.org
Sent: Tuesday, January 25, 2011 7:59 PM
Subject: Re: likely database privilege problem

Hi TJ,

Unfortunately the reason code 25 of the error doesn't give much clue,

IDS server support multiple protocols (SQLI and DRDA).
This .NET provider uses DRDA protocol to connect to IDS database.
Can you please verify the port number you are using (9091) is configur=
ed
at IDS to use DRDA protocol.

Regards,
Satyan

Software Engineer
R&D - IBM Information Management Division
11200 Lakeview, Lenexa, KS 66219
Tel: 913 599 8792 (T/L: 337-8792)

Inactive hide details for "Throstur Jonsson" ---01/25/2011 01:02:04
PM---Hi Sathyanesh, This helped me on the local server, the"Throstur
Jonsson" ---01/25/2011 01:02:04 PM---Hi Sathyanesh, This helped me on =
the
local server, the testconn40.exe now finish with success. Howev

=

=

From: "Throstur Jonsson" <tj@rational-network.com> =

=

=

To: Sathyanesh Krishnan/Lenexa/IBM@IBMUS =

=

=

Cc: Ardeshir Jamshidi/Oakland/IBM@IBMUS, <classics-bounces@iiug.org=
>,

"dotNet Runtime Team" <dotNet_Runtime_Team%IBMUS@us.ibm.com>, =

<ids-bounces@iiug.org> =

=

=

Date: 01/25/2011 01:02 PM =

=

=

Subjec Re: likely database privilege problem =

t: =

=

Hi Sathyanesh,
This helped me on the local server, the testconn40.exe now finish with=

success. However when run from another computer on the LAN against the=

same server I get this:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D
Step 3: Connecting using "User
ID=3Dinformix;Password=3Dxxxxxx;Database=3Deloxnet;Serv
er=3D192.168.57.72:9091"

Server located, but security error:

ERROR [08001] [IBM] SQL30082N Security processing failed with reason
"25" ("CON
NECTION DISALLOWED"). SQLSTATE=3D08001
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D
No matter if I try to run testconn40.exe against the sysuser database =
I
get that error too there.
The IBM .Net provider is correctly setup at this computer as I'm using=
it
against another IDS 11.5 server without problems. It only fails when I=
try
to run it against the IDS 11.7 server.

Regards
TJ

----- Original Message -----
From: Sathyanesh Krishnan
To: Throstur Jonsson
Cc: Ardeshir Jamshidi ; classics-bounces@iiug.org ; dotNet Runtime Tea=
m ;
ids-bounces@iiug.org
Sent: Tuesday, January 25, 2011 3:53 PM
Subject: Re: likely database privilege problem

Hi TJ,

Forgot you include you in the mail :)

Regards,
Satyan

Software Engineer
R&D - IBM Information Management Division
11200 Lakeview, Lenexa, KS 66219
Tel: 913 599 8792 (T/L: 337-8792)

Inactive hide details for Sathyanesh Krishnan---01/25/2011 09:48:54
AM---Hi TJ, I am redirecting the question to the IDS; ThisSathyanesh
Krishnan---01/25/2011 09:48:54 AM---Hi TJ, I am redirecting the questi=
on
to the IDS; This problem is likely something to do with datab

=

=

From: Sathyanesh Krishnan/Lenexa/IBM =

=

=

To: ids-bounces@iiug.org, classics-bounces@iiug.org =

=

=

Cc: Ardeshir Jamshidi/Oakland/IBM@IBMUS, dotNet Runtime Tea=
m

=

=

Date: 01/25/2011 09:48 AM =

=

=

Subject: likely database privilege problem =

=

Hi TJ,

I am redirecting the question to the IDS;
This problem is likely something to do with database privilege at IDS
server.
Most probably the problem will resolve once you GRANT appropriate righ=
t to
the database.
Just for verifying you may issue the following command to the database=
you
are trying to connect.
grant connect to public;
grant resource to public;

If this doesn't solve the problem then IDS folks can help you better h=
ere.

