Technote (troubleshooting)
Problem(Abstract)
This technote explains why setting the IBM® Rational® ClearCase® variable CLEARCASE_PRIMARY_GROUP to an invalid group no longer shows that the group is invalid, rather it defaults to the primary group set on the Windows® domain controller (Domain Users by default) when viewed from the creds or credmap utility.
Symptom
In ClearCase 2002.05.00 and 2003.06.00, setting the CLEARCASE_PRIMARY_GROUP to an invalid group no longer shows that the group is invalid when viewed from creds or credmap.
Creds defaults to the users primary group on the Domain Controller (which is Domain Users by default).
Note: For both of the following creds outputs the CLEARCASE_PRIMARY_GROUP variable is set to test1 which the user does not belong:
In 4.x versions of ClearCase when an invalid group (one that the user is not a member of) was set as the users CLEARCASE_PRIMARY_GROUP the creds output was as follows:
**********************************************************************************************
C:\Program Files\Rational\ClearCase\etc\utils>creds
Login name: DOMAIN\user1
USID: NT:S-1-5-21-141845252-1443263951-584457872-2056
*** Can't get primary group SID
*** You may not be a member of the "test1" group.
*** Can't get group info for current process primary group SID "NOBODY"
Groups: (10)
DOMAIN\user (NT:S-1-5-21-141845252-1443263951-584457872-1023)
Everyone (NT:S-1-1-0)
BUILTIN\Users (NT:S-1-5-32-545)
BUILTIN\Administrators (NT:S-1-5-32-544)
DOMAIN\Domain Users (NT:S-1-5-21-141845252-1443263951-584457872-513)
DOMAIN\Domain Admins (NT:S-1-5-21-141845252-1443263951-584457872-512)
DOMAIN\clearcase (NT:S-1-5-21-141845252-1443263951-584457872-1022)
LOCAL (NT:S-1-2-0)
NT AUTHORITY\INTERACTIVE (NT:S-1-5-4)
NT AUTHORITY\Authenticated Users (NT:S-1-5-11)
You do not have ClearCase administrative privileges.
**********************************************************************************************
In ClearCase 2002.05 patched up to 15 or higher the creds output appears as follows:
**********************************************************************************************
C:\Program Files\Rational\ClearCase\etc\utils>creds
Login name: DOMAIN\user1
USID: NT:S-1-5-21-141845252-1443263951-584457872-2056
Primary group: DOMAIN\Domain Users (NT:S-1-5-21-141845252-1443263951-584457872-1023)
Groups: (10) Everyone (NT:S-1-1-0)
HOST1\Debugger UsersT(:S-1-5-21-329068152-287218729-682003330-1006)
BUILTIN\Administrators (NT:S-1-5-32-544)
BUILTIN\Users (NT:S-1-5-32-545)
DOMAIN\users (NT:S-1-5-21-141845252-1443263951-584457872-513)
DOMAIN\Domain Admins (NT:S-1-5-21-141845252-1443263951-584457872-512)
DOMAIN\clearcase (NT:S-1-5-21-141845252-1443263951-584457872-1022)
LOCAL (NT:S-1-2-0)
NT AUTHORITY\INTERACTIVE (NT:S-1-5-4)
NT AUTHORITY\Authenticated Users (NT:S-1-5-11)
You have ClearCase administrative privileges.
**********************************************************************************************
In the above examples the primary group on the domain controller was Domain Users.
So it appears that in ClearCase 2002.05.00 patch 15 and later, creds is defaulting to the users primary domain group if the group that is set is invalid.
Cause
Defect APAR IC45699 has been submitted to investigate this issue.
Diagnosing the problem
Review technote 1135509 for more information about the CLEARCASE_PRIMARY_GROUP variable.
Resolving the problem
The decision was made by Product Management to exclude the resolution of this defect from future upgrades and releases.
Rate this page:
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.