-
Title
DB2 crash / core dump on AIX 7.2 TL 5 systems running DB2 11.5 and Safeguard Authentication Services (SAS). -
Description
DB2 crash / core dump on AIX 7.2 TL 5 systems running DB2 11.5 and Safeguard Authentication Services (SAS).
A back trace of the corresponding core file shows that the crash occurs in the nss_vas_str_to_group or nss_vas_gns_strs function in the getgrgid() call.
Example: 0x09000000016A5148 nss_vas_str_to_group + 0x3CC
In may also show up further down in the trace as follows without the nss line:
0x090000000077031C nss_vas_str_to_group + 0x3B4
0x090000000076D158 vas_sysid_getgrgid_r + 0xF0
0x090000000076ABF8 vasaix_getgrgid + 0x84
0x0900000000117184 _getgrgid_r + 0xCE4
0x090000000011BF9C getgrgid_r + 0x1C
0x0900000000114D58 _posix_getgrgid_r + 0x118
0x0900000011B2B7DC sqloGetGroupAttribById + 0x33C
0x09000000193DA6B0 secGetGroups__FPcPvPCciPPcPiT3N24 + 0x330
0x090000000073F678 osplugin_get_groups__FPcPvPCciPPcPiT3N24 + 0xB8
0x09000000007400E8 get_groups_external__FPCciT1T2T1N22T1T2PvN22T1T2PPvPiPPcT16_ + 0x808
0x0900000011DBA58C getgroupsforuser__FPciT1T2T1N22T1T2PvN22T1T2P14sqlo_mem_descrP17group_functions_1 + 0x2EC
0x0900000011DBB48C sqlexGetGroupsForUser__FPciT1T2T1N22T1T2PvN22T1T2P14sqlo_mem_descrP9sqlf_kcfd + 0x42C0x090000001905F548 sqlexSlsSystemAccrdb__FP14db2UCinterface + 0x248
0x0900000012235CA0 sqlexEngAuthenticate__FP14db2UCinterface + 0x1700
0x0900000012EC0DD0 AppLocalStart__14sqeApplicationFP14db2UCinterface + 0x410
0x0900000012732C04 sqlelostWrp__FP14db2UCinterface + 0x44
0x090000001272C818 sqleUCengnInit__FP14db2UCinterfaceUs + 0x958
0x090000001272D060 sqleUCagentConnect + 0x6A0 -
Cause
Product Defects:
1) 268477 - Crash in certain edge cases due to thread safety issues.
2) 302187 - Certain memory calls caused segfaults on busy systems.
3) 307979 - DB2 segfault in nss_vas_str_to_group
4) 325461 - Move the AIX LAM Module from v1 to v2
-
Resolution
Fix:
The fix for product defect 268477 is available in version 5.0.3 of Safeguard Authentication Services and up.
The fix for product defect 302187 is available in version 5.0.6 of Safeguard Authentication Services and up.
The fix for product defect 307979 is in version 5.0.7.10004 of Safeguard Authentication Services and up.
The fix for product defect 325461 is in version 5.0.8, 5.1.1, and up.
Upgrade to version 5.0.8 or 5.1.1 or above and DB2set -> DB2_ALTERNATE_GROUP_LOOKUP to GETUSERATTR
Please note that it is per instance therefore if multiple DB2 instances are being hosted on a system the change needs to be made on all of the instances.Restart all DB2 instances post-upgrading. This restart is needed because the change is in the LAM module that's loaded into memory.
It may suffice as a temporary workaround to only DB2set -> DB2_ALTERNATE_GROUP_LOOKUP to GETUSERATTR however upgrading and setting GETUSERATTR is the fix:
NOTE: The information below this line is only needed if there are permissions issues when applying the above-noted DB2set.
If DB2_ALTERNATE_GROUP_LOOKUP can be set to GETUSERATTR without issue then no further changes are required.
In order to make the above change DB2 requires that the DB2 instance owner be a direct member of the instance group. If the owner is only implied, meaning their PGID is that of the instance group but they are not actually in that group it will fail to set the value.
The fix for this is to either make the instance owner a direct member of the group or use the following setting:
1) run the following command to update the vas.conf file with the needed configuration:
/opt/quest/bin/vastool configure vas nss_vas include-implicit-members trueThen run the following command which will tell the Authentication Services vasd daemon to implement the change.
2) /opt/quest/libexec/vas/sugi/asdcom SendEntFlush
-
Change Request
302187