× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. April 2019

RE: Runaway QTVDEVICE job

We have users mapped to the IFS all over our organization. And typically we insist that they change their Windows password to match there IBM user profile. We have coordinated the password rules with the Network Group. The only thing we see if they don't keep them the same is their Network Neighborhood profile is disabled and it has to be enabled in Navigator for i for NetServer. By keeping the passwords the same we don't have a connection problem. Now if the mapping is made with specific id and password that is kept with the mapping a different scenario might occur especially should that profile change passwords.

I believe that Single Sign-on would solve this problem but I haven't attempted the change yet.

George R. Smith
Sr. JD Edwards Analyst

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxxxxxxxx] On Behalf Of Michael Schutte
Sent: Tuesday, April 16, 2019 7:47 AM
To: Midrange Systems Technical Discussion
Subject: Re: Runaway QTVDEVICE job

Great research, I have experienced the same issue with profiles in the
past. I couldn't get to this point that you have. Hands in too many
things. I saw many of the same things you identified. Would love to know
what happened.

My thought was that these users mapped an IFS location to their PC and
configured it to log in with their Windows Password. Which was against my
step by step instructions. :-) I wasn't able to get it cleared up even
after disconnecting the map.

In the end, we deleted the profile and created them a new know. One user
had a new profile created, while the other was recreated with the same
name. Neither user has had an issue sense. I know its not the answer you
are looking for, its just what we did. I would love to know what happened.


On Tue, Apr 16, 2019 at 7:57 AM Rob Berendt <rob@xxxxxxxxx> wrote:

I had two users get disabled over the weekend due to too many invalid
signon attempts. We do NOT have QMAXSGNACN set to disable profiles, just
devices. Apparently non 5250 jobs don't care about the device and they'll
disable the user profile anyway.

I used the api's at http://ibm.biz/DB2foriServices to search the history
log for the date time when they were disabled (same minute in two different
countries, Mexico and Texas!!! On a Sunday...) Then I used another API at
that site to search the audit journal to find out the exact IP address
which disabled each profile. This also showed me the job. Both were using
a different QTVDEVICE job. This is not the actual interactive session but
a companion job which supports the device.

One user had 397,221 invalid sign on's. The other user had 359,365
invalid signon attempts.

I'm still gathering what version of what product they are using for 5250
before opening the ticket with IBM.

Trying to determine how this could happen. Might it be that both those
PC's down south were trying to reconnect to the IBM i lpar here in Indiana
after a comm drop or some such thing? Funny thing is both users have a
"last password change date" greater than their "previous sign on date". So
maybe it kept trying to reconnect using the old passwords? A comm drop
between El Norte and them would be the most likely explanation as to why
they both got disabled in the same minute.

Person "O"
Previous sign-on . . . . . . . . . . . . . : 03/29/19 10:04:22
Date password last changed . . . . . . . . : 04/04/19 10:49:26
Person "A"
Previous sign-on . . . . . . . . . . . . . : 04/04/19 17:41:31
Date password last changed . . . . . . . . : 04/05/19 09:48:42

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.