Here are the answers to some frequently asked questions related to DB2 UDB for Windows NT and security. Excerpted from "The universal guide to DB2 for Windows NT," published by Prentice Hall PTR.
1. All my accounts are domain accounts. I do not want the Windows NT Domain Administrator controlling the definition and membership of groups that by DB2 DBA will use in the granting of DB2 privileges. What can I do?
In this case, you should create local groups on the DB2 UDB server and in these local groups explicitly specify the domain accounts that you want to include (that is domainnameuserid). You can include global groups if you choose, but then you are affected by any changes made to those global groups by the Windows NT Domain Administrator.
Once you create your local groups, you should set the DB2 registry variable DB2_GRP_LOOKUP=local and restart your DB2 instance. All group enumeration will now be performed on the local machine (this includes the definition of DB2 authority levels).
2. How do I get someone other than a local administrator or a domain administrator to be an administrator or DB2?
In this situation you should create another group, for example ADMDB2, and include in it the user accounts you want to have administer DB2 UDB. You should then update the DB2 database manager configuration file to set the SYSADM_GROUP parameter to ADMDB2.
3. I log onto a domain account, but DB2 UDB cannot find the groups I am a member of. What is the problem?
You must remember that DB2 does not qualify the name of a user with the domain name! When the account is presented to the DB2 server, DB2 first searches the local SAM, then the domain SAM and finally the SAM of any trusted domains. Once the user account is found, the groups are enumerated at that machine. A common problem is to have a local account the same as a domain account. DB2 finds the account on the local machine first and searches the local SAM for the groups that the user belongs to. In this case, delete the local account.
4. My domain account is a member of the local Administrator's group. I cannot administer DB2 however. Why?
There are two possibilities here. The most likely is that since DB2 has found your account on the domain controller, it is going to the domain controller to determine if you are an Administrator. Since you are not a domain Administrator, you are not (by default) a DB2 administrator. To get around this situation, you can tell DB2 to look on the local machine for its group definitions (use DB2_GRP_LOOKUP=local). You could also define an alternate group to be used as the SYSADM_GROUP and update the DB2 database manager configuration file parameter appropriately. The second possibility is that you are not a member of the group defined in the DB2 database manager configuration file SYSADM_GROUP field. This field will override the use of the Windows NT Administrator's group.
5. I define all my domain accounts in local groups, but DB2 does not seem to recognize them. What should I do?
You should set DB2_GRP_LOOKUP=local to have DB2 UDB look on the local machine for group definitions. By default, DB2 looks on the machine where it finds the definition of the account (userid), in this case, the domain controller.
For More Information
- Feedback: E-mail the editor with your thoughts about this tip.
- More tips: Hundreds of free DB2 tips and scripts.
- Tip contest: Have a DB2 tip to offer your fellow DBAs and developers? The best tips submitted will receive a cool prize -- submit your tip today!
- Ask the Experts: Our SQL, database design, Oracle, SQL Server, DB2, metadata, and data warehousing gurus are waiting to answer your toughest questions.
- Forums: Ask your technical DB2 questions--or help out your peers by answering them--in our active forums.
- Best Web Links: DB2 tips, tutorials, and scripts from around the Web.
This was first published in July 2003