jpsst34
(member)
06/12/02 02:07 PM
AS400 shared directory connection outages

This is an issue with the 400, not OW itself, but I thought I'd post it here anyway. It affects OW, as I have TC's that won't run when this problem manifests itself.

We have a directory on the 400 under root called /myDir/mySubDir/. Using Ops Nav, I have shared this direcotry (created an SMB share) at the mySubDir level. This allows one to type "\\AS400MachineName\mySubDir\" -or- "\\xxx.xxx.xxx.xxx\mySubDir\" into the Address Bar in explorer and browse this directory. All is good up to this point.

The problem resides in the fact that sometimes, at apparently random intervals, some users cannot access this shared directory through Windows Explorer. For each user affected, the outage is only temporary. What's more, it doesn't affect all users at once. It will affect one person now, two people later, nobody for a week and a half, then three people in one day, but at different times during the day.

When anyone is seeing this, their AS400 account has _not_ been varied off. For instance, right this minute I cannot access the 400 through Explorer, but I can still use telnet from the command line, Client Access Green Screen (which is just telnet), FTP, and Ops Nav. None of those give me any problems. I only can't access the machine through Explorer. I'm using NT5.1 (XP pro to the laymen <g>), but it's not a Windows problem, becuase I've tested this using OS X and FreeBSD with Samba. In all instances with all OS's, I can't connect to the SMB share. This says to me that the problem resides on the 400 end of the connection.

Any thoughts? Has anyone else ever had fun like this?


milliron
(member)
06/14/02 10:37 AM
Re: AS400 shared directory connection outages

Hi Jack,

We have this happen periodically but cannot find any pattern to it. We do see message CPIB682 on QSYSOPR message queue. I've looked on some IBM web sites and this is all the information that I can find on this message:
__________________________________
Users may be unable to use AS/400 NetServer if they attempt to connect to iSeries with an incorrect password too many times. If this occurs, then iSeries sends a message (CPIB682) to the QSYSOPR message queue. This message indicates that the user profile has been disabled for AS/400 NetServer access. This does not disable the user profile for iSeries or Client Access, but it does stop the user profile from accessing AS/400 NetServer.

How to tell if a user has been disabled:
-Check the QSYSOPR message queue (DSPMSG QSYSOPR) for message CPIB682
-Disabled Users dialog in V5R1AS/400 Operations Navigator Possible actions to resolve:
1. Restart NetServer (reenable all users) or CHGUSRPRF userid (reenable a userid)
2. Increase value for QMAXSIGN
3. Change password on the client to match
4. In V5R1, use the new Disabled Users dialog from OpsNav!
In V5R1, multiple signon attempts in quick succession by the client will only be logged as one password violation, greatly reducing the chance of users becoming disabled. This is handled in a way that does not compromise security.
_________________________

Since you are on V5R1, you should be able to see which users are disabled via Operations Navigator - it's just not intuitive how to get there. You need to click on the following:
Network
Servers
TCP/IP
Then right click on AS/400 NetServer and select Disabled User IDs. This window will give you the option of enabling them.

Do you have an AS/400 SupportLine contract so that you can call IBM for more help?

-mary


jpsst34
(member)
06/14/02 10:48 AM
Re: AS400 shared directory connection outages

Thanks for the tip, Mary!

So, what I gather from your post is that too many *successful* logons to the NetServer disables the user's access to the NetServer shares and only to the Netserver but not to the AS/400 in general.

This would explain our problem. Now, as for how to solve it...
I guess increasing QMAXSIGN would relieve it somewhat, but not solve it. Right now, my NT password and my Client Access password are the same, so I'm sure it's not an invalid password thing.

Unfortunately, we do not have an IBM software service contract. I'm not sure why, I just know we don't. Hrm.

Thanks again for the help,


milliron
(member)
06/14/02 11:05 AM
Re: AS400 shared directory connection outages

Hi Jack,

Our passwords are generally the same, too, so I don't know why we're getting the error messages either. I've submitted a question to the AS/400 SupportLine and I'll let you know if I get an answer.

