question about authorities

jpotucek

Technical User
Jan 26, 2005
144
US
I've read about UDB security until my eyes are crossed and I'm still struggling to get this to work.. hoping someone can help me..

running DB2 V9.1 on Windows Server.

The security was originally built by creating local users on the Server and then granting individual privileges to Databases and Tables.

I have been able to create a local test user and local test group and then grant privilege to the DB and authorities to the tables that way.

Shouldn't I be able to do the same with a Domain account??????

I created a test Domain account with no special access to the Server that is running DB2. I then created a local test Group on the Server and added the Test Domain account to the group. I gave this test group privileges (Grant Select) to the Database and its tables but can't get it to work!!! What am I missing??
 
I've not really used DB2 on Windows, but I doubt what you are trying to do will work directly. When you create an instance, the default Authentication Type (in the database manager configuration file) is set to SERVER. This says to DB2 to allow clients to try to connect but then use the local server to do the authentication. From what you've written it sounds like this is the value you have as local server users can connect. Your domain controller isn't involved in this process at all.

To get your domain controller involved, I think you need to set the Authentication Type to KERBEROS. As I understand it, this means the authenticity of the user trying to log on is evaluated using a shared key. Although this isn't purely for Windows domain users, I think this is its main use.

To achieve mixed logins, i.e. both local and domain users, you can use KRB_SERVER_ENCRYPT. This requires you have the clients sending their passwords encrypted to the server if using a local server login. However, if you have that working the server will sort out the rest for you.

Hope this helps!
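
The configuration change suggested in the reply above, written out as DB2 command line processor steps. This is an added example, not part of the original posts; it assumes a DB2 Command Window on the server, opened by a user with SYSADM authority on the instance, and a maintenance window for the instance restart.

```bat
rem Run in a DB2 Command Window on the DB2 server as an instance administrator.

rem 1. Record the current authentication type before changing anything.
rem    A default instance reports SERVER: the server's own account database
rem    checks the user ID and password, and no Kerberos ticket is involved.
db2 get dbm cfg | findstr /c:"(AUTHENTICATION)"

rem 2. Switch to the mixed mode named in the reply: clients that support
rem    Kerberos authenticate with a ticket, other clients fall back to
rem    sending an encrypted password that the server checks itself.
db2 update dbm cfg using AUTHENTICATION KRB_SERVER_ENCRYPT

rem 3. AUTHENTICATION is not changed on a running instance, so restart it.
rem    db2stop refuses to stop while applications are still connected.
db2stop
db2start

rem 4. Confirm the new value is in effect.
db2 get dbm cfg | findstr /c:"(AUTHENTICATION)"
```

Keep the output of step 1 so the original value can be restored with the same `update dbm cfg` command if existing local logins stop working.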
 