Kalvin Weaver
asked on
QNTC link
We have our server connected to our I-series (5.4) the other day it dropped our server information. QNTC/AACFILE01/AS400 Where the AS400 is our folder/share. The AS400 dropped and when we try and put it back we get an error stating the system failed due to an unknown error. I cannot find why it dropped or why I cannot reconnect it. PS. they dropped IBM support several years ago. Yea....
CPE3474 "Unknown System State"
Also, when I place a 5 on AACFILE01(our server name) the next screen is blank. Via WRKLNK /
CPE3474 "Unknown System State"
Also, when I place a 5 on AACFILE01(our server name) the next screen is blank. Via WRKLNK /
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Are there any errors in your joblog prior to the CPE3474?
ASKER
No sir. It spins like it's working and drops off with that error. It's like the I-series cannot see our server. I had the controllers checked by our hardware guys. We can see the path from our network manager, but cannot see anything past the AACFILE01(server name)
This could happen if the Windows OS was upgraded to a version not supported with IBM i V5R4.
ASKER
Last upgrade to OS was 2 years ago
Then next most likely issue is authority. If you haven't configured for Kerberos, then you need a matching user name and password on the iSeries initiating the connection and on Windows.
Windows server name gets advertised without authentication.
You need to authenticate to Windows to see shares. If you're auditing security failures on your domain controllers (or standalone server if target isn't a member of a domain, you'll probably see an authorization failure on one of your DC logs (if you have multiple you need to check them all) at the precise time you try to access the share from the iSeries.
Still having problems? Post Windows version of target machine for more specific help.
You need to authenticate to Windows to see shares. If you're auditing security failures on your domain controllers (or standalone server if target isn't a member of a domain, you'll probably see an authorization failure on one of your DC logs (if you have multiple you need to check them all) at the precise time you try to access the share from the iSeries.
Still having problems? Post Windows version of target machine for more specific help.
ASKER
Gary, this might be it. I sign on with QSECOFR and try and make a directory. It tells me I am not authorized. We will check when my server guy gets here. Thanks for all your help.
If you sign on to the ISeries as QSECOFR, you need a Windows profile called QSECOFR, too, and the Windows ID needs to have adequate rights to the share and NTFS rights to the folders and files under the share.
Passwords need to match on both systems, and sometimes password case matters. Just remember that the job that does the CRTDIR needs to be running under a profile that has a match on Windows, and any jobs that use the QNTC share need to be running under a profile that has a match on Windows.
Passwords need to match on both systems, and sometimes password case matters. Just remember that the job that does the CRTDIR needs to be running under a profile that has a match on Windows, and any jobs that use the QNTC share need to be running under a profile that has a match on Windows.
ASKER
We checked it, Doesn't seem to be the problem. What would you charge to remote in?
ASKER
Both Systems have a user profile call "AS400" I log in as AS400. I do a MKDIR DIR(qntc/aacfile01) and it creates the directory. If I do MKDIR DIR('qntc/aacfile01/as400/ ) it says not authorized to object.
ASKER
We checked the passwords, I can't see the password on the server, but we tried to change it to match the I-series (All Caps) and it would not let us. It hasn't made a difference before.
You generally wouldn't do that if the as400 folder already exists. Verify that the iSeries user ID you are using maps to a Windows user with adequate authority to the share and adequate NTFS permissions. That's usually what "not authorized to object" means.
Is the AS400 profile expired or locked out on Windows?
Can you log on to Windows using the AS400 profile and access the share? IF not, you'll never get to it from qntc.
Is the AS400 profile expired or locked out on Windows?
Can you log on to Windows using the AS400 profile and access the share? IF not, you'll never get to it from qntc.
ASKER
No sir, Not expired and Ricardo was able to log into windows using the AS400 profile.
And access the share?
ASKER
Yes, sir
On Windows, enable authority failure logging in Event Viewer on your domain controllers, and attempt to connect (browse into qntc/aacfile0). Once you get the error, check the Windows event log, and post here. Also, what's the OS version on the Windows file server, and on your Windows DCs?
ASKER
Let Garry know that we can browser to \\10.21.1.10\qntc and see the folder called aacfile01 but we can’t create any folders within aacfile01. No authority. Also our Corp IT has access to our DCs which I don’t have access to them here locally.