-mary


milliron
(member)
06/14/02 01:58 PM
Re: AS400 shared directory connection outages

Here's the reply from IBM:
_____________________________________________
MSGCPIB682 means 'User profile &1 disabled for AS/400 Support for Windows Network Neighborhood access.'. This means that the user profile has become disabled for Netserver use.
.
When a profile becomes disabled for Netsever, it is not totally disabled. If you do a DSPUSRPRF on the profile, it will still show as *ENABLED. The user will be able to use that same profile to sign on the emulation session (green screen) or to run Client Access functions like data transfer, and so on and so on. The profile is ONLY disabled for Netserver.
.
A profile can become disabled for Netserver use based on the QMAXSIGN system value (this is the same system value that is used to totally disable a user profile for AS400 use). You can view the value by doing a DSPSYSVAL QMAXSIGN. Many companies have this value set to 3 and at that setting profiles can become disabled for Netserver use very easily. A value of 5 works much better for Netserver.
.
Here's how it happens. When a user attempts to connect a Netserver drive, Windows will automatically send up a User ID and password. Windows actually sends this same User ID and password UNDER THE COVERS several times, before ever prompting the user for a different User ID and/or password. Some PC's will send the User ID and password only a couple of times, then prompt, and the user can enter the correct information and can connect the drive. Other PC's will send the User ID and password 4, 5, or even 10 or more times, before ever prompting the
user. If that happens, the User ID is disabled for Netserver before the user ever has a chance to send the correct information.
.
If the PC user signs on a Network when they boot up the PC, that is the User ID and password that Windows will send when they attempt to connect the netserver drive. If the user does not sign on a network but does sign on the PC desktop, that is the User ID and password that Windows will send. If the user does not sign on either a network or the PC desktop, then it's anyone’s guess what Windows will send to the AS400.
.
Profiles can be reset (renabled for Netserver use) in any of three different ways.
.
1) IPL the system - Not an action that you would want to take just to reset a profile but it does reset every profile on the system.
.
2) End and restart Netserver (either from Operations Navigator or by running ENDTCPSVR *NETSVR then STRTCPSVR *NETSVR). Like doing an IPL, this resets every profile on the system for Netserver use.
.
3) For individual profiles, this is the best way to reset: From the AS400 command line run CHGUSRPRF ProfileName (substituting in the actual profile name). You don't actually have to change anything. Just the process of running the CHGUSRPRF on the profile will reset it.
.
There is a very good Knowledgebase document that talks about Netserver Security which you might want to view. I won't email it to you, because it has a table that gets kind of messed up when it is emailed. Instead, I'd suggest that you view it online. It is in the Support Line Registered Knowledgebase. The registered Knowledgebase is available to customers who have a Support Line contract, but if you have not already done so, you will need to register as a Knowledgebase user online (at the site given above), at which time you will be sent a password. To get to the Registered Knowledgebase, go to the iSeries Technical Database website at http://www-912.ibm.com/supporthome.nsf/document/20300257 and take the link for 'Registered Software Knowledge Base'. Once there, use the search function and search on the Knowledgebase Document ID which is 17714937 or on the Document name which is 'AS/400 NetServer Security'.
______________________________________________

And, here's something from another IBM document that might explain why it doesn't work one time but it does the next:

"Any user ID will be re-enabled for NetServer access any time the NetServer user cache detects a change in the user profile. For example, the user creates a new object and becomes the owner of an object which updates the owned object list causing the last access date on the user profile to be updated. The user profile has been changed so it is re-enabled for NetServer access."


-mary



JDELIST Support | Privacy statement JDELIST.com

*
UBB.threads™ 6.4.1

The legal restrictions and terms of use applicable to this site are available here.
Use of this site signifies your agreement to the terms of use.
JDELIST is NOT affiliated with JD Edwards® & Company, Oracle or Peoplesoft. Contents of this site are neither
endorsed nor approved by JD Edwards® & Company, Oracle or Peoplesoft.

This page best viewed with Netscape 4 or Microsoft Explorer 4 or above in 800 x 600 resolution.