Solved

How to grant permissions to an AS/400 directory share...

Posted on 2003-11-07
Last Modified: 2007-12-19
    I am able to map a drive to the AS400\QDLS shared folder from a Win2k box using the QSECOFR username and password.  Most of our users get an access denied error when they attempt to map to it with their AS/400 username and passwords.  What do I need to do to grant other user accounts access to this shared drive?
Question by:cpfister

Expert Comment by: dedy_djajapermana
Most likely public doesn't have object level authority to /QDLS.
From the command line, run WRKLNK, then put option 9 on QDLS to check the assigned permission.

Expert Comment by: theo kouwenhoven
You can use CHGAUT for that.

Author Comment by: cpfister
Here is what is displayed when I check the Authority to /qdls:    
             Data     --Object Authorities--
 Opt  User        Authority  Exist  Mgt  Alter  Ref
       *PUBLIC     *RWX                              

I'm really just trying to give permissions to an additional SINGLE individual.  Am I correct in thinking that the above means that all users have read write and execute permissions to /QDLS?  

Another thought:  Someone here has mentioned a need to match the NT username and password to the AS/400 username and password.  Would the NT side really have anything to do with this permissions issue?

Expert Comment by: dedy_djajapermana
Yes, that's correct, all users have read/write/execute authority to /Qdls.

Synchronizing NT username & password to AS/400 is only when you don't want AS/400 to prompt you for user and password.

Another possibility is that there's some system objects authority that's modified.
Please check joblog of QZLSSERVER job, this is server job that handles file server connection.

Expert Comment by: theo kouwenhoven
Our Network and AS/400 User-ID's are not the same, so I had the same problem. For this purpose, I created 1 same user account on the network and on the AS/400 and set the right authorities.

When linking to the QDLS dir, this is connected by clicking the "Connect using a different user name" option and specify the special created user-ID.

Author Comment by: cpfister
<dedy_djajapermana, I'm fairly inexperienced with AS400 commands so step by step is probably necessary with me.  I did my best to dig up the joblog of QZLSSERVER job but ended up with 11 pages of completion messages.  All from 11/07/03.  None of which offered an insight as to changes to system object authority.

<Murphey2, I will likely do as you have done with the same user accounts, however my issue still remains.  I need to know how to set the correct authorities on the AS400 side for a given user to allow permissions to map the drive.

Expert Comment by: Tgerdes
Do you have Operations Navigator on your PC? It comes on the Client Access CD!  If you do, create a connection (File, connection to servers, add connection).  Once you have created a connection, double click on it to open that connection!  Probably best to sign on with a QSECOFR level signon.  Double click on "file systems"!  Double click on "integrated file system"!  Right click on /QDLS and select "sharing..."!  Select "new share"!  Once the share is created, users will be able to access the share on your PC network!  You can also right click on /QDLS and select "permissions"; this will allow you to edit user authority the same as the EDTOBJAUT command!  Operations Navigator is a much easier way to make this work!

Author Comment by: cpfister
Tgerdes, I actually have put some effort into working via the Ops Navigator.  Unfortunately, the only options it gives me are USE and CHANGE permissions for PUBLIC.  Public already has change permissions but there is something else at work here as only 3 accounts seem to be able to successfully map the drive.  One being QSECOFR.  

Does anyone have more info on how to work with QZLSSERVER to check object authority as was mentioned by dedy_djajapermana above?

Expert Comment by: dedy_djajapermana
hi again cpfister...

i tried to simulate your failure here, but also couldn't find anything in QZLSSERVER joblog, so let's don't talk about the job for now.
Let's analyze the problem all over again... Some possibilities of the failure are:
1. Not sufficient object authority:
It has been checked, and verified that *PUBLIC has enough authority.
2. User disabled.
Profile for system user profile and netserver user profile are stored in different repository. One of common problem is profile for netserver is disabled (although at system level, profile still able to signon) To check, from ops nav. expand  System>Network>Servers>TCP/IP, and right click Disable User IDs
3. user conflict (xp or w2k with AS/400)
I've heard some issue about it too, but not too sure what exactly is the problem. However, you can try this to "force" use AS/400 profile you selected instead of sending current window user:
a. from windows, go to command prompt
b. type: NET USE \\system /user:userA
    note: system=AS/400 IP address and userA=AS/400 profile
c. If it says "The command completed successfully", then you can browse \\system (type START  \\SYSTEM from command prompt.)

Please let me know the result...

Author Comment by: cpfister
No users were shown as disabled under as\400netserver
I tried to force the drive mapping using a user account that I just created called QDLSUSER and got these results:

C:\Documents and Settings\cpfister>net use i: \\x.x.x.x\qdls /user:qdlsuser
System error 1219 has occurred.
The credentials supplied conflict with an existing set of credentials.

Then I tried using qsecofr and it worked (Without even supplying a password, which scares me):
C:\Documents and Settings\cpfister>net use i: \\x.x.x.x\qdls /user:qsecofr
The command completed successfully.

OK, now aside from the need to grant drive mapping permissions to QDLSUSER I now need to figure out how to prevent people from gaining access using qsecofr without a password.  I'll throw in 100 additional points to whoever can tell me how to remedy this apparent security hole. :(  

Expert Comment by: dedy_djajapermana
i think before you tried to connect using QDLSUSER, your PC was already connected (and password entered before). That's the reason why it's not asking for QSECOFR password, same reason for the credential conflict.

To do a clean, fresh connection, please disconnect the netserver connection before you issue net use command by:
net use \\x.x.x.x\qdls /delete

to ensure that it's no longer connected, see the status with:
net use

then try the connection again with either QDLSUSER or QSECOFR, it should prompt for the password, alternatively, you can use:
net use \\x.x.x.x\qdls password /user:user
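
The clean-reconnect steps from the reply above, collected into one Windows batch file. This is an added example, not part of the original reply; HOST, SHARE, PROFILE and DRIVE are placeholder values, and it uses the `*` password prompt of `net use` instead of typing the password on the command line.

```bat
@echo off
rem Added example, not from the thread: clean NetServer reconnect under one profile.
rem HOST, SHARE, PROFILE and DRIVE are placeholders (assumptions); edit before use.
setlocal
set "HOST=x.x.x.x"
set "SHARE=qdls"
set "PROFILE=QDLSUSER"
set "DRIVE=I:"

rem Windows keeps one credential set per server name. Any leftover session,
rem mapped drive or not, makes the next logon fail with system error 1219 or
rem reuse the earlier profile without asking for a password.
net use %DRIVE% /delete /y >nul 2>&1
net use \\%HOST%\%SHARE% /delete /y >nul 2>&1
net use \\%HOST%\IPC$ /delete /y >nul 2>&1

rem Confirm nothing to this host remains before testing the new profile.
net use | findstr /i /l /c:"%HOST%" >nul
if not errorlevel 1 (
    echo A session to %HOST% is still open; run "net use" and remove it first.
    exit /b 1
)

rem "*" makes net use prompt for the password, so it never lands on the
rem command line, in the console scrollback or in a script file.
net use %DRIVE% \\%HOST%\%SHARE% * /user:%PROFILE% /persistent:no
if errorlevel 1 (
    echo Mapping as %PROFILE% failed; the error above is for this profile only.
    exit /b 1
)
echo %DRIVE% is mapped to \\%HOST%\%SHARE% as %PROFILE%.
endlocal
```

Because every earlier session is removed first, a success or an access-denied result from this run reflects the named profile alone, not credentials cached from an earlier QSECOFR logon.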

Author Comment by: cpfister
Ok Dedy_ I'm a dill hole.  You've got yourself 100 points for that... QSECOFR does actually need a password.  QDLSUSER is still getting access denied though (and nearly all the other users as well).  So my initial problem remains.  Are there any other permissions that have to be granted to allow users access to a network share?  Or is granting change permissions for QDLS to PUBLIC all that needs to be done to allow access?  Is there a LINK object that could have deny permissions, which are countering the PUBLICs change permissions?  

Expert Comment by: dedy_djajapermana
hi again cpfister....

i think i almost run out of idea.... :)
have you tried to connect to \\x.x.x.x instead of \\x.x.x.x\qdls ?
e.g., Start -> Run -> type \\x.x.x.x ENTER
can QDLSUSER see the list of folders (but get 'access denied' when opening /QDLS)?
If QDLSUSER is able to see list of folders but unable to go into QDLS, then maybe *PUBLIC authority of QDOC library is exclude.

Any other information? QSECURITY level?

Author Comment by: cpfister
Yes, you are correct.
     qdlsuser is able to see the list of folders but gets 'access denied' when attempting to open /QDLS.  How do I check the authority on the QDOC library?  Or better yet what do I do to grant change permissions to QDOC for QDLSUSER?  

Expert Comment by: dedy_djajapermana
EDTOBJAUT QDOC *LIB (enter)

Author Comment by: cpfister
Here's the current settings.  Does public need more than "USE" permissions?                                                                                
   Object secured by authorization list  . . . . . . . . . . . .   *NONE      
                                                                               
                          Object    ----------Object-----------                
 User        Group       Authority  Opr  Mgt  Exist  Alter  Ref                
 QDOC                    *ALL           X     X      X      X       X                
 *PUBLIC                 *USE          X                                        
                                                                               
Accepted Solution by: dedy_djajapermana (earned 200 total points)
No, that seems to be correct...

Is your QDLSUSER enrolled in system directory? (WRKDIRE)
It should be in system directory entry

Author Comment by: cpfister
Yer one patient person dedy :)  Thanks for sticking it out.  This has to be it.  How do I add him to a system directory?

Expert Comment by: dedy_djajapermana
:)
It's good to sharpen my remote-troubleshooting skill too

To add to system directory:
WRKDIRE then take option 1, or:
ADDDIRE USRID(QDLSUSER SYSNAME) USRD(DESCRIPTION) USER(QDLSUSER) SYSNAME(SYSNAME)

Author Comment by: cpfister
Please tell me what I am doing by enrolling Qdlsuser in a system directory.  What is the minimum amount of info I have to add to complete the enrollment?  There are a lot of blanks to fill in.

                              Add Directory Entry                              
                                                                               
 Type choices, press Enter.                                                    
                                                                               
   User ID/Address . . . .                                                      
   Description . . . . . .                                                      
   System name/Group . . .   ACN400                 F4 for list                
   User profile  . . . . .                          F4 for list                
   Network user ID . . . .                                                      
                                                                               
   Name:                                                                        
     Last  . . . . . . . .                                                      
     First . . . . . . . .                                                      
     Middle  . . . . . . .                                                      
     Preferred . . . . . .                                                      
     Full  . . . . . . . .                                                      
                                                                               
   Department  . . . . . .                          F4 for list                
   Job title . . . . . . .                                                      
   Company . . . . . . . .                                                      
                                                                        More...

Expert Comment by: dedy_djajapermana
a user profile has to be listed in directory entry for some purpose:
- the profile need to use client access
- the profile need to send (or receive) network message/file
- the profile need to send/receive email

minimum entry for your directory entry is:
ADDDIRE USRID(QDLSUSER ACN400) USRD(DESCRIPTION) USER(QDLSUSER) SYSNAME(ACN400)
you can press F4 from there to see more parameters

Author Comment by: cpfister
I'm in!.... :)

    Dedy,  your help has been greatly appreciated!  I was wondering if there is any way I could contact you directly in the future on problems like this?  Have you ever considered doing consulting for cash rather than points?  If you are at all interested call me!  I don't want to post the number here but you can contact me at Arrival Communications of Bakersfield (CA)  the contact number should be on our website: Arrival.com.  Just ask for Charlie.  

THANK YOU!

Expert Comment by: dedy_djajapermana
You're most welcome, Charlie

Sure, i am interested in $, who doesn't anyway? :) but i think it's not too feasible i guess, i'm far far away from CA

my email address is dedy_djajapermana@yahoo.com.sg

cheers!