Ricardo
Ricardo
That's confusing.
What is 10.21.1.10? Windows server or iSeries?
Browse from where? Windows or iSeries.
Look, this should be pretty simple. If it worked before, it should probably work now.
You should only access QNTC from the iSeries:
MATCHING PROFILES AND PASSWORDS
1) Verify that you have a profile called AS400 on the iSeries, and a matching profile on Windows.
2) Verify the passwords are the same on both systems - I'd suggest all lower case.
WINDOWS SIDE
3) Log onto Windows using the AS400 Windows user profile, and browse to \\AACFILE01 using Windows Explorer
4) Verify that you can access the \\AACFILE01\AS400 folder, and any files in there. Fix any Windows authority issues before you proceed.
ISERIES SIDE
5) Log onto a green-screen iSeries session using the AS400 iSeries user profile.
6) Go to a command line and issue WRKLNK '\qntc\aacfile01'
7) Take option 5 on the \qntc\aacfile01 link.
If everything is set up right, then you should see the AS400 folder, plus any other files or folders the AS400 Windows user id has access to.
If you can't access the AS400 folder, try changing the password of the AS400 user profile in both systems to all upper case.
If you keep getting authority errors, then you probably are going to need to get your Windows security team involved to help figure out why the AS400 Windows ID doesn't have rights to access the share.
If you still can't get it to work, post back, but if you can't post Windows security logs to help narrow down the problem, I don't know how much more I can help you.
What is 10.21.1.10? Windows server or iSeries?
Browse from where? Windows or iSeries.
Look, this should be pretty simple. If it worked before, it should probably work now.
You should only access QNTC from the iSeries:
MATCHING PROFILES AND PASSWORDS
1) Verify that you have a profile called AS400 on the iSeries, and a matching profile on Windows.
2) Verify the passwords are the same on both systems - I'd suggest all lower case.
WINDOWS SIDE
3) Log onto Windows using the AS400 Windows user profile, and browse to \\AACFILE01 using Windows Explorer
4) Verify that you can access the \\AACFILE01\AS400 folder, and any files in there. Fix any Windows authority issues before you proceed.
ISERIES SIDE
5) Log onto a green-screen iSeries session using the AS400 iSeries user profile.
6) Go to a command line and issue WRKLNK '\qntc\aacfile01'
7) Take option 5 on the \qntc\aacfile01 link.
If everything is set up right, then you should see the AS400 folder, plus any other files or folders the AS400 Windows user id has access to.
If you can't access the AS400 folder, try changing the password of the AS400 user profile in both systems to all upper case.
If you keep getting authority errors, then you probably are going to need to get your Windows security team involved to help figure out why the AS400 Windows ID doesn't have rights to access the share.
If you still can't get it to work, post back, but if you can't post Windows security logs to help narrow down the problem, I don't know how much more I can help you.
Gary,
My name is Ricardo Arteaga, Kalvin Weaver's co-worker, everything you've mentioned we have verified and seems to be configured correctly, Is there a way to verify that the AS400 account we use to try to access the Windows Server is a SMBv2/CIFS or higher?
My name is Ricardo Arteaga, Kalvin Weaver's co-worker, everything you've mentioned we have verified and seems to be configured correctly, Is there a way to verify that the AS400 account we use to try to access the Windows Server is a SMBv2/CIFS or higher?
What is 10.21.1.10? (IP Address for our AS400 iSeries)
Browse from where? (Windows)
Look, this should be pretty simple. If it worked before, it should probably work now.
You should only access QNTC from the iSeries:
MATCHING PROFILES AND PASSWORDS
1) Verify that you have a profile called AS400 on the iSeries, and a matching profile on Windows. (This has been verified)
2) Verify the passwords are the same on both systems - I'd suggest all lower case. (This has been verified)
WINDOWS SIDE
3) Log onto Windows using the AS400 Windows user profile, and browse to \\AACFILE01 using Windows Explorer (This has been verified)
4) Verify that you can access the \\AACFILE01\AS400 folder, and any files in there. Fix any Windows authority issues before you proceed. (This has been verified)
ISERIES SIDE
5) Log onto a green-screen iSeries session using the AS400 iSeries user profile. (This has been verified)
6) Go to a command line and issue WRKLNK '\qntc\aacfile01' (This has been verified)
7) Take option 5 on the \qntc\aacfile01 link. (this is empty, no folder or shares)
Browse from where? (Windows)
Look, this should be pretty simple. If it worked before, it should probably work now.
