DB2 crash / core dump on AIX 7.2 TL 5 systems running DB2 11.5 and Safeguard Authentication Services (SAS).
A back trace of the corresponding core file shows that the crash occurs in the nss_vas_str_to_group or nss_vas_gns_strs function in the getgrgid() call.
Example: 0x09000000016A5148 nss_vas_str_to_group + 0x3CC
In may also show up further down in the trace as follows without the nss line:
1) 268477 - Crash in certain edge cases due to thread safety issues.
2) 302187 - Certain memory calls caused segfaults on busy systems.
3) 307979 - DB2 segfault in nss_vas_str_to_group
The fix for product defect 268477 is available in version 5.0.3 of Safeguard Authentication Services and up.
The fix for product defect 302187 is available in version 5.0.6 of Safeguard Authentication Services and up.
The fix for product defect 307979 is in version 188.8.131.5204 of Safeguard Authentication Services and up.
Upgrade to version 5.0.7 and DB2set -> DB2_ALTERNATE_GROUP_LOOKUP to GETUSERATTR
Restart all DB2 instances post upgrading to version 5.0.7. This restart is needed because the change is in the LAM module that's loaded into memory.
It may suffice as a temporary workaround to only DB2set -> DB2_ALTERNATE_GROUP_LOOKUP to GETUSERATTR however upgrading to version 5.0.7 and setting GETUSERATTR is the recommended fix:Please note that it is per instance therefore if multiple DB2 instances are being hosted on a system the change needs to be made on all of the instances.
NOTE: The information below this line is only needed if there are permissions issues when applying the above noted DB2set.
If DB2_ALTERNATE_GROUP_LOOKUP can be set to GETUSERATTR without issue then no further changes are required.
In order to make the above change DB2 requires that the DB2 instance owner be a direct member of the instance group. If the owner is only implied, meaning their PGID is that of the instance group but they are not actually in that group it will fail to set the value.
The fix for this is to either make the instance owner a direct member of the group or use the following setting:
1) run the following command to update the vas.conf file with the needed configuration:
/opt/quest/bin/vastool configure vas nss_vas include-implicit-members true
Then run the following command which will tell the Authentication Services vasd daemon to implement the change.
2) /opt/quest/libexec/vas/sugi/asdcom SendEntFlush
© 2022 One Identity LLC. ALL RIGHTS RESERVED. Feedback 使用条款 隐私