IBM Support

SQL0443N while querying admin stored procedure if GSS authentication is used

Troubleshooting


Problem

SQL0443N is returned when querying an admin stored procedure while GSS authentication is in use. The problem applies when one of the following GSS authentication types is in effect: KERBEROS, GSSPLUGIN, KRB_SERVER_ENCRYPT, GSS_SERVER_ENCRYPT.

Symptom

For example, when calling the admin stored procedure SYSIBMADM.DBPATHS, you may see an error like the one below if GSS authentication is used:

C:\Program Files\IBM\SQLLIB\bin>db2 SELECT type, path FROM SYSIBMADM.DBPATHS where type in ('LOCAL_DB_DIRECTORY','LOGPATH', 'DBPATH')

TYPE PATH

. . .

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
-------------------------
SQL0443N Routine "SYSPROC.ADMIN_LIST_DB_PATHS" (specific name
"ADMIN_LIST_DB_PATHS") has returned an error SQLSTATE with diagnostic text "".
SQLSTATE=38553

Cause

An admin stored procedure may internally call another stored procedure or table function. You may be able to see this in the error message. For example, SYSIBMADM.DBPATHS internally calls the SYSPROC.ADMIN_LIST_DB_PATHS table function, and that name appears in the error message:

C:\Program Files\IBM\SQLLIB\bin>db2 SELECT type, path FROM SYSIBMADM.DBPATHS where type in ('LOCAL_DB_DIRECTORY','LOGPATH', 'DBPATH')

TYPE PATH

. . .

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
-------------------------
SQL0443N Routine "SYSPROC.ADMIN_LIST_DB_PATHS" (specific name
"ADMIN_LIST_DB_PATHS") has returned an error SQLSTATE with diagnostic text "".
SQLSTATE=38553



The internal call initiates another trusted connection with the server, for which authentication fails if GSS authentication is used. This problem is similar to the one addressed in APAR LI73376.

Diagnosing The Problem

1) This happens only when calling an admin stored procedure from a client where the client and server are located on the same machine, or when calling the admin stored procedure directly on the server.

2) If you change the authentication type from a GSS type to 'SERVER', you will not see the problem.

3) Example db2diag.log messages for SYSIBMADM.DBPATHS look like the following:

2013-08-28-14.28.35.563000-300 I120040F495 LEVEL: Error
PID : 5400 TID : 5500 PROC : db2syscs.exe
INSTANCE: DB2 NODE : 000 DB : TEMP
APPHDL : 0-88 APPID: *LOCAL.DB2.130828192837
AUTHID : DB2INST1
EDUID : 5500 EDUNAME: db2agent (TEMP) 0
FUNCTION: DB2 UDB, bsu security, sqlexLogPluginMessage, probe:20
DATA #1 : String with size, 45 bytes
InitializeSecurityContext returned 0x8009030c

2013-08-28-14.28.35.563000-300 E120537F627 LEVEL: Severe
PID : 5400 TID : 5500 PROC : db2syscs.exe
INSTANCE: DB2 NODE : 000 DB : TEMP
APPHDL : 0-88 APPID: *LOCAL.DB2.130828192837
AUTHID : DB2INST1
EDUID : 5500 EDUNAME: db2agent (TEMP) 0
FUNCTION: DB2 UDB, bsu security, sqlexSlcGssPluginSecchk, probe:200
MESSAGE : ADM13000E Plug-in "IBMkrb5" received error code "983040" from the
GSS (Generic Security Service) API "gss_init_sec_context" with the
error message "The logon attempt failed ".

2013-08-28-14.28.35.595000-300 I121166F591 LEVEL: Error
PID : 4064 TID : 4640 PROC : ClDb2Agent.exe
INSTANCE: DB2 NODE : 000
APPID : *LOCAL.DB2.130828192837
EDUID : 4640
FUNCTION: DB2 UDB, database utilities, sqluCheckSqlca, probe:2136
MESSAGE : SQL0443N Routine "SYSPROC.ADMIN_LIST_DB_PATHS" (specific name
"ADMIN_LIST_DB_PATHS") has returned an error SQLSTATE with diagnostic
text "".
DATA #1 : String, 12 bytes
sqluexpm.SQC
DATA #2 : String, 44 bytes
Error from Import/Export or Load Processing.
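
The following Python example is added here and is not IBM's code: it splits db2diag.log text into records and reports each APPID that logged both the ADM13000E gss_init_sec_context failure and SQL0443N, the pairing shown in the log above. The function names and the fourth sample record are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copies of the three records shown above, plus one
# invented record (APPID ...200000) that has SQL0443N without any GSS failure.
SAMPLE = """\
2013-08-28-14.28.35.563000-300 I120040F495 LEVEL: Error
APPHDL : 0-88 APPID: *LOCAL.DB2.130828192837
InitializeSecurityContext returned 0x8009030c

2013-08-28-14.28.35.563000-300 E120537F627 LEVEL: Severe
APPHDL : 0-88 APPID: *LOCAL.DB2.130828192837
MESSAGE : ADM13000E Plug-in "IBMkrb5" received error code "983040" from the
GSS (Generic Security Service) API "gss_init_sec_context" with the

2013-08-28-14.28.35.595000-300 I121166F591 LEVEL: Error
APPID : *LOCAL.DB2.130828192837
MESSAGE : SQL0443N Routine "SYSPROC.ADMIN_LIST_DB_PATHS" (specific name

2013-08-28-15.00.00.000000-300 I121800F400 LEVEL: Error
APPID : *LOCAL.DB2.130828200000
MESSAGE : SQL0443N Routine "SYSPROC.ADMIN_LIST_DB_PATHS" (specific name
"""

HEADER = re.compile(r"^\d{4}-\d\d-\d\d-\d\d\.\d\d\.\d\d\.\d{6}[+-]\d{3}\s+\S+\s+LEVEL:", re.M)
APPID = re.compile(r"APPID\s*:\s*(\S+)")  # the log writes both "APPID:" and "APPID :"

def parse_records(text):
    """Split db2diag.log text into (appid, body) pairs, one per timestamp header."""
    starts = [m.start() for m in HEADER.finditer(text)] + [len(text)]
    records = []
    for begin, end in zip(starts, starts[1:]):
        body = text[begin:end].strip()
        app = APPID.search(body)
        records.append((app.group(1) if app else None, body))
    return records

def gss_related_sql0443n(text):
    """APPIDs that logged a gss_init_sec_context failure and also SQL0443N."""
    seen = defaultdict(set)
    for appid, body in parse_records(text):
        if "ADM13000E" in body and "gss_init_sec_context" in body:
            seen[appid].add("gss")
        if "SQL0443N" in body:
            seen[appid].add("sql0443n")
    return sorted(a for a, tags in seen.items() if a and tags == {"gss", "sql0443n"})

if __name__ == "__main__":
    print(gss_related_sql0443n(SAMPLE))
```

An APPID that shows SQL0443N without the GSS plug-in failure is not reported, since that routine error has some other cause.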

Resolving The Problem

The ALLOW_LOCAL_FALLBACK feature allows the DB2 server to fall back to SERVER authentication for local implicit connects. The workaround is to set the DB2AUTH registry variable to ALLOW_LOCAL_FALLBACK and restart the instance.

db2set DB2AUTH=ALLOW_LOCAL_FALLBACK
db2stop
db2start

Document Information

Product: Db2 for Linux, UNIX and Windows
Component: Routines (SP & UDF) - SQL
Platform: Windows
Version: 9.7; 9.5; 10.1; 10.5
Edition: Advanced Enterprise Server; Advanced Workgroup Server; Enterprise Server; Express; Personal; Workgroup Server

Modified date:
16 June 2018

UID

swg21654277