You should only access QNTC from the iSeries:
MATCHING PROFILES AND PASSWORDS
1) Verify that you have a profile called AS400 on the iSeries, and a matching profile on Windows. (This has been verified)
2) Verify the passwords are the same on both systems - I'd suggest all lower case. (This has been verified)
WINDOWS SIDE
3) Log onto Windows using the AS400 Windows user profile, and browse to \\AACFILE01 using Windows Explorer (This has been verified)
4) Verify that you can access the \\AACFILE01\AS400 folder, and any files in there. Fix any Windows authority issues before you proceed. (This has been verified)
ISERIES SIDE
5) Log onto a green-screen iSeries session using the AS400 iSeries user profile. (This has been verified)
6) Go to a command line and issue WRKLNK '\qntc\aacfile01' (This has been verified)
7) Take option 5 on the \qntc\aacfile01 link. (this is empty, no folder or shares)
Browsing from Windows, through an iSeries QNTC share, back to a different Windows server creates a whole complicated set of possible failure points. Not useful in troubleshooting this issue.
Going forward, suggest you browse to \\aacfile01 from Windows, and WRKLNK '\qntc\aacfile01' from the iSeries.
Suggest you restart NetServer. https://www.itjungle.com/2012/05/30/fhg053012-story03/
If that doesn't fix the problem, then we need to understand why you're getting an authority failure. Most of the time is is because of - wait for it - an authority issue.
If the server AACFILE01 is a domain server, the the next step is to enable Authority Failure auditing on your Windows DC's, and post the event log message that gets generated when the connection fails. If it is not a member of a domain, just enable authority failure auditing on AACFILE01 and review the event logs there.
I know you probably don't like that answer, but it is the next step in troubleshooting this.
Here are some more articles on troubleshooting QNTC problems.
http://www-01.ibm.com/support/docview.wss?uid=nas8N1018146
And you still haven't told me what Windows versions we're dealing with on the file server and DCs.
Going forward, suggest you browse to \\aacfile01 from Windows, and WRKLNK '\qntc\aacfile01' from the iSeries.
Suggest you restart NetServer. https://www.itjungle.com/2012/05/30/fhg053012-story03/
If that doesn't fix the problem, then we need to understand why you're getting an authority failure. Most of the time is is because of - wait for it - an authority issue.
If the server AACFILE01 is a domain server, the the next step is to enable Authority Failure auditing on your Windows DC's, and post the event log message that gets generated when the connection fails. If it is not a member of a domain, just enable authority failure auditing on AACFILE01 and review the event logs there.
I know you probably don't like that answer, but it is the next step in troubleshooting this.
Here are some more articles on troubleshooting QNTC problems.
http://www-01.ibm.com/support/docview.wss?uid=nas8N1018146
And you still haven't told me what Windows versions we're dealing with on the file server and DCs.
ASKER
Gary , looks like the Microsoft protocols were changed and we need to change the administrative protocols to SMB V2 or 3. Problem is, I've never done this. Can you give me a hint?
OK. Yesterday you said there were no Windows changes, so we eliminated this as a possibility.
What version of Windows is the file server running?
What version of Windows is the file server running?
Gary, This was a change that was done by our Corp IT in Winnipeg, Canada and we (locally) just found out about it yesterday. They installed a critical update to our servers due to the Ransom Ware that was hitting a lot of business throughout the world. It was update 17-010 which I believe eliminates the usage of SMB1.0/CIFS which seems to have caused our issues. Our current File Server is running on Windows Server 2012 Standard 64bit OS. Apparently now we have to use SMB v2 or higher in order for it to work like it used too. So our question is, is there a way to verify what version of SMB we are using and if so can it be changed to a higher version of SMB?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Or, of course, upgrade to V7R2 or later.
ASKER
Our Payroll is on Kronos and the version we have does not run past 5.4
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Wish I had better news.
Gary if we go the NFS route, can you give us some pointers or links that can guide us in moving in that direction? Once again Thank You so much for all the information you have shared with us on our issue so far.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER