IBM Support

JR23272: DB2_GRP_LOOKUP=LOCAL RESULTS IN SLOW CONNECT/AUTHENTICATION IN V8.2 (V8.1 FP7+)


APAR status

  • Closed as program error.

Error description

  • After upgrading to v8.2 (v8.1 FP7+), domain users (e.g.
    \\mydomain\jsmith) who belong to the local Windows
    Administrators group experience slow (~25s) authentication
    when DB2_GRP_LOOKUP=LOCAL. This is caused by the new Windows
    Security Enhancements introduced in v8.2 (v8.1 FP7+).
    

Local fix

  • Three possible workarounds:
    
    1) Add domain userids to Windows local group DB2ADMNS.
    
    2) db2set db2_grp_lookup=token
    
    Please be aware of the limitations below, quoted from the
    Administration Guide: Implementation ("Acquiring Windows users'
    group information using an access token"):
    
    "When enabling access token support, there are several
    limitations that affect your account management infrastructure.
    When this support is enabled, the DB2 database system collects
    group information about the user who is connecting to the
    database. Subsequent operations after a successful CONNECT or
    ATTACH request that have dependencies on other authorization IDs
    will still need to use conventional group enumeration. The
    access token advantages of nested global groups, domain local
    groups, and cached credentials will not be available. For
    example, if, after a connection, the SET SESSION_USER is used to
    run under another authorization ID, only the conventional group
    enumeration is used to check what rights are given to the new
    authorization ID for the session. You will still need to grant
    and revoke explicit privileges to individual authorization IDs
    known to the DB2 database system, as opposed to the granting and
    revoking of privileges to groups to which the authorization IDs
    belong."
    
    3) Disable the Windows extended security features.
    
    DB2 Version 8.2 - Windows extended security installation
    restrictions
    http://www.ibm.com/support/docview.wss?rs=71&uid=swg21193255
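
A check for whether a server matches the condition described above, as an added example (not IBM code): it reads DB2_GRP_LOOKUP with db2set and lists domain users who are direct members of the local Administrators group but not of DB2ADMNS. It assumes PowerShell 5.1 or later (for Get-LocalGroupMember), an English-language group name 'Administrators', and db2set on PATH; the function names are hypothetical.

```powershell
# Added example (not IBM code). Run elevated on the DB2 server from a DB2
# command window so that db2set is on PATH. Assumes an English-language
# Windows where the built-in group is named 'Administrators'.

function Get-DomainUserMembers {
    param([Parameter(Mandatory)][string]$Group)
    # Direct members only: users who are administrators through a nested
    # domain group are not expanded here.
    Get-LocalGroupMember -Group $Group -ErrorAction Stop |
        Where-Object { $_.ObjectClass -eq 'User' -and
                       $_.PrincipalSource -eq 'ActiveDirectory' } |
        ForEach-Object { $_.Name }
}

function Get-SlowConnectCandidates {
    param([string[]]$Administrators, [string[]]$Db2Admns)
    # Domain users in local Administrators but not in DB2ADMNS
    # (that is, workaround 1 has not been applied to them).
    $Administrators | Where-Object { $Db2Admns -notcontains $_ }
}

# Self-check on constructed names before touching the real groups.
$demo = Get-SlowConnectCandidates `
    -Administrators 'MYDOMAIN\jsmith', 'MYDOMAIN\adoe' `
    -Db2Admns 'MYDOMAIN\adoe'
if (@($demo).Count -ne 1 -or $demo -ne 'MYDOMAIN\jsmith') { throw 'self-check failed' }

# Current registry variable value as reported by db2set.
$lookup = (& db2set DB2_GRP_LOOKUP 2>&1 | Out-String).Trim()
"DB2_GRP_LOOKUP: $lookup"

if ($lookup -match '^LOCAL$') {
    $admins = @(Get-DomainUserMembers -Group 'Administrators')
    $db2adm = @(Get-DomainUserMembers -Group 'DB2ADMNS')
    $hits   = @(Get-SlowConnectCandidates -Administrators $admins -Db2Admns $db2adm)
    if ($hits.Count) {
        'Domain administrators not in DB2ADMNS (candidates for the slow connect):'
        $hits
    } else {
        'No direct domain-user administrators outside DB2ADMNS.'
    }
} else {
    'DB2_GRP_LOOKUP is not exactly LOCAL; the condition in this APAR does not apply as written.'
}
```

The script only reports; whether to add the listed accounts to DB2ADMNS, switch to token lookup, or apply the FixPak remains a decision for the administrator.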
    

Problem summary

  • USERS AFFECTED:  Windows users
    
    PROBLEM DESCRIPTION:
    After upgrading to v8.2 (v8.1 FP7+), domain users (e.g.
    \\mydomain\jsmith) who belong to the local Windows
    Administrators group experience slow (~25s) authentication
    when DB2_GRP_LOOKUP=LOCAL. This is caused by the new Windows
    Security Enhancements introduced in v8.2 (v8.1 FP7+).
    
    
    PROBLEM SUMMARY: See PROBLEM DESCRIPTION.
    

Problem conclusion

  • Problem was first fixed in Version 8 FixPak 15 (s070720).
    At a minimum this fix should be applied on the server.
    

Temporary fix

  • See LOCAL FIX.
    

Comments

APAR Information

  • APAR number

    JR23272

  • Reported component name

    DB2 CPE WINDOWS

  • Reported component ID

    5724B5601

  • Reported release

    810

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2006-02-13

  • Closed date

    2007-08-17

  • Last modified date

    2008-06-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    JR26395

Fix information

  • Fixed component name

    DB2 CPE WINDOWS

  • Fixed component ID

    5724B5601

Applicable component levels

  • R810 PSN

       UP

  • R820 PSN

       UP

  • R910 PSN

       UP


Document Information

Modified date:
06 October 2021