Re: odd profile swap in QAUDJRN

Jim,

How about using the network apis to determine the remote host?

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Jim Franz
Sent: Tuesday, March 17, 2015 12:07 PM
To: Midrange Systems Technical Discussion
Subject: Re: odd profile swap in QAUDJRN

Gary,

but user is not actively doing anything. In fact, when 1st started,
computer on, but user not in the building.
Malwarebytes shows clean (as far as network staff can tell).
That's why I'm trying to determine if a normal map drive issue (like saved
credentials but not updated on last pwd chg) or some printer mapping, or
some client app.
I do see netserver ptfs related to security we don't have.
I guess what I'm looking for is a Netserver code that indicates "what" is
it attempting to do?
btw - the attempts (VP) are about 5 minutes apart, but not exact.
The job stack of the pc is pages of stuff.
Jim

On Tue, Mar 17, 2015 at 2:46 PM, Monnier, Gary <Gary.Monnier@xxxxxxxxx>
wrote:

Jim,



Doesn't the contents of the VP entry give you the information you need?



JE J4 J5 Field Format Description

156 224 610 Error Type Char(1) The type of error that occurred. P =
Password error

157 225 611 Server Name Char(10) The name of the network server
description that registered the event.

167 235 621 Server Date Char(6) The date the event was logged on the
network server.

173 241 627 Server Time Zoned(6,0) The time the event was logged on the
network server.

179 247 633 Computer Name Char(8) The name of the computer initiating
the request.

187 255 641 User Char(10) The name of the user who attempted

to

log on.



-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Jim Franz
Sent: Tuesday, March 17, 2015 11:14 AM
To: Midrange Systems Technical Discussion
Subject: Re: odd profile swap in QAUDJRN



It's not getting that far. The VP code indicates pwd error.

Trying to determine if this is a mapped drive trying to reconnect
(over &

over)?

Jim



On Tue, Mar 17, 2015 at 1:50 PM, <rob@xxxxxxxxx> wrote:

Methinks thou art correct.

QZLSFILET

Servicing user profile A from client 10.17.8.33.

Servicing user profile B from client 10.10.2.96.

Ended service for user A on client 10.17.8.33.

Ended service for user B on client 10.10.2.96.

Servicing user profile B from client 10.17.8.33.

Servicing user profile C from client 10.10.9.22.

Servicing user profile A from client 10.10.8.237.

Servicing user profile D from client 10.17.9.92.

Rob Berendt

--

IBM Certified System Administrator - IBM i 6.1

Group Dekko

Dept 1600

Mail to: 2505 Dekko Drive

Garrett, IN 46738

Ship to: Dock 108

6928N 400E

Kendallville, IN 46755

http://www.dekko.com

From: Charles Wilt <charles.wilt@xxxxxxxxx>

To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx

Date: 03/17/2015 01:41 PM

Subject: Re: odd profile swap in QAUDJRN

Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>

Rob,

I don't think the connections are actually serviced under that job...

Instead it is QZLSFILET or QZLSFILE

https://www-304.ibm.com/support/docview.wss?uid=nas8N1015061

Charles

On Tue, Mar 17, 2015 at 12:03 PM, <rob@xxxxxxxxx> wrote:

QZLSSERVER is IBM Net Server. This basically serves up shares on
your

IBM

i. So if someone maps a drive to /youribmi/yourshare it should
appear

in

these.

However, I have a drive mapped and I only have one QZLSSERVER job
and

it's

"current user" is QPGMR

Current user profile . . . . . . . . . . . : QPGMR

Job user identity . . . . . . . . . . . . . : QPGMR

So apparently it's not swapped all the time. IDK if the swap is
done

very

quickly.

On a side note, there's also a way to set up a "guest" account so
that

users who do not have access to your IBM i will also use a generic

account

for drive mapping.

Rob Berendt

--

IBM Certified System Administrator - IBM i 6.1

Group Dekko

Dept 1600

Mail to: 2505 Dekko Drive

Garrett, IN 46738

Ship to: Dock 108

6928N 400E

Kendallville, IN 46755

http://www.dekko.com

From: Jim Franz <franz9000@xxxxxxxxx>

To: Midrange Systems Technical Discussion <

midrange-l@xxxxxxxxxxxx

Date: 03/17/2015 11:41 AM

Subject: odd profile swap in QAUDJRN

Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>

How can I determine what was being executed when this Profile Swap

occurred?

Profile NETTST (not a test account, it's part of a name)

QZLSSERVER doesn't log much (I changed jobd to log all before this

occurred)

No activity immed before or after this time for this user.

Nothing in QHST for this user.

User does use a client based app (package) to access our system
and was

active till about 20 minutes before this swap.

1660700 T 0 'PNETTST M '

0 PS QZLSSERVER QPGMR 776279 0

0 QLESPI QSECOFR 0 0

0 03/16/15 18:06:58 0

Jim Franz

--

This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx

To subscribe, unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx

Before posting, please take a moment to review the archives

at http://archive.midrange.com/midrange-l.

--

This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx

To subscribe, unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx

Before posting, please take a moment to review the archives

at http://archive.midrange.com/midrange-l.

--

This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx

To subscribe, unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx

Before posting, please take a moment to review the archives

at http://archive.midrange.com/midrange-l.

--

This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx

To subscribe, unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx

Before posting, please take a moment to review the archives

at http://archive.midrange.com/midrange-l.

--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx

To subscribe, unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx

Before posting, please take a moment to review the archives

at http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.