IC64176: ON WINDOWS TOOLS CATLOG DB CREATED DURING INSTALL (BY LOCALSYSTEM) CAN NOT BE ACCESSED BY NORMAL USERS



APAR status

  • Closed as fixed if next.

Error description

  • When DB2 is installed on a Windows system, all the configuration
    tasks are executed under the LocalSystem account, including
    creating the Tools Catalog db if the user selects it. Thus, for
    a database created during the install, the creating user account
    is always "SYSTEM" on Windows platforms.
    
    Because the DB2 authorization model was enhanced in V9.7 to allow
    separation of duties, a user who holds SYSADM authority
    no longer has implicit DBADM authority, so a SYSADM user has
    limited capabilities compared to those available in Version 9.5.
    
    http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.wn.doc/doc/c0054241.html
    
    Only the creator of the database has the DBADM, DATAACCESS,
    ACCESSCTRL and SECADM authorities. Because LocalSystem is not a
    normal user account that you can log in with, the user is stuck
    when he/she tries to work on the db that was created during the
    install.
    

Local fix

  • (1). Drop the Tools Catalog db that was created during install, and
    recreate it. The creator will have DBADM and SECADM access to
    this database.
    
    (2). If you do not want to recreate the db, follow the steps
    provided below to grant SECADM to a specified user after the
    install.
    
    What the customer needs to do is start a command prompt
    window as LocalSystem and issue the grant from that window to the
    ID of their choosing.
    
    1). From a command window, issue the 'at' command with a future
    time (say 1 min later), for example:
    
       C:\Documents and Settings\ at 10:35 /interactive cmd.exe
    
    2). In the new cmd window, issue db2cmd.
    
    3). connect to test -> it shows the auth id is SYSTEM. You can
    then grant.
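
The grant from step 3, written out as a DB2 CLP script with a before-and-after check of the database authorities. This is an added example, not part of the APAR text: the database name test comes from step 3, while the user name DBSEC1 and the file name grant_secadm.sql are hypothetical.

```sql
-- grant_secadm.sql (hypothetical file name)
-- Run from the DB2 command window opened in step 2, i.e. as LocalSystem:
--   db2 -tvf grant_secadm.sql
-- DBSEC1 is a hypothetical Windows account; substitute the ID of your choosing.

CONNECT TO test;

-- The session authorization ID should be SYSTEM, the creator of the database.
VALUES SESSION_USER;

-- Before: list every authorization ID that holds one of the four
-- database authorities. On an install-created database, only SYSTEM appears.
SELECT GRANTEE, GRANTEETYPE,
       DBADMAUTH, SECURITYADMAUTH, DATAACCESSAUTH, ACCESSCTRLAUTH
  FROM SYSCAT.DBAUTH
 WHERE DBADMAUTH = 'Y'
    OR SECURITYADMAUTH = 'Y'
    OR DATAACCESSAUTH = 'Y'
    OR ACCESSCTRLAUTH = 'Y';

-- Hand security administration to a real, loggable account.
GRANT SECADM ON DATABASE TO USER DBSEC1;

-- After: DBSEC1 should now show SECURITYADMAUTH = 'Y'.
SELECT GRANTEE, GRANTEETYPE, SECURITYADMAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE = 'DBSEC1';

CONNECT RESET;
```

Once DBSEC1 holds SECADM, that account can grant DBADM, DATAACCESS or ACCESSCTRL to the appropriate users from a normal login session, so the LocalSystem window is needed only for this one grant.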
    

Problem summary

  • USERS AFFECTED:
    ALL
    
    PROBLEM DESCRIPTION:
    When DB2 is installed on a Windows system, all the configuration
    tasks are executed under the LocalSystem account, including
    creating the Tools Catalog db if the user selects it. Thus, for
    a database created during the install, the creating user account
    is always "SYSTEM" on Windows platforms.
    
    Because the DB2 authorization model was enhanced in V9.7 to allow
    separation of duties, a user who holds SYSADM authority
    no longer has implicit DBADM authority, so a SYSADM user has
    limited capabilities compared to those available in Version 9.5.
    
    http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.wn.doc/doc/c0054241.html
    
    Only the creator of the database has the DBADM, DATAACCESS,
    ACCESSCTRL and SECADM authorities. Because LocalSystem is not a
    normal user account that you can log in with, the user is stuck
    when he/she tries to work on the db that was created during the
    install.
    
    RECOMMENDATION:
    (1). Drop the Tools Catalog db that was created during install,
    and recreate it. The creator will have DBADM and SECADM
    access to this database.
    
    (2). If you do not want to recreate the db, follow the steps
    provided below to grant SECADM to a specified user after the
    install.
    
    What the customer needs to do is start a command prompt
    window as LocalSystem and issue the grant from that window to
    the ID of their choosing.
    
    1). From a command window, issue the 'at' command with a future
    time (say 1 min later), for example:
    
       C:\Documents and Settings\ at 10:35 /interactive cmd.exe
    
    2). In the new cmd window, issue db2cmd.
    
    3). connect to test -> it shows the auth id is SYSTEM. You
    can then grant.
    
    Upgrade to DB2 V97 FP2 when available
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    IC64176

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    970

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-10-27

  • Closed date

    2010-05-14

  • Last modified date

    2010-05-14

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IC67006

Fix information

Applicable component levels

  • R950 PSY

       UP

  • R970 PSY

       UP

Document information

DB2 for Linux, UNIX and Windows


Software version:
9.7


Reference #:
IC64176


Modified date:
2010-05-14