Regards,
Satyan

Software Engineer
R&D - IBM Information Management Division
11200 Lakeview, Lenexa, KS 66219
Tel: 913 599 8792 (T/L: 337-8792)

----- Forwarded by Sathyanesh Krishnan/Lenexa/IBM on 01/25/2011 09:40 =
AM
-----

=

=

From: Ardeshir Jamshidi/Oakland/IBM =

=

=

To: dotNet Runtime Team =

=

=

Date: 01/25/2011 06:23 AM =

=

=

Subject: Team, really need to give this customer some response, Ple=
ase

advise/re: beta question. =

=

----- Forwarded by Ardeshir Jamshidi/Oakland/IBM on 01/25/2011 04:21 A=
M
-----

=

"Throstur Jonsson" <tj@rational-network.com> =

=

=

01/25/2011 03:45 AM =

=
To

=

Ardeshir=

Jamshidi=
/Oa

kland/IB=
M@I

BMUS =

=

=
cc

=

=

Subj=
ect

=

Re: beta=

question=
.

=

=

=

=

=

=

Hi Ardeshir,
I'm geting totaly frusturated with this. Now I have spent a day on thi=
s
and little progress. So your help would realy be appreciated.

Just to add to this. If I change the Database=3Deloxnet to Database=3D=
sysuser
or Database=3Dsysutils or Database=3Dsysmaster the testconn40.exe pass=
es
throuhg gracefully.

It is only with Database=3Dsysadmin and Database=3Deloxnet (my databas=
e) where
it fails as described below. So this has definately something to do wi=
th
different security among those databases in my Informix Online Server
Instance.
Where is that controlled?

Regars
TJ
----- Original Message -----
From: Throstur Jonsson
To: Ardeshir Jamshidi
Sent: Monday, January 24, 2011 6:35 PM
Subject: beta question.

Hi,
I have for few months been using the beta version of the IBM .Net Data=

Provider version 9.7fp3a. All has been working very well in my
testenvironment with IDS Developer 11.5 on Windows XP. Now I installed=
IDS
Developer 11.7 on a W2003 machine and the same IBM data provider.
Unfortunately I get some security problems when I test a connection wi=
th
Dbconnect40.exe from the W2003 machine:

C:\Program Files\IBM\IBM DATA SERVER DRIVER\bin>testconn40.exe "User
ID=3Dinformix
;Password=3Dxxxxxx;Database=3Deloxnet;Server=3D192.168.57.72:9091"

Step 1: Printing version info
.NET Framework version: 4.0.30319.1
DB2 .NET provider version: 9.0.0.4
DB2 .NET file version: 9.7.3.4
Capability bits: ALLDEFINED
Build: 20100929
Factory for invariant name IBM.Data.DB2 verified
Factory for invariant name IBM.Data.Informix verified
IDS.NET from DbFactory is Common IDS.NET
Warning, failed load of DbFactory for:IBM.Data.DB2.9.7.3
Warning, failed load of DbFactory for:IBM.Data.Informix.9.7.3
VSAI assembly version: 9.1.0.0
VSAI file version: 9.7.3.0
Elapsed: 2,359375

Step 2: Validating db2dsdriver.cfg against db2dsdriver.xsd schema file=

File C:\Documents and Settings\All Users\Application Data\IBM\DB2\IBMD=
BC
L1\cfg\db2dsdriver.cfg missing. Nothing to validate
Elapsed: 0,09375

Step 3: Connecting using "User
ID=3Dinformix;Password=3Dxxxxxx;Database=3Deloxnet;Serv
er=3D192.168.57.72:9091"
ERROR [08004] [IBM] SQL30060N "INFORMIX" does not have the privilege t=
o
perform operation "0x2203". SQLSTATE=3D08004

Test failed.

As I Google this on the net I only get some basic informatoin regardin=
g
some security plugin, etc. The DRDA setup is exactly the same in regis=
try
(SQLHSTS, etc.). I have this aliasis in my onconfig file.
DBSERVERALIASES svc_drda_1 # List of alternate dbserver names
Ant the port number in the services file is set to 9091 by this line:
svc_drda_1 9091/tcp
The DRDA listener seems to be active and listening. However this seems=
to
be a kind of security problem that I have no clue what can be the reas=
on.

Regards
TJ

[attachment "drda_setup.pdf" deleted by Sathyanesh Krishnan/Lenexa/IBM=
]
=

IDS Forum is maintained by Administrator with WebBBS 5.12.