× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Some more information. First, I've opened a PMR with IBM. I've
gathered a bunch of traces and IBM is checking it out. The issue seems
to be with the REPLACE(*YES) parameter on the CPY command. If I sign
on as the <special> user (the user with the same credentials on both
the i and the Windows server), I'm able to copy files with no problem.
If I sign on as a different user (including one with *ALLOBJ) and run
a CL program that sets the effective user ID to the <special> user,
the first file is copied and all other files fail with insufficient
authority. An interesting point - if I run the command a second time,
every file copy fails with insufficient authority, even if I clear the
target directory. I almost think that last thing is an activation
group issues, but I don't think it's my activation group.

Here are answers to questions that Dan and Pat asked:

1. How are the directories being created on the target Windows machine?
A. I created the directory being copied into on the Windows. I have
*ALLOBJ authority on the i and am a domain user on the target system.
I am the owner of the target directory.

2. Is the UID a member of a group that has Traverse Folder / Execute
File permission on that directory?
A: Strictly speaking, no. Permissions for this folder are user based,
not group based. Therefore, group membership does not apply. Effective
permissions show that the domain user and the <special> user both have
Traverse Folder / Execute File permissions on the directories.

3. Does the user have Full Control permissions in the net share within
which the directory exists?
A. Yes.

4. Authority to the directory to which the file is supposed to be copied
(when empty and after the first copy)
A. Full control to the <special> user for folder, subfolders, and files.

5. Authority the profile (and any groups) under which the program begins
running has to the directory and any objects in the directory .(if it has
*allobj then no more info is needed, if not, is the profile the owner, or
primary group, or does it have a private authority to the directory)
A: *ALLOBJ

6. Authority the profile represented by the UID to which you are setting
the eUID has to the directory and to any objects in the directory.
A: Full control to the <special> user for folder, subfolders, and files.

Thanks!


On Mon, Jul 18, 2011 at 1:24 PM, Michael Ryan <michaelrtr@xxxxxxxxx> wrote:
Dan and Patrick...I'm gathering the answers to the questions. The
network guy will be getting back to me. Thanks!

On Fri, Jul 15, 2011 at 4:28 PM, Patrick Botz
<botz@xxxxxxxxxxxxxxxxxxxxx> wrote:
Can you give me the following information:

  - Authority to the directory to which the file is supposed to be copied
  (when empty and after the first copy)
  - Authority the profile (and any groups) under which the program begins
  running has to the directory and any objects in the directory .(if it has
  *allobj then no more info is needed, if not, is the profile the owner, or
  primary group, or does it have a private authority to the directory)
  - Authority the profile represented by the UID to which you are setting
  the eUID has to the directory and to any objects in the directory.


If you have *AUTFAIL auditing turned on, then do "CPYAUDJRNE AF".  Run an
SQL query (select the failing object path name, the program name and
library, the current userID and current groupID(s).  Make sure the program
getting the error is the one you expect. Make sure the path and object are
the ones you expect.

If you don't have auditing turned on, do a PF9 on the error message to get
more information.

Contact me offline if you want more help.

Patrick Botz

Botz & Associates, Inc.
pcbotz@xxxxxxxxx
Office 507 319 5206
Cell 507 250 5644
http://www.botzandassociates.com

President, Valid Technologies
pcbotz@xxxxxxxxxxxxx
http://www.validtech.com



On Thu, Jul 14, 2011 at 7:58 AM, Michael Ryan <michaelrtr@xxxxxxxxx> wrote:

Pat...the profile under which the job is initially running has
*ALLOBJ. I'm seeing something interesting. If the target directory is
empty, the first copy works successfully. Every copy after that fails
with an authority issue. If the target directory is not empty, every
copy fails with insufficient authority. Any ideas about that?

On Wed, Jul 13, 2011 at 10:23 PM, Patrick Botz
<botz@xxxxxxxxxxxxxxxxxxxxx> wrote:
The profile under which the job is initially running, must have *use
authority to the profile with the UID to which you want to "seteuid" to.
 You can use adopted authority to get the authority to the user profile.
In
other words, the program that calls the qsyseteuid() api can be owned by
a
profile that has *allobj or a profile that has *use to the profile
represented by the UID you are trying to change to.  Only grant a profile
*use to another profile if it is a "service profile" that cannot be
logged
into.

The qsyseteuid() api essentially does the same thing as the profile
handle
APIs, but it only changes the profile udner which the job runs (not the
groups).  Note you could also accomplish the same thing by doing a
qsysetegid(), and you wouldn't lose the audit thread for the real profile
making the change.


Patrick Botz

Botz & Associates, Inc.
pcbotz@xxxxxxxxx
Office 507 319 5206
Cell 507 250 5644
http://www.botzandassociates.com

President, Valid Technologies
pcbotz@xxxxxxxxxxxxx
http://www.validtech.com



On Wed, Jul 13, 2011 at 2:33 PM, Michael Ryan <michaelrtr@xxxxxxxxx>
wrote:

Hello all...I'm trying to copy files from the IFS to a QNTC share. If
I sign on as a specific user, I have the authority to copy. I'm trying
to use qsyseteuid so I can run the program as any user. I do a WRKJOB
and see this:

Current user profile  . . . . . . . . . . . :   <special user>
Job user identity . . . . . . . . . . . . . :   <special user>
 Set by  . . . . . . . . . . . . . . . . . :     *DEFAULT

So I would think that I have the authority, but I get an 'insufficient
authority' message when attempting the copy. Is qsyseteuid not the
right procedure?

Thanks in advance...
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.




As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.