A fix is available
APAR status
Closed as program error.
Error description
After upgrading to v8.2 (v8.1 FP7+), domain users (e.g. \\mydomain\jsmith) belonging to the local Windows Administrators group will experience slow (i.e. ~25s) authentication time when DB2_GRP_LOOKUP=LOCAL. This is caused by the new Windows Security Enhancements introduced in v8.2 (v8.1 FP7+).
Local fix
Three possible workarounds:
1) Add domain userids to Windows local group DB2ADMNS.
2) db2set db2_grp_lookup=token
Please be aware of the limitation below (Administration Guide: Implementation, "Acquiring Windows users' group information using an access token"):
"When enabling access token support, there are several limitations that affect your account management infrastructure. When this support is enabled, the DB2 database system collects group information about the user who is connecting to the database. Subsequent operations after a successful CONNECT or ATTACH request that have dependencies on other authorization IDs will still need to use conventional group enumeration. The access token advantages of nested global groups, domain local groups, and cached credentials will not be available. For example, if, after a connection, the SET SESSION_USER is used to run under another authorization ID, only the conventional group enumeration is used to check what rights are given to the new authorization ID for the session. You will still need to grant and revoke explicit privileges to individual authorization IDs known to the DB2 database system, as opposed to the granting and revoking of privileges to groups to which the authorization IDs belong."
3) Disable the Windows extended security features. See "DB2 Version 8.2 - Windows extended security installation restrictions": http://www.ibm.com/support/docview.wss?rs=71&uid=swg21193255
Problem summary
USERS AFFECTED: Windows users
PROBLEM DESCRIPTION: See Error description.
LOCAL FIX: See Local fix.
PROBLEM SUMMARY: See PROBLEM DESCRIPTION.
Problem conclusion
Problem was first fixed in Version 8 FixPak 15 (s070720). At a minimum this fix should be applied on the server.
Temporary fix
See LOCAL FIX.
Comments
APAR Information
APAR number
JR23272
Reported component name
DB2 CPE WINDOWS
Reported component ID
5724B5601
Reported release
810
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2006-02-13
Closed date
2007-08-17
Last modified date
2008-06-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
JR26395
Fix information
Fixed component name
DB2 CPE WINDOWS
Fixed component ID
5724B5601
Applicable component levels
R810 PSN
UP
R820 PSN
UP
R910 PSN
UP
Document Information
Modified date:
06 October 2021