group in the password file

[flashgordon]

Hi,

Our large organization is using a new Unix password authentication called VAS. With VAS you have no entry you can see in /etc/passwd. VAS uses windows authentication to find the password - single uid/pw. This VAS id allows me to logon to putty on the machine. I got my userid added to the equivalent of the dsadm group.

grep 104 /etc/group
psoftprda::104:gordonxx

In terms of the primary and secondary groups you can see in /etc/passwd I have no useful groups in terms of Datastage. When I tried to sign in with Datastage I get "Invalid Userid/pw ...". I think I could get 104 added as secondary group to my Unix id. Is that what I need to do to get this to work with the Datastage GUI's?

... Flash

[ray.wurlod]

No idea. Why not try it and let us know?

[flashgordon]

Ok Ray,

I was just hoping you'd give me some hints. I have a great deal of faith in your knowledge of all things Datastage and Unix. It's just perplexing. On any other box, if I add the userid to the dsadm group, they can use datastage and save jobs, even if they don't have a primary or secondary group that is datastage related. It's not working on this box with this new authentication. I will find the answer and report back!

... Tom

[rleishman]

What do you get when you type "groups" at the Unix prompt?

[flashgordon]

Ross,

I tried to reply to your posting earlier but the site failed. Thank you for the groups suggestion, it was a command I didn't know existed. With a telnet login, groups said I was in the needed datastage group. I think the problem here is the Windows Datastage gui is using some c++ routine to authenticate on the Datastage unix server and that is short of a full telnet login.

At any rate. I have resolution to this but no solution. Peoplesoft support who told me they consulted heavily with Ascential said that VAS id's are not supported by Datastage. So if it works, fine, if it doesn't they're not going to try to make it work. There were some bizarre new developments to this story. If you have a VAS id you can run bin/uvsh and bin/dssh and they work. I even was able to run Datastage jobs with a VAS id using dsjob. But when this same id tries to sign on to Datastage designer, you get a userid/pw error.

So this is the informal status. I was told that VAS id's on an AIX platform work with the Datastage GUI tools but I didn't witness that personally. I tried very hard to get a VAS id to work with the Datastage Windows tool on a very current release Solaris box and couldn't get it to work. This effort included having a very knowledgable Datastage Administator loosen permissions on things like the license file, in case that was the problem.

... Tom

[ray.wurlod]

Client authentication is actually managed by the DataStage RPC daemon (dsrpcd). However, how it does this internally is knowledge denied to us, the great unwashed. I suspect even the ATS group (advanced technical support) in IBM would have to ask Engineering.

[lgharis]

We had a similar issue when we moved to an authentication tool called Keon. Here is what we found out. The DataStage logon daemon reads the /etc/passwd file to get the password for the id that is attempting to logon. The password from the /etc/passwd file is then used to logon, not the password that was entered in the DS client, and is intercepted by Keon for logon. If the password in the /etc/passwd file gets out of sync with the password in Keon, then we are not able to logon. Somehow that situation occurred as there was a bug in Keon. Once the passwords were synchronized we were able to logon.

Just thought I would share this in case you may have a similar situation with using the VAS authentication tool.

[flashgordon]

Leroy,

Thanks for the tip. You have definitely clarified something for me. With VAS there is no userid entry in the password file although VAS id's can be referred to in groups. So this gives us an important perspective on the problem, thanks.

... Flash