DB2 -- ADM13001E "IBMOSauthclient" received error code in .nfy log and diag log

-
DB2 version → Checked on v8.1 and v9.7, think it is same on other versions.

OS → AIX 5

In one of our db2 databases there was a sudden growth of space usage in db2 instance home. This was due to huge .nfy log being creted on db2dump folder. This .nfy log was repeating same error below and was growing very fast, reached 10G within 4 hrs in our case.

2014-12-23-09.38.48.685598 Instance:idsldap Node:000
PID:1695766(db2aud) TID:1 Appid:none
bsu security sqlexGetDefaultLoginContext Probe:15

ADM13001E Plug-in "IBMOSauthclient" received error code "-2" from the DB2
security plug-in API "db2secGetDefaultLoginContext" with the error message " ".

There were some errors related access violation in diag log as well,

2014-12-23-09.40.41.094246+330 I137165939A396 LEVEL: Error
PID : 1609906 TID : 1 PROC : db2set
INSTANCE: idsldap NODE : 000
FUNCTION: DB2 UDB, bsu security, sqlex_write_log_record, probe:30
RETCODE : ZRC=0x840F0001=-2079391743=SQLO_ACCD "Access Denied"
DIA8701C Access denied for resource "", operating system return code
was "".

The db connection were allowed and initially we didn't identify any effect due to these errors.
But to stop the huge log generation we deactivated the db2audit (since the file was written by audit process).

Checking further we have noticed that our db backups were failing as well, the script simply couldn't create the backup file since it didn't have permission to write to backup location from os level.

Then we identified what was going on,

So the db2 instance should be running from idsldap user, but it shows the uid number 220 instead.
But when checking the passwd file there is no entry for uid 220.
In password file idsldap user is given the uid 120

This has cause all these problems. When the db2 instance was started the instance user idsldap had the uid 220. 

But while the instance was running the unix admin has changed the uid to 120 by editing the password file manually causing all these authentication and privilege related errors.

For us the resolution was to just edit the password file manually and change the uid of idsldap user 220 back again, and every thing was back to normal. Please not this might not be the resolution in every occurrence of this error.

We could recreate the same on db2 9.7 as well.

Comments

Post a Comment

Popular posts from this blog

ORA-16433: The database or pluggable database must be opened in read/write

-
Image
ORA-16433 is an error returned when a database cannot be opened. This can be a result of multiple conditions including, The inconsistency of the database Physical corruption Loss of dependent files or access issues etc.. More often than not the solution is to recover from available backups, but there can be situations where backups are not available, specially on UAT or Test setups. Although not the ideal scenario, in this type of situation you might want to open the databases even with inconsistency.  In Comes --> _ALLOW_RESETLOGS_CORRUPTION First, if you are in a position to use _ALLOW_RESETLOGS_CORRUPTION=TRUE, that means it has to be a critical moment, and when you come across more ora- errors while you are trying to reopen the databsae, that can be annoying. Note - _ALLOW_RESETLOGS_CORRUPTION=TRUE must only be used after Oracle support confirmation as a last resort. Also make sure to take cold backup before proceeding. Basic steps to be followed to resolve ORA 16433 after
Read more

Oracle Multitenant - Create new service for PDB using DBMS_SERVICE

-
Image
When an Oracle PDB is created it starts up a default service with the PDB name. For direct connections to    PDB this service can be used. But there are situations where new service name is required in PDB level, common example is after a PDB restoration/clone, in order to enable application connections without changes in connection string. Setting service_names parameter in PDB level is not possible hence it is not an option in multitenant setup. How to create a new PDB service on Oracle 12C Check the current services, here only the default service is running, SQL> show pdbs; CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 3 NFACTORPDB READ WRITE NO SQL> select service_id, name, pdb from dba_Services; SERVICE_ID NAME PDB ---------- ---------------------------------------- ---------- 7 nfactorpdb NFACTORPDB SQL> Create
Read more

Wait for unread message on broadcast channel - Blocking Sessions

-
Image
What is Wait for unread message on broadcast channel wait event? Wait for unread message on broadcast channel is a wait event where source destination communication is involved and the database is waiting for a reply from remote party. Mostly this wait is seen related to data pump export (expdp) or import (impdp) operations. Although categorized in idle wait class "Wait for unread message on broadcast channel" can become the blocking session for some other sessions. Common causes for stuck sessions waiting on this wait event includes, Broken databases links, where remote database is not responding. Abnormally killed remote processes causing the sessions to wait. When a session is waiting on "Wait for unread message on broadcast channel" it can become a blocking session for dependent sessions. Most probably these sessions will be waiting on "library cache pin" or related concurrency wait events. The blocking_session column of (g)v$session view
Read more