Can you migrate to linux I might be more helpful then? I don't know
anything about window domain issues.

There should be no difference in authentication behaviour between 7 and 10.0.

Domain users do not need to be recreated locally.

Do the domain users have "logon locally" rights on the server machine? This is required for both IDS 7 and 10.

Does it make any difference at all if you start the IDS service as the localsystem user instead of the informix user? I don't expect it to, but if it did it would help with the troubleshooting.

Failing this I suggest you log a support call.

Regards
Guy

----- Original Message ----
From: rotor <rotor@navigator.lv>
To: informix-list@iiug.org
Sent: Tuesday, January 29, 2008 1:13:31 AM
Subject: Problem with Windows domain users

Good day.

Product Name and Version: IBM Informix Dynamic Server Version
10.00.TC7
Operating System and Version: Windows
Problem Description:
We are using Informix version 7.x as a platform of our information
system wich is used by xxx of xxx. Due to end of service we are
thinking about migration to version 10.x, but have faced with
different behaviour in versions mentioned. All our 7th servers are
installed on different host machines. All this host machines are in
one Windows domain. All Informix servers on this host machines are
installed locally (during installation "Install In Domain" check box
was not selected). After executing "grant connect" command all
domain users can connect to Informix database. Now I have tried to
install IDS 10.00 TC7 on one of the machines using the same manner
(locally), but can't connect to the server - Informix gives the
error "-- [Informix][isqct03a.dll] SQL Error (-951) : Incorrect
password or user <xxx> is not known on the database server." So, I
don't understand what I should do now:
1. Manually dublicate all domain users locally? (There is about 2000
users in that domain!)
or
2. Install IDS "In Domain"? (Also is not good solution - now every
local informix-admin has different password on all machines.)
Also please explain why this behaviour is changed so radically,
where such change is described? Or maybe I don't understand
something and there is another way of problem resolving?

Unfortunately the difference exists. I have 3 clear instances on my
computer installed locally - 7th, 9th and 10th. First two give me
connect as domain user (using short name without domain and
backslash), but third one - not. Try yourself - it is very simple to
reproduce...

No difference.

If you all know IBM's support is very bad in comparing with
Informix. I can quota to you two answers from support.

First one:

I am writing to inform you that I have been assigned the PMR you
logged earlier regarding getting error 951 after migration.
I am currently researching the issue but to help investigate the
problem further please can you tell me:-
1) How did you migrate from version 7 to 10?
2) Did you run oncheck -cDI and -cc after migrating? If so, did they
report any errors?
3) Check the owner of oninit in directory \INFORMIXDIR/bin. It
should be root and not Informix.
4) Possible other cause maybe the password expiry. Expiration is
checked in function __osgetpwnam() by a system call passwdexpired():
so reset that if it has expired and that should resolve it.
5) Also check with the OS system administrator for any trust or
password errors or warnings.

And the second (a week! later):

Yes good point, I don't know why I was thinking about UNIX.
I have researched further and here are my findings:
The following situations can cause error -951:
   * Informix user account was deleted and recreated
   * Windows server membership has changed from domain to workgroup
   * Windows server membership has changed from workgroup to domain
   * Change in domain default policy for informix domain user
   * User ‘informix’ is not a member of administrator group at the
server
   * Check the service started using the local informix account and
password.
   * Are you using role separation?
   * Can connect locally on this box? Verify that  /etc/hosts.equiv
and /hosts file contain  information about each of the windows
machines
   * It may be necessary to remove the IDS registry entries and
remove and recreate the user informix and group Informix-Admin.
The following is a list of steps that you can use to resolve -951
errors for Informix users in your environment.  
1 - Connection attempts fail with error -951 when Informix Dynamic
Server is installed in a Windows domain and the domain controller
name is greater than 13 characters. If the Domain Install option is
selected when installing    (IDS), and the Primary Domain
Controller's machine name is greater than 13 characters in length,
attempts to connect to the database server fail with error -951.
2- Run the following:
                d:/informix/astools/addrights informix
    to add the following rights to the user:
                Adds the following user rights to the local account
specified:
                  SeTcbPrivilege
                  SeServiceLogonRight
                  SeIncreaseQuotaPrivilege
                  SeAssignPrimaryTokenPrivilege
   Note: This could also be accomplished by reinstalling the
engine. Suggest increasing quota
3- Insure that the Local and Effective Settings are correct on the
box
running IDS.  Under the Control Panel -> Administrative Tools ->
Local Security
Settings - make sure that the local Informix user, or the group
Informix-Admin
is added both the Local and Effective Settings.
                Policy
                - Access this computer from the network
                - Act as part of the operating system
                - Increase quotas
                - Log on as a batch job
                - Log on as a service
                - Log on locally
                - Replace a process level token
4- Log into the Domain Controller and use the 'User Rights for
Domains' tool
to add the user Informix, or the group Informix-Admin to the 'Access
this
computer from the network' policy.
5- Bounce the local server to have these changes take effect and
verify security policies.
Also create the user informix in the domain controller and make user
informix a member of the Global Domain Admin group. Then log in as
domain_name\informix from individual computers to enable domain
installation.
Choose the Domain install option when prompted by the installation
wizard when you run the installation program.
Hope that helps.

How do you think, Is it good help from support for about million
dollars a year?