
How to grant permissions to an AS/400 directory share...

    I am able to map a drive to the AS400\QDLS shared folder from a Win2k box using the QSECOFR username and password.  Most of our users get an access denied error when they attempt to map to it with their AS/400 username and passwords.  What do I need to do to grant other user accounts access to this shared drive?
cpfister
Asked:
 
dedy_djajapermana Commented:
Most likely public doesn't have object-level authority to /QDLS:
From the command line, run WRKLNK, then put option 9 on QDLS to check the assigned permission.
 
theo kouwenhoven Commented:
You can use CHGAUT for that.
 
cpfister Author Commented:
Here is what is displayed when I check the Authority to /qdls:    
             Data     --Object Authorities--
 Opt  User        Authority  Exist  Mgt  Alter  Ref
       *PUBLIC     *RWX                              

I'm really just trying to give permissions to an additional SINGLE individual.  Am I correct in thinking that the above means that all users have read write and execute permissions to /QDLS?  

Another thought:  Someone here has mentioned a need to match the NT username and password to the AS/400 username and password.  Would the NT side really have anything to do with this permissions issue?
 
dedy_djajapermana Commented:
Yes, that's correct, all users have read/write/execute authority to /Qdls.

Synchronizing NT username & password to AS/400 is only when you don't want AS/400 to prompt you for user and password.

Another possibility is that there's some system objects authority that's modified.
Please check joblog of QZLSSERVER job, this is server job that handles file server connection.
 
theo kouwenhoven Commented:
Our Network and AS/400 User-ID's are not the same, so I had the same problem. For this purpose, I created 1 same user account on the network and on the AS/400 and set the right authorities.

When linking to the QDLS dir, this is connected by clicking the "Connect using a different user name" option and specify the special created user-ID.

 
cpfister Author Commented:
<dedy_djajapermana, I'm fairly inexperienced with AS400 commands so step by step is probably necessary with me.  I did my best to dig up the joblog of QZLSSERVER job but ended up with 11 pages of completion messages.  All from 11/07/03.  None of which offered an insight as to changes to system object authority.

<Murphey2, I will likely do as you have done with the same user accounts, however my issue still remains.  I need to know how to set the correct authorities on the AS400 side for a given user to allow permissions to map the drive.
 
Tgerdes Commented:
Do you have Operations Navigator on your PC, it comes on the client access cd!  If you do, create a connection (File, connection to servers, add connection).  Once you have created a connection double click on it to open that connection!  probably best to signon with a QSECOFR level signon.  double click on "file systems"!  double click on "integrated file system"!  Right click on /QDLS and select "sharing..."!  Select "new share"!  Once the share is created users will be able to access the share your PC network!  You can also right click on /QDLS and select "permissions" this will allow you to edit user authority the same as the EDTOBJAUT command!  Operations Navigator is a much easier way to make this work!
 
cpfister Author Commented:
Tgerdes, I actually have put some effort into working via the Ops Navigator.  Unfortunately, the only options it gives me are USE and CHANGE permissions for PUBLIC.  Public already has change permissions but there is something else at work here as only 3 accounts seem to be able to successfully map the drive.  One being QSECOFR.

Does anyone have more info on how to work with QZLSSERVER to check object authority as was mentioned by dedy_djajapermana above?
 
dedy_djajapermana Commented:
hi again cpfister...

I tried to simulate your failure here, but also couldn't find anything in the QZLSSERVER joblog, so let's not talk about the job for now.
Let's analyze the problem all over again... Some possibilities of the failure are:
1. Not sufficient object authority:
It has been checked, and verified that *PUBLIC has enough authority.
2. User disabled.
The system user profile and the netserver user profile are stored in different repositories. One common problem is that the profile for netserver is disabled (although at system level, the profile is still able to sign on). To check, from ops nav. expand System>Network>Servers>TCP/IP, and right click Disable User IDs
3. user conflict (xp or w2k with AS/400)
I've heard some issue about it too, but not too sure what exactly is the problem. However, you can try this to "force" use AS/400 profile you selected instead of sending current window user:
a. from windows, go to command prompt
b. type: NET USE \\system /user:userA
    note: system=AS/400 IP address and userA=AS/400 profile
c. If it says "The command completed successfully", then you can browse \\system (type START  \\SYSTEM from command prompt.)

Please let me know the result...
 
cpfister Author Commented:
No users were shown as disabled under as\400netserver
I tried to force the drive mapping using a user account that I just created called QDLSUSER and got these results:

C:\Documents and Settings\cpfister>net use i: \\x.x.x.x\qdls /user:qdlsuser
System error 1219 has occurred.
The credentials supplied conflict with an existing set of credentials.

Then I tried using qsecofr and it worked (Without even supplying a password, which scares me):
C:\Documents and Settings\cpfister>net use i: \\x.x.x.x\qdls /user:qsecofr
The command completed successfully.

OK, now aside from the need to grant drive mapping permissions to QDLSUSER I now need to figure out how to prevent people from gaining access using qsecofr without a password.  I'll throw in 100 additional points to whoever can tell me how to remedy this apparent security hole. :(
 
dedy_djajapermana Commented:
I think before you tried to connect using QDLSUSER, your PC was already connected (and password entered before). That's the reason why it's not asking for QSECOFR password, same reason for the credential conflict.

To do a clean, fresh connection, please disconnect the netserver connection before you issue net use command by:
net use \\x.x.x.x\qdls /delete

to ensure that it's no longer connected, see the status with:
net use

then try the connection again with either QDLSUSER or QSECOFR, it should prompt for the password, alternatively, you can use:
net use \\x.x.x.x\qdls password /user:user
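
The clean-reconnect steps above, as an added example that is not part of the original thread: a Python helper that reads `net use` output, finds every existing session to one server (including device-less ones such as IPC$, which also hold credentials and trigger error 1219), and builds the commands to drop them and reconnect with a password prompt. The sample output and the address 192.0.2.10 are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `net use` output; 192.0.2.10 stands in for the AS/400.
SAMPLE_NET_USE = r"""New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           I:        \\192.0.2.10\qdls         Microsoft Windows Network
OK                     \\192.0.2.10\IPC$         Microsoft Windows Network
Disconnected H:        \\fileserver\home         Microsoft Windows Network
The command completed successfully.
"""

# Optional status word, optional drive letter, then \\host\share.
# Share names containing spaces are not handled by this pattern.
ROW = re.compile(
    r"^(?:\S+)?\s+(?:(?P<local>[A-Za-z]:)\s+)?\\\\(?P<host>[^\\\s]+)\\(?P<share>\S+)"
)

def sessions_to(host, net_use_output):
    """Return (local_device, unc) for every connection to `host`.

    Matching is on the server name exactly as it appears in the output,
    so a session opened by name is not found when searching by IP address.
    """
    found = []
    for line in net_use_output.splitlines():
        m = ROW.match(line)
        if m and m.group("host").lower() == host.lower():
            unc = "\\\\%s\\%s" % (m.group("host"), m.group("share"))
            found.append((m.group("local") or "", unc))
    return found

def clean_reconnect_plan(host, share, user, drive, net_use_output):
    """Commands to run in order: drop every session to host, then reconnect."""
    plan = ["net use %s /delete" % (local or unc)
            for local, unc in sessions_to(host, net_use_output)]
    # `*` in the password position makes net use prompt for the password
    # instead of leaving it visible on the command line.
    plan.append("net use %s \\\\%s\\%s * /user:%s" % (drive, host, share, user))
    return plan

if __name__ == "__main__":
    for cmd in clean_reconnect_plan("192.0.2.10", "qdls", "qdlsuser", "I:",
                                    SAMPLE_NET_USE):
        print(cmd)
```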

 
cpfister Author Commented:
Ok Dedy_ I'm a dill hole.  You've got yourself 100 points for that... QSECOFR does actually need a password.  QDLSUSER is still getting access denied though (and nearly all the other users as well).  So my initial problem remains.  Are there any other permissions that have to be granted to allow users access to a network share?  Or is granting change permissions for QDLS to PUBLIC all that needs to be done to allow access?  Is there a LINK object that could have deny permissions, which are countering the PUBLICs change permissions?  
 
dedy_djajapermana Commented:
hi again cpfister....

I think I've almost run out of ideas.... :)
have you tried to connect to \\x.x.x.x instead of \\x.x.x.x\qdls ?
e.g., Start -> Run -> type \\x.x.x.x ENTER
can QDLSUSER see the list of folders (but get 'access denied' when opening /QDLS)?
If QDLSUSER is able to see list of folders but unable to go into QDLS, then maybe *PUBLIC authority of QDOC library is exclude.

Any other information? QSECURITY level?

 
cpfister Author Commented:
Yes, you are correct.
     qdlsuser is able to see the list of folders but gets 'access denied' when attempting to open /QDLS.  How do I check the authority on the QDOC library?  Or better yet what do I do to grant change permissions to QDOC for QDLSUSER?  
 
dedy_djajapermana Commented:
EDTOBJAUT QDOC *LIB (enter)
 
cpfister Author Commented:
Here's the current settings.  Does public need more than "USE" permissions?                                                                                
   Object secured by authorization list  . . . . . . . . . . . .   *NONE      
                                                                               
                          Object    ----------Object-----------                
 User        Group       Authority  Opr  Mgt  Exist  Alter  Ref                
 QDOC                    *ALL           X     X      X      X       X                
 *PUBLIC                 *USE          X                                        
                                                                               
 
dedy_djajapermana Commented:
No, that seems to be correct...

Is your QDLSUSER enrolled in the system directory? (WRKDIRE)
It should be in system directory entry
 
cpfister Author Commented:
Yer one patient person dedy :)  Thanks for sticking it out.  This has to be it.  How do I add him to a system directory?
 
dedy_djajapermana Commented:
:)
It's good to sharpen my remote-troubleshooting skill too

To add to system directory:
WRKDIRE then take option 1, or:
ADDDIRE USRID(QDLSUSER SYSNAME) USRD(DESCRIPTION) USER(QDLSUSER) SYSNAME(SYSNAME)

 
cpfister Author Commented:
Please tell me what I am doing by enrolling Qdlsuser in a system directory.  What is the minimum amount of info I have to add to complete the enrollment?  There are a lot of blanks to fill in.

                              Add Directory Entry                              
                                                                               
 Type choices, press Enter.                                                    
                                                                               
   User ID/Address . . . .                                                      
   Description . . . . . .                                                      
   System name/Group . . .   ACN400                 F4 for list                
   User profile  . . . . .                          F4 for list                
   Network user ID . . . .                                                      
                                                                               
   Name:                                                                        
     Last  . . . . . . . .                                                      
     First . . . . . . . .                                                      
     Middle  . . . . . . .                                                      
     Preferred . . . . . .                                                      
     Full  . . . . . . . .                                                      
                                                                               
   Department  . . . . . .                          F4 for list                
   Job title . . . . . . .                                                      
   Company . . . . . . . .                                                      
                                                                        More...
 
dedy_djajapermana Commented:
a user profile has to be listed in directory entry for some purpose:
- the profile need to use client access
- the profile need to send (or receive) network message/file
- the profile need to send/receive email

minimum entry for your directory entry is:
ADDDIRE USRID(QDLSUSER ACN400) USRD(DESCRIPTION) USER(QDLSUSER) SYSNAME(ACN400)
you can press F4 from there to see more parameters
 
cpfister Author Commented:
I'm in!.... :)

    Dedy,  your help has been greatly appreciated!  I was wondering if there is any way I could contact you directly in the future on problems like this?  Have you ever considered doing consulting for cash rather than points?  If you are at all interested call me!  I don't want to post the number here but you can contact me at Arrival Communications of Bakersfield (CA)  the contact number should be on our website: Arrival.com.  Just ask for Charlie.  

THANK YOU!
 
dedy_djajapermana Commented:
You're most welcome, Charlie

Sure, i am interested in $, who doesn't anyway? :) but i think it's not too feasible i guess, i'm far far away from CA

my email address is dedy_djajapermana@yahoo.com.sg

cheers!