DB2: SQL30082N Security processing failed with reason “15″

honza — Mon, 11 May 2009 21:51:04 +0000

If you are getting

SQL30082N Security processing failed with reason „15“ („PROCESSING FAILURE“)

when connecting to the db2 database using db2 CONNECT TO dbname USER username or

Connection authorization failure occurred. Reason: Local security service non-retryable error. ERRORCODE=-4214, SQLSTATE=28000

when connecting remotely (via JDBC driver) read on. I finally found what causes this error and a solution!

[ad]

Environment

OS: Fedora Core 10 64bit
DB2: version 9.5, Express edition
See lower for the solution for Ubuntu

Problem

Tho whole problem is in the format of the passwords in /etc/shadow. DB2 doesn't seem to like the passwords generated when changing password using the standard passwd command. In Fedora Core 10 the password is hashed using sha-512 and the entry for user username looks like:

username:$6$efWWOYRY$z5DNL1kLQU4AmPkFBqbQh6LOh0Qjxq654dS9jE46iPNp8Zces8I4bP8GLZ3G3RWLo/6o.LYOV5neYSKxXbL.M1:14375:0:99999:7:::

Solution

DB2 works fine with passwords hashed with standard crypt function. Password in the desired format can be obtained by calling openssl passwd desiredPassword. The output of openssl can be passed to usermod --password The complete command to change user's password then look like:

usermod --password `openssl passwd desiredPassword` usename

Bigger image

I tried to hand-edit /etc/shadow and insert salted MD5 password, which can be obtained by openssl passwd -1 desiredPassword and the connection was sucessfuly established. To sum it up, the whole problem in the end seems to be that DB2 doesn't like SHA-512 hashes in /etc/shadow. On the other hand, it works fine with hashes generated by crypt and MD5.

Changing default algorithm in Fedora Core

Fedora Core contains a nice tool authconfig. To change the default hashing algorithm to MD5 run

authconfig –passalgo md5 –update

All the passwords inserted in the password database will be stored in MD5 from now on. It will, of course, not change the hashes of the current passwords.

Ubuntu

Ubuntu ships with sha512 as default hash algorithm for passwords in /etc/shadow. The easiest way to change the default algorithm is to edit the file /etc/pam.d/common-password and change the line that reads

password [success=1 default=ignore] pam_unix.so obscure sha512

password [success=1 default=ignore] pam_unix.so obscure md5

The information about the algorith is also included in the file /etc/login.defs, which is used by chpasswd for example. Therefore change the line

ENCRYPT_METHOD SHA512

ENCRYPT_METHOD MD5

Debian Lenny VIM broken dependency

honza — Sat, 28 Jun 2008 00:47:38 +0000

Today I ran apt-get update && apt-get dist-upgrade on my Debian Lenny installed on WD MyBook as I ussually do. It removed VIM (I let it as I thought it was just replaced by another package). I tried to run vim after the upgrade but it was really uninstalled. Trying to install it again by apt-get install I got

The following packages have unmet dependencies:
  vim: Depends: vim-runtime (= 1:7.1.293-3)
         but 1:7.1.293-3+lenny1 is to be installed
E: Broken packages

I tried to uninstall vim-runtime. It didn't help. I don't have time to solve it now so I can't give a solution. If you encountered the same problem and have a solution to this problem, I'd really appretiate your comment.

It's quite sad that Debian repository is not consistent and one gets errors using apt-get.

Honza's perspective » problem