× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. March 2017

RE: V7R1 - Production LPAR not working for a 5250 session enabled for Kerberos

My QRMTSIGN was set to blanks.

Changed to *VERIFY, all working.

Note: When using the 5250 emulator in IBM i Access Client Solutions with Kerberos Authentication, you
need to change the Remote sign-on (QRMTSIGN) system value to *VERIFY to enable you to bypass the
sign-on. To change the Remote sign-on system value, follow these steps:

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Sunday, March 12, 2017 7:26 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: V7R1 - Production LPAR not working for a 5250 session enabled for Kerberos

Just as a test, I deleted the target on the EIM identifier.
Now getting this error message, as expected.

CWBSY1018

The connection is configured to use your Kerberos principal name for security authentication; however, your Kerberos principal name could not be successfully mapped to an IBM i user profile.
201 -- Kerberos principal name could not be mapped to an IBM i user profile. Either the Kerberos principal has not been mapped to an IBM i user profile with EIM configuration, or the Kerberos principal has been mapped to an IBM i user profile that does not exist.

This implies Kerberos is active, and failing for a missing association.

I added the target association back in.
Message gone.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Sunday, March 12, 2017 6:36 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: V7R1 - Production LPAR not working for a 5250 session enabled for Kerberos

Evan,

QUSER status enabled.
Good links, everything suggested checks ok.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Evan Harris
Sent: Sunday, March 12, 2017 6:18 PM
To: Midrange Systems Technical Discussion
Subject: Re: V7R1 - Production LPAR not working for a 5250 session enabled for Kerberos

Still no real information.
What is the status of QUSER ?
I am just plucking stuff I seem to remember causing issues out of the air.

Have you looked at these documents ?
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzalv/rzalv_trouble_mappings.htm
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzalv/rzalvtrbleimwizard.htm


On Mon, Mar 13, 2017 at 11:05 AM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
wrote:

I checked QUSRDIR joblog, nothing there.
A very similar config on R&D LPAR is working.
NTP is running, clock time ok.
NAS tested and working.

Paul


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Evan Harris
Sent: Sunday, March 12, 2017 5:39 PM
To: Midrange Systems Technical Discussion
Subject: Re: V7R1 - Production LPAR not working for a 5250 session
enabled for Kerberos

There's no log data or error messages or anything that would provide a
hint as to what is wrong, so it's hard to provide any advice.
Where have you actually looked and what (if anything) have you seen ?

Here is a WAG: Do you have NTP running and what are the clock times on
production and the AD Servers providing credentials ?


On Mon, Mar 13, 2017 at 9:20 AM, Steinmetz, Paul
<PSteinmetz@xxxxxxxxxx>
wrote:

I totally deleted LDAP and reconfigured.
Also redid EIM.
NAS, LDAP, EIM configured and started.
Testing an EIM identifier successful.

Same results - Production LPAR not working for a 5250 session enabled
for Kerberos

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf
Of Steinmetz, Paul
Sent: Sunday, March 12, 2017 12:43 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: V7R1 - Production LPAR not working for a 5250 session
enabled for Kerberos

Out of options.
I'm thinking of doing the LDAP cleanup and reconfigure.

http://www-01.ibm.com/support/docview.wss?uid=nas8N1012689

Any thoughts from the group.
Can't hurt.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf
Of Steinmetz, Paul
Sent: Saturday, March 11, 2017 8:57 PM
To: 'Midrange Systems Technical Discussion'
Subject: V7R1 - Production LPAR not working for a 5250 session
enabled for Kerberos

R&D LPAR configured and working for a 5250 session enabled for
Kerberos, no issues.

Production LPAR configured, identity created and tested, no issues.
NAS, LDAP, EIM all configured.

Kerberos not working for a 5250 session enabled for Kerberos.

Any thoughts from the group?

Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD




--

Regards
Evan Harris
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD





As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.