
I have a Windows Server 2008 R2 running IBM DB2 using the local account .\DB2 for services. As I have to promote this server to domain controller, local users won't be available anymore and I need to substitute the DB2 local service account with a domain account.

The local DB2 service account belongs to these local groups: Administrators, DB2ADMNS and DB2USERS.

So, can I substitute this account with a domain\DB2 user account? What about the DB2ADMNS and DB2USERS local groups? What is the correct procedure to achieve this migration?

Thank you all for help!!!

Danilo Brambilla
  • Is your database server becoming THE domain controller? Or you're just adding the machine to an existing domain? – Ian Bjorhovde Jul 22 '11 at 18:29
  • Yes, it is going to become the second domain controller of an existing domain. I think this is not a good placement for a DC, but the customer does not want to buy another machine. Also, having only one domain controller is not a best practice – Danilo Brambilla Jul 26 '11 at 14:28

1 Answer

You can use MS Active Directory to store your db2 users and groups.

To do this you must configure the sqllib/cfg/IBMLDAPSecurity.ini file:

LDAP_HOST = <ldap_ip_or_hostname>
USER_OBJECTCLASS = user
USER_BASEDN = <dc=domain,dc=local>
USERID_ATTRIBUTE = sAMAccountName
AUTHID_ATTRIBUTE = sAMAccountName
GROUP_OBJECTCLASS = group
GROUP_BASEDN = <dc=domain,dc=local>
GROUPNAME_ATTRIBUTE = cn
GROUP_LOOKUP_METHOD = USER_ATTRIBUTE
GROUP_LOOKUP_ATTRIBUTE  = memberOf

NESTED_GROUPS = TRUE

FOLLOW_REFERRALS=false

SEARCH_DN = binduser
SEARCH_PW = bindpassword

Then you have to configure your db2 instance:

Client Userid-Password Plugin          (CLNT_PW_PLUGIN) = IBMLDAPauthclient
Group Plugin                             (GROUP_PLUGIN) = IBMLDAPgroups
Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) = IBMLDAPauthserver

SYSADM group name                        (SYSADM_GROUP) = DB2ADMINISG

You have to put your instance owner and other db2 admins in the DB2ADMINSG group. Then in DB2 you can grant/revoke access to any of the users/groups in Active Directory.

Aljaz Vidmar
  • What about the DB2ADMNS and DB2USERS local groups' file system permissions? I can see a lot of permissions granted to these local groups at DB2 installation time over the file system. If I move these local groups to AD I'll lose permissions too – Danilo Brambilla Jul 15 '11 at 12:30
  • You have to add the local users/groups to AD... then you will only change the password (auth) method from system to Active Directory – Aljaz Vidmar Jul 18 '11 at 06:11
  • Local users/groups cannot be 'added' to AD, I have to recreate them and grant the same file system permissions. So, as there isn't an exhaustive list of these permissions anywhere, I think this is not a good way to go. – Danilo Brambilla Jul 26 '11 at 14:25
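A small pre-flight check for the IBMLDAPSecurity.ini settings shown in the answer, added here as an example (it is not the answer's or IBM's code): it parses the KEY = VALUE fragment, flags angle-bracket placeholders that were never replaced, confirms the keys the answer relies on are present, and reminds you that the bind password sits in the file in clear text. The required-key list is taken from the posted fragment and the sample input is constructed.

```python
# Sanity-check an IBMLDAPSecurity.ini fragment before switching the instance to
# the IBMLDAPauth*/IBMLDAPgroups plugins. Added example; keys from the posted fragment.
import re

REQUIRED_KEYS = ("LDAP_HOST", "USER_OBJECTCLASS", "USER_BASEDN", "USERID_ATTRIBUTE",
                 "AUTHID_ATTRIBUTE", "GROUP_OBJECTCLASS", "GROUP_BASEDN",
                 "GROUPNAME_ATTRIBUTE", "GROUP_LOOKUP_METHOD")

def parse_ini(text):
    """Parse KEY = VALUE lines, skipping blanks and ;/# comment lines."""
    settings = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith((";", "#")):
            continue
        key, sep, value = line.partition("=")   # split on the first '=' only
        if not sep:
            raise ValueError(f"not a KEY = VALUE line: {line!r}")
        settings[key.strip().upper()] = value.strip()
    return settings

def check_settings(settings):
    """Return findings to fix before db2start; an empty list means usable."""
    findings = [f"missing {k}" for k in REQUIRED_KEYS if k not in settings]
    for key, value in settings.items():
        if re.fullmatch(r"<.*>", value):        # template value never replaced
            findings.append(f"{key} still holds the placeholder {value}")
    method = settings.get("GROUP_LOOKUP_METHOD", "").upper()
    if method == "USER_ATTRIBUTE" and "GROUP_LOOKUP_ATTRIBUTE" not in settings:
        findings.append("USER_ATTRIBUTE lookup needs GROUP_LOOKUP_ATTRIBUTE")
    if settings.get("SEARCH_PW"):
        findings.append("SEARCH_PW is stored in clear text: restrict the .ini ACL to the DB2 service account and Administrators")
    return findings

# Constructed sample: the posted fragment as it looks before the placeholders
# are replaced with the real host and base DNs.
SAMPLE_INI = """
LDAP_HOST = <ldap_ip_or_hostname>
USER_OBJECTCLASS = user
USER_BASEDN = <dc=domain,dc=local>
USERID_ATTRIBUTE = sAMAccountName
AUTHID_ATTRIBUTE = sAMAccountName
GROUP_OBJECTCLASS = group
GROUP_BASEDN = <dc=domain,dc=local>
GROUPNAME_ATTRIBUTE = cn
GROUP_LOOKUP_METHOD = USER_ATTRIBUTE
GROUP_LOOKUP_ATTRIBUTE  = memberOf
SEARCH_DN = binduser
SEARCH_PW = bindpassword
"""
```

Running `check_settings(parse_ini(SAMPLE_INI))` on the untouched fragment reports the three placeholders and the clear-text password; once the host and base DNs are filled in only the password reminder remains.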