MQ

  • 1.  xcsGetpwuid got password entry with user name too long

    Posted Thu August 22, 2019 03:19 PM
    Today I had a problem with account name length between Linux and Active Directory.

    Environment:
    • Linux RHEL 7.6
    • MQ 9103
    • no SSL
    Users are checked by the OS via AD (on a Windows server).
    MQ administrators belong to an AD group (MQADM), and ALL rights were given to this group via SET AUTHRECs.
    This type of configuration works perfectly on other Linux servers.

    Here the account "abc" belongs to the group "MQADM".
    From the Linux command line, I can do a su - abc. But a runmqsc fails "no rights".
    Via MQ Explorer (specifying a user / password), same error.

    In /var/mqm/errors, there are many FDCs, and in AMQERR01.LOG, I got:
    08/22/2019 03:09:40 PM - Process (27493.1) User (abc@) Program (runmqsc)
    Host (xxxxxx) Installation (Installation1)
    VRMF (9.1.0.3)
    Time (2019-08-22T13: 09: 40.179Z)
    RemoteHost (.)
    ArithInsert1 (1082155384)
    CommentInsert1 (xcsGetpwuid got password entry with user name too long (more than 13 characters).)
    CommentInsert2 (Details: getuid () returned 1657201500; getpwuid_r (1657201500) found user name "abc@department.company.corp".)
    CommentInsert3 (A user name of "UNKNOWN" will be used, which will likely cause later authorization failures.) Note this FFST can be turned off by exporting env AMQ_NOFFST_PROCESS_UID.)
    AMQ6125E: An internal IBM MQ error has occurred.

    Obviously the AD query retrieves the long name of the user, which is too long for MQ.
    Any ideas to avoid this problem?

    Thanks !

    ------------------------------
    Luc-Michel Demey
    DEMEY CONSULTING
    ------------------------------


  • 2.  RE: xcsGetpwuid got password entry with user name too long

    Posted Fri August 23, 2019 03:37 AM
    I believe the answer is: Have you looked at what you need to do to configure your AD to retrieve the short name only?

    ------------------------------
    Francois Brandelik
    Madison CT
    630-235-3023
    ------------------------------



  • 3.  RE: xcsGetpwuid got password entry with user name too long

    Posted Fri August 23, 2019 04:29 AM
    We have no control over AD configuration and how the names are retrieved.
    Is there a parameter at MQ level that allows forcing the short name to be retrieved instead of the long one?

    Thank you.

    ------------------------------
    Luc-Michel Demey
    DEMEY CONSULTING
    ------------------------------



  • 4.  RE: xcsGetpwuid got password entry with user name too long

    Posted Tue August 27, 2019 03:35 AM
    There is a way to get MQ to use the shortname *if* you had configured MQ to use AD directly as its identity provider. However, you have asked MQ to use the OS. Therefore, you are dependent on the OS settings and therefore, you need to find a way to get the OS to use the AD shortname. I don't know of a way to do this - it's an OS question, not an MQ question, I believe.
    Sorry, I can't be of more help.

    ------------------------------
    John Hawkins
    CTO
    Lightwell
    ------------------------------



  • 5.  RE: xcsGetpwuid got password entry with user name too long

    Posted Tue August 27, 2019 04:46 PM
    Thanks John, I will check the way Linux is using AD with the OS team.

    ------------------------------
    Luc-Michel Demey
    DEMEY CONSULTING
    ------------------------------
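
The lookup that the FDC in the first post reports (getuid() followed by getpwuid_r()), reproduced as a small C diagnostic to run under the affected account so the OS team can see which name the resolver hands back. This is an added example, not part of the original thread and not IBM MQ code; `check_name`, `lookup_name` and `NAME_LIMIT` are hypothetical names, and the limit of 13 is an assumption taken from the error text quoted in the first post.

```c
/* Added diagnostic, not IBM MQ code: repeats the lookup named in the FDC
 * and checks the length of the user name the OS returns. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: figure taken from the FDC text ("more than 13 characters"). */
#define NAME_LIMIT 13

/* Returns 1 if name is longer than limit, else 0. *short_len receives the
 * length of the part before an "@realm" qualifier (full length if none). */
int check_name(const char *name, size_t limit, size_t *short_len)
{
    size_t len = strlen(name);
    const char *at = strchr(name, '@');
    *short_len = at ? (size_t)(at - name) : len;
    return len > limit;
}

/* Resolves uid through the OS name service, as any process would.
 * Returns 0 and fills out on success, -1 if there is no entry or no room. */
int lookup_name(uid_t uid, char *out, size_t outsz)
{
    struct passwd pw, *res = NULL;
    char buf[16384];
    if (getpwuid_r(uid, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    if (strlen(pw.pw_name) >= outsz)
        return -1;
    strcpy(out, pw.pw_name);
    return 0;
}

int main(void)
{
    char name[256];
    size_t short_len;
    uid_t uid = getuid();
    if (lookup_name(uid, name, sizeof name) != 0) {
        fprintf(stderr, "uid %lu: no passwd entry\n", (unsigned long)uid);
        return 2;
    }
    int too_long = check_name(name, NAME_LIMIT, &short_len);
    printf("uid %lu -> \"%s\" (%zu chars, part before '@' %zu chars): %s\n",
           (unsigned long)uid, name, strlen(name), short_len,
           too_long ? "TOO LONG" : "ok");
    return too_long;
}
```

The exit status is 0 when the name fits, 1 when it is too long and 2 when the uid has no passwd entry, so the check can be scripted across servers to compare one that works with one that does not.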