MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » July 2014

RE: [Bulk] Re: [Bulk] RE: [Bulk] RE: [Bulk] Netserver profile being disable after IPL and/or password change - CPIB682



fixed

Mark,

Using MPLUS,
I created new event monitor under QSYSOPR

600 Netserver Disabled-renable
Action
SBMJOB CMD(RSTNETUSR USER('&1')) JOB(RSTNETUSR) JOBQ(QSYSNOMAX)
USER(PRODUCT)

QSYSOPR did not have authority to submit a job as this user, so I also had to grant authority to QSYSOPR for PRODUCT.

All working,
I may also add a page to go with the action.

I still have no idea why these users are getting disabled.
Our iSeries Userprofiles do not match our Windows domain accounts.
Could this be a Windows issue?

Paul


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Mark S Waterbury
Sent: Friday, July 11, 2014 5:10 PM
To: Midrange Systems Technical Discussion
Subject: Re: [Bulk] Re: [Bulk] RE: [Bulk] RE: [Bulk] Netserver profile being disable after IPL and/or password change - CPIB682

Hi, all:

A google search found this IBM support document:
:
http://www-01.ibm.com/support/docview.wss?uid=nas8N1010645

This is a nice document that shows how to use the "watch" capabilities introduced in V5R4 to watch for the message that says a NetServer user was disabled, and automatically re-enable it.

Mark

On 7/11/2014 4:19 PM, Mark S Waterbury wrote:
Paul:

I had not seen that document before, but just looked it up, and
downloaded the save file and looked at the source code. It uses the
same API (QLZSCHSI) to reset the NetServer user profile to "enabled".
But it only provides a command and you must do it one user profile at
a time.

The article by Carsten Flensburg uses the same API. This is also the
same API used by the old QUSRTOOL "GO NETS" tool.

Mark

On 7/11/2014 4:05 PM, Steinmetz, Paul wrote:
Mark,

MPLUS is currently monitoring for the CPIB682.
I was reviewing the possibility of adding an action to the event
monitor.
I found IBM doc N1010992 - CL Program and Command to Re-Enable
NetServer Users This doc will points to RSTNETUSRF savf, which
contains the source.

Has anyone used the RSTNETUSRF command?

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf
Of Mark S Waterbury
Sent: Friday, July 11, 2014 3:08 PM
To: Midrange Systems Technical Discussion
Subject: Re: [Bulk] RE: [Bulk] Netserver profile being disable after
IPL and/or password change - CPIB682

Paul:

I was thinking that Windows itself may have tried the password at
least once, automatically, without user intervention, depending on
how the user defined the "mapped drive" -- you can tell Windows to
remember the password and attempt to reconnect automatically whenever
Windows is re-started (boots up). So, that may have "used up" at
least one attempt, before prompting the user. Then, if the user "got
it wrong"
whenever Windows subseuqently prompted the user for that password,
they may have "used up" the remaining tries.

In any case, I think that article points the way to a "solution" --
if you can set up that program to run periodically, e.g. as a
scheduled job, at least once a day, perhaps more frequently, it seems
tome that you should be able to prevent this sort of thing.

Mark

> On 7/11/2014 2:53 PM, Steinmetz, Paul wrote:
Mark,

1) For second level text, do you mean this?
Cause . . . . . : User profile TPASKEIP exceeded the maximum
number of
incorrect sign-on attempts when connecting to IBM i Support for
Windows
Network Neighborhood (IBM i NetServer). This user profile has
been disabled
for IBM i NetServer access. The latest failure was received from
workstation ::ffff:10.5.47.54 at IP address ::ffff:10.5.47.54.

2) Also, based on the message, the user exceeded the maximum number
of attempts.
However, they only keyed their password once.
Does Netserver use sysval QMAXSIGN *SEC Maximum sign-on
attempts allowed?
We are set to 3.

Paul



-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf
Of Mark S Waterbury
Sent: Friday, July 11, 2014 11:37 AM
To: Midrange Systems Technical Discussion
Subject: Re: [Bulk] Netserver profile being disable after IPL and/or
password change - CPIB682

Paul:

Look at the second-level text for that message CPIB682 for an
explanation as to how or why those NetServer user IDs are getting
disabled.

See:
http://iprodeveloper.com/rpg-programming/apis-example-list-and-enabl
e-
disabled-netserver-users

for a nice article and tool by Carsten Flensburg that
addresses this issue.

HTH,

Mark S. Waterbury

> On 7/11/2014 10:18 AM, Steinmetz, Paul wrote:
I have a group of users that use mapped drives to the IFS.
Following an IPL, System save, restricted state and/or if user
changes their password, their Netserver profile becomes disabled
with a CPI8682.
Once the profile is re-enabled, every is fine, until next maint
and/or password change.

Is this normal behavior, or can anything be done to avoid these
nuisances?

Message ID . . . . . . : CPIB682
Date sent . . . . . . : 07/11/14 Time sent . . . . . . :
08:13:54
Message . . . . : User profile TPASKEIP disabled for IBM i
Support for
Windows Network Neighborhood access.

Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.






Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact