How can I configure the Ingres service to run as a Windows domain user?

Document ID : KB000055219
Last Modified Date : 14/02/2018

Description:

This document describes how to configure the Ingres service to run as a Windows domain user for both Ingres r3 and Ingres r2.6.

Detailed steps are provided for each version.

Solution:

You can configure any Windows domain administrator to start the Ingres service. The process differs slightly between Ingres r3 and Ingres 2.6; both are described below.

Ingres 2.6:

These are the steps that need to be performed:

  1. Ensure that the user has standard administrative rights to start any Windows service on the machine.

  2. Ensure that the user has equivalent read/write/execute rights as the LocalSystem account to everything within the Ingres installation directory.

  3. The user account has the following rights within the security policy:


    • Log on as a service
    • Log on locally
    • Act as a part of the operating system

  4. Configure the user as an authorized user within the Ingres RDBMS.

  5. Change the Ingres Intelligent Database service log on credentials.

  6. Edit the Ingres configuration file: config.dat

1. Configuring Windows Administrative Rights

Once you have defined the domain user account on the directory server, the domain user must be given administrative rights on the directory server.

To do this, right-click the My Computer icon and select Manage.

Figure 1

When the Computer Management utility appears, expand the Local Users and Groups item and left click on the Groups icon.

Figure 2

Right click on the Administrators group in the right hand pane, and select the Add to Group option.

Type in the domain name of the user you wish to add to the local administrators group and click OK.

2. Ensure the user has sufficient access to the Ingres filesystem

By default, the Administrators group has the access rights listed below to the Ingres filesystem. This is the level of access the user requires to the Ingres filesystem:

  • Modify
  • Read & Execute
  • List Folder Contents
  • Read
  • Write
  • Full Control

3. Configuring Security Access Policy

Once the domain user has been granted Administrator status on the directory server, the following security policies need to be modified.

  • Log on as a service
  • Log on locally
  • Act as a part of the operating system

To modify the security policy, navigate to the User Access Rights by selecting:

Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment.

Figure 3

From the right hand pane, double click on the Act as part of the operating system policy, click the Add User or Group button and type in the domain name of the user in the following format:

username@cosineDomainComponent

Once the username has been defined, click the OK button twice.

Figure 4

Perform the same function for the Log on as a service and Log on locally (or Allow log on locally for Windows 2003 Server) security policies.

4. Add the user to the Ingres RDBMS

To add the domain user account to the Ingres RDBMS, follow the process below:

  1. Type in: dxadduser username@cosineDomainComponent

  2. Type in: accessdb

  3. Press Shift & F3 to edit the Users access list

    Figure 5

  4. Arrow down to the domain user account you just added and press Shift & F2 to edit the user account.

  5. Tab through the form until you get to the Maintain Users item. Change the N to a Y. These are additional privileges that are normally granted to the ingres system user (LocalSystem in Windows). All permissions should now have a 'Y' against them.

    Figure 6

  6. Press Shift & F5 to edit the preferences for the user, and ensure that all the options up to maintain users have a 'y' beside them.

    Figure 7

  7. Press F10 to exit the preferences screen.

  8. Press F3 to save the changes.

  9. Press F10 twice to exit out of accessdb.

    At this point you will need to stop and restart Ingres.

  10. From the Windows services applet, select the Ingres Intelligent Database service and stop it.

5. Change The Service Log on Credentials

  1. Double click on the Ingres Intelligent Database and select the Log On tab and ensure that the This account option is clicked, then type in the domain username and password in the spaces provided.

    Figure 8

    Then click OK to save the credential change.

    All that remains is for you to restart the Ingres Intelligent Database service from the Windows services applet.

Ingres r3:

These are the steps that need to be performed:

  1. Ensure that the user has standard administrative rights to start any Windows service on the machine.

  2. Ensure that the user has equivalent read/write/execute rights as the LocalSystem account to everything within the Ingres installation directory.

  3. The user account has the following rights within the security policy:

    • Log on as a service
    • Log on locally
    • Act as a part of the operating system

  4. Configure the user as an authorized user within the Ingres RDBMS.

  5. Change the Ingres Intelligent Database service log on credentials.

  6. Edit the Ingres configuration file: config.dat

1. Configuring Windows Administrative Rights

Once you have defined the domain user account on the directory server, the domain user must be given administrative rights on the directory server.

To do this, right-click the My Computer icon and select Manage.

Figure 9

When the Computer Management utility appears, expand the Local Users and Groups item and left click on the Groups icon.

Figure 10

Right click on the Administrators group in the right hand pane, and select the Add to Group option.

Type in the domain name of the user you wish to add to the local administrators group and click OK.

2. Ensure the user has sufficient access to the Ingres filesystem

By default, the Administrators group has the access rights listed below to the Ingres filesystem. This is the level of access the user requires to the Ingres filesystem:

  • Modify
  • Read & Execute
  • List Folder Contents
  • Read
  • Write
  • Full Control

3. Configuring Security Access Policy

Once the domain user has been granted Administrator status on the directory server, the following security policies need to be modified.

  • Log on as a service
  • Log on locally
  • Act as a part of the operating system

To modify the security policy, navigate to the User Access Rights by selecting:

Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment.

Figure 11

From the right hand pane, double click on the Act as part of the operating system policy, click the Add User or Group button and type in the domain name of the user in the following format:

username@cosineDomainComponent

Once the username has been defined, click the OK button twice.

Figure 12

Perform the same function for the Log on as a service and Log on locally (or Allow log on locally for Windows 2003 Server) security policies.
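An added example, not part of the original document or vendor tooling: a PowerShell check that the three rights from section 3 (the same for Ingres 2.6 and r3) are assigned, read from a `secedit` export. The function names, the sample SID and the temp file name are assumptions made for illustration; the local Administrators SID is included because step 1 adds the account to that group.

```powershell
# Added example (not vendor code): audit the three user rights from section 3.
param([string]$Account)   # optional: the account configured for the service

# Return the principals listed for one right in a secedit [Privilege Rights] export.
function Get-RightHolders {
    param([string[]]$InfLines, [string]$Right)
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

# Report, per right, whether any supplied identity (SID or name) holds it.
function Test-ServiceAccountRights {
    param([string[]]$InfLines, [string[]]$Identities)
    $rights = [ordered]@{
        SeServiceLogonRight     = 'Log on as a service'
        SeInteractiveLogonRight = 'Log on locally'
        SeTcbPrivilege          = 'Act as part of the operating system'
    }
    foreach ($r in $rights.Keys) {
        $holders = @(Get-RightHolders -InfLines $InfLines -Right $r)
        [pscustomobject]@{
            Policy  = $rights[$r]
            Granted = [bool]($Identities | Where-Object { $holders -contains $_ })
            Holders = $holders -join ', '   # review who else holds each right
        }
    }
}

if (-not $Account) {
    # Constructed sample export and SID, for a dry run that reads no policy.
    $userSid = 'S-1-5-21-1111111111-2222222222-3333333333-1104'
    $lines = @(
        '[Privilege Rights]',
        "SeServiceLogonRight = *S-1-5-80-0,*$userSid",
        'SeInteractiveLogonRight = *S-1-5-32-544',
        "SeTcbPrivilege = *$userSid"
    )
} else {
    # Live check from an elevated prompt: export the policy, resolve the account SID.
    $cfg = Join-Path $env:TEMP 'ingres_user_rights.inf'
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    $lines = Get-Content $cfg
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $userSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
# S-1-5-32-544 is the local Administrators group the account joined in step 1.
Test-ServiceAccountRights -InfLines $lines -Identities $userSid, 'S-1-5-32-544', $Account
```

Run it with no arguments for the dry run, or pass `-Account` from an elevated prompt to check the live policy. Only direct assignments and the Administrators group are considered; rights inherited through other groups are not resolved.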

4. Add the user to the Ingres RDBMS

To add the domain user account to the Ingres RDBMS, follow the process below:

  1. Type in: dxadduser username@cosineDomainComponent

  2. Type in: accessdb

  3. Press Shift & F3 to edit the Users access list

    Figure 13

  4. Arrow down to the domain user account you just added and press Shift & F2 to edit the user account.

  5. Tab through the form until you get to the Maintain Users and Security Administrator items. Change the N to a Y. These are additional privileges that are normally granted to the ingres system user (LocalSystem in Windows).

    Figure 14

  6. Press Shift & F5 to edit the preferences for the user, and ensure that all the options have a 'y' beside them.

    Figure 15

  7. Press F10 to exit the preferences screen.

  8. Press F3 to save the changes.

  9. Press F10 twice to exit out of accessdb.

    At this point you will need to stop and restart Ingres.

  10. From the Windows services applet, select the Ingres Intelligent Database service and stop it.

5. Change The Service Log on Credentials

  1. Double click on the Ingres Intelligent Database and select the Log On tab and ensure that the This account option is clicked, then type in the domain username and password in the spaces provided. Then click OK to save the credential change.

    Figure 16

6. Edit The Config.dat Ingres Configuration File

  1. Backup the $II_SYSTEM\ingres\files\config.dat file to an alternate secure location.

  2. Edit the $II_SYSTEM\ingres\files\config.dat file.

    Locate the line in the file that reads:

    ii.{hostname}.privileges.user.{username}:SERVER_CONTROL,NET_ADMIN,MONITOR,TRUSTED

    Copy this line and paste one line directly beneath it.
    Modify the copied line to contain the username that you're intending to use to start the service. e.g.

    ii.{hostname}.privileges.user.hanch02:SERVER_CONTROL,NET_ADMIN,MONITOR,TRUSTED

    Please note: The cosineDomainComponent is not required, only the username is required.

    Once the new user has been added to the file, save the file.

    All that remains is for you to restart the Ingres Intelligent Database service from the Windows services applet.
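The config.dat edit from section 6 as an added PowerShell example, not part of the original document or vendor tooling: it backs up the file, copies the existing privileges line directly beneath itself with the new username, and makes no change if that user already has a line. The function name, parameters, the sample hostname `dbhost01` and the second sample key are assumptions made for illustration.

```powershell
# Added example (not vendor code): the config.dat edit from section 6.
param([string]$ConfigPath, [string]$BackupDir, [string]$NewUser = 'hanch02')

# Return the file's lines with a privileges line for $NewUser copied in
# directly beneath the first existing privileges.user line.
function Add-IngresPrivilegeLine {
    param([string[]]$Lines, [string]$NewUser)
    # Per the page, only the username is required, not the domain component.
    if ($NewUser -match '[@\\]') { throw 'Use the bare username, without the domain part.' }
    $pattern = '^(\s*ii\..+?\.privileges\.user\.)[^:]+(:\s*SERVER_CONTROL,NET_ADMIN,MONITOR,TRUSTED\s*)$'
    $mine    = "^\s*ii\..+?\.privileges\.user\.$([regex]::Escape($NewUser)):"
    $done    = [bool]($Lines -match $mine)      # already present: change nothing
    if ($done) { return $Lines }
    $out = New-Object System.Collections.Generic.List[string]
    foreach ($l in $Lines) {
        $out.Add($l)
        if (-not $done -and $l -match $pattern) {
            $out.Add($Matches[1] + $NewUser + $Matches[2])
            $done = $true
        }
    }
    if (-not $done) { throw 'No privileges.user line found to copy.' }
    return $out.ToArray()
}

if ($ConfigPath) {
    # Live run: stop on any error so the file is never rewritten without a backup.
    $ErrorActionPreference = 'Stop'
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    Copy-Item $ConfigPath (Join-Path $BackupDir "config.dat.$stamp")
    $new = Add-IngresPrivilegeLine -Lines (Get-Content $ConfigPath) -NewUser $NewUser
    Set-Content -Path $ConfigPath -Value $new -Encoding Ascii
} else {
    # Dry run on constructed lines (hostname and second key are made up).
    $sample = @(
        'ii.dbhost01.privileges.user.ingres:SERVER_CONTROL,NET_ADMIN,MONITOR,TRUSTED',
        'ii.dbhost01.example.key:1'
    )
    Add-IngresPrivilegeLine -Lines $sample -NewUser $NewUser
}
```

Run it without `-ConfigPath` to see the result on the sample lines before pointing it at the real file.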

Additional Information

Defining users with their User Principal Name (UPN)

Using a User Principal Name (UPN) in the form <username>@<cosineDomainComponent> is normal.

The <cosineDomainComponent> section is used to uniquely identify users within Microsoft's Trees & Forests hierarchy. It is the same as specifying the domain credentials as: <NETBIOS DOMAIN NAME>\<username>.

32 Character Ingres Username Limit

There is a 32 character limit to Ingres usernames, so ensure that the username of the credentials being used to control the Ingres service is less than 32 characters. This includes the domain extension.

e.g. dxadduser abcdefghijklmnopqrstuvqxy@ca.com

Other examples include:

To demonstrate this:

Figure 17

Figure 18

Special Character Restrictions For Ingres Usernames

Ingres names have the character restrictions listed within the CA Directory README - see ftp://ftp.ca.com/pub/etrust/Directory/DXserver/r81-GA-update/readme_eTrustDirectory.html