Password Validation Messages in db2diag.log

Technote (FAQ)


Question

How do I troubleshoot the password validation messages that are written to the db2diag.log ?

Answer

DB2 makes calls to the OS API in order to delegate authentication to the operating system. The only exception to this rule is when security plug-ins are used with DB2, in which case the security plug-ins perform authentication. Though most authentication errors are actually due to a problem at the operating system or within the security plug-in code, DB2 will usually throw a SQL30082N error with a particular return code. Examining the db2diag.log can provide more information to better troubleshoot the problem. Messages similar to the following could be found in the db2diag.log file:

2012-11-01-08.02.28.448318-240 I1687539A439 LEVEL: Warning
PID : 14483466 TID : 21275 PROC : db2sysc 0
INSTANCE: Instance NODE : 000 DB : Database
APPHDL : 0-26072
EDUID : 21275 EDUNAME: db2agent (Database) 0
FUNCTION: DB2 UDB, bsu security, sqlexLogPluginMessage, probe:20
DATA #1 : String with size, 67 bytes
Password validation for user db2user1 failed with rc = -2146500316

The following table outlines other such return codes, corresponding SQL30082N return codes, explanation as to what they mean, and action plans to potentially resolve the problem. If the table doesn't help in resolving the problem, please follow the instructions at the bottom of this page to collect the necessary diagnostics prior to engaging IBM Support for faster resolution.

    rc
    Corresponding SQL30082N rc
    Explanation
    Notes
    -2146500508
    1
    Password has expired
    1. Check that DB2 user ID
    naming conventions are
    followed.

    2. Check that password rules are followed.

    3. Check that user ID is not
    revoked/suspended

    4. Check that password has not expired. Reset if it has expired.
    -2146500507
    2
    The password is not valid for the specified user id
    -2146500290
    3
    Password missing
    -2146500504
    15, 24, 26, 36
    Password length is greater than the supported password length
    -2146500289
    5
    User ID missing
    -2146500502
    6
    Bad User
    -2146500316
    7
    User ID is revoked
    -2146500483
    19
    User ID suspended
    -2146500315
    24
    Invalid User ID or password
    -2146500271
    4
    Security protocol violation
    Collect diagnostics mentioned below.
    -2146499492
    15, 24
    Encryption types do not match
    For DB2 v9.5 FP4 and above, only the following encryption algorithms are supported:

    Crypt
    MD5
    SHA1
    SHA256
    SHA512
    Blowfish

    Note that these are the encryption algorithms used by the OS to encrypt user passwords. See following link for details.
    -2146500270
    17
    Authentication types do not match
    Ensure that both client and server authentication types are same.
    -2146500288
    17
    Unsupported function
    The security mechanism specified by the client is invalid for this server. Some typical examples:

    1. The client sent a new password value to a server that does not support the change password function.

    2. The client sent SERVER_ENCRYPT authentication information to a server that does not support password encryption.

    3. Authentication type catalog information must be the same at the server and the client.

    4. The client sent a user ID (but no password) to a server that does not support authentication by user ID only.

    5. The client has not specified an authentication type, and the server has not responded with a supported type. This might include the server returning multiple types from which the client is unable to choose.
    -2146500301
    20
    Mutual authentication failed
    Kerberos Authentication: The server being contacted failed to pass a mutual authentication check. The server is either an imposter, or the ticket sent back was damaged.
    -2146499529
    41
    A trusted connection was not established, so switch user request is invalid
    The client is configured to request a trusted connection and switch user in the trusted connection. A trusted connection must be established prior to switching user.
    -2146499506
    42
    Root capability required
    1. db2stop

    2. Login as ROOT

    3. From the instance home directory, run:
    db2iupdt -k <instance name>

    4. Retry connection

    *For non-root installation, need to run db2rfe
    See following link for details.
    -2146500252
    N/A
    The specified node or server is not available
    The server where authentication takes place is unavailable. For example, domain controller could not be reached, or a communication failure may have occurred in an LDAP or Kerberos environment.
    -2146500307
    N/A
    Unable to authenticate because of system error
    Collect diagnostics mentioned below.
    -2146500234
    25
    The security plugin has disallowed the connection
    If the problem takes place with the IBM provided LDAP or Kerberos plugins, set diaglevel to 4 by running the following command in your DB2 command prompt:

    db2 update dbm cfg using DIAGLEVEL 4

    Thereafter, also collect the requested diagnostics as per instructions below.

    If you are using a non-IBM security plug-in and the root cause is determined to be within this plug-in code, you must contact your plug-in vendor for support.

    Please see the DB2 v9.7 Information Center for general information on security plug-ins.
    -2146500233
    26
    The server security plugin encountered an unexpected error
    -2146500232
    27
    The server security plugin encountered an invalid server credential
    -2146500231
    28
    The server security plugin encountered an expired server credential
    -2146500230
    29
    The server security plugin encountered an invalid security token sent by the client
    -2146500229
    30
    The client security plugin is missing a required API
    -2146500228
    31
    The client security plugin is of the wrong plugin type
    -2146500227
    32
    The client security plugin does not have a matching GSS-API security plugin available for connection to the database
    -2146500226
    33
    The client security plugin cannot be loaded
    -2146500225
    34
    The client security plugin name is invalid
    -2146500224
    35
    The client security plugin reports an API version that is incompatible with DB2
    -2146500223
    36
    The client security plugin encountered an unexpected error
    -2146500222
    37
    The server security plugin encountered an invalid principal name
    -2146500221
    38
    The client security plugin encountered an invalid client credential
    -2146500220
    39
    The client security plugin encountered an expired client credential
    -2146500219
    40
    The client security plugin encountered an invalid security token sent by the server

Prior to contacting IBM Support, please ensure that you've collected the following diagnostics:


1. DB2 Support

In your DB2 command prompt, execute the following command:

db2support . -s

A db2support.zip file will be dumped.


2. DB2 Trace

In your DB2 command prompt, execute the following commands at the database server to capture the problem:

db2trc on -t -f trace.dmp
<reproduce the problem from command line to hit SQL30082N>
db2trc off
db2trc fmt trace.dmp trace.fmt
db2trc flw -t trace.dmp trace.flw
db2trc fmt -c trace.dmp trace.fmtc

Please place the .flw, .fmt, and .fmtc files into a folder and zip it.

3. File Upload Instructions

http://www-01.ibm.com/support/docview.wss?rs=71&&uid=swg21243808

    Related information

    SQL30082N

    Rate this page:

    (0 users)Average rating

    Add comments

    Document information


    More support for:

    DB2 for Linux, UNIX and Windows

    Software version:

    9.5, 9.7, 9.8, 10.1

    Operating system(s):

    AIX, HP-UX, Linux, Solaris, Windows

    Reference #:

    1623221

    Modified date:

    2013-05-03

    Translate my page

    Machine Translation

    Content navigation