iSeries OS upgrade breaks QNTC

akobes05
akobes05 used Ask the Experts™
on
We had a client upgrade their AS400 OS from 5.4 to 7.1.  Their QNTC was writing to a 2003 server.  We have an AS400 routine that converts files to PDF, writes them  to a QNTC path and then the website reads them. It was working fine before the upgrade. Now it give a "file not found" error. When I open up iNavigator and use the same login as the website I cant see any QNTC paths and I was able to see them before the upgrade.  Any thoughts what might be wrong?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Scott SilvaNetwork Administrator
Commented:
Did they follow all upgrade instructions? Apply all relevant PTF's on 5.4 before the upgrade?
Can you have someone check permissions via a QSECOFR login to make sure the website login has permission to access QNTC?

There shouldn't be anything that could break that unless there was an error during the upgrade that no one addressed...
Gary PattersonVP Technology / Senior Consultant

Commented:
After an IPL, QNTC paths may need to be recreated for servers that aren't on the local subnet:

https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_61/ifs/rzaaxntmkdir.htm

- Gary

Author

Commented:
Doesnt 7.1 use different protocols? Can a 7.1 AS400 OS even write to Server 2003?
Introduction to R

R is considered the predominant language for data scientist and statisticians. Learn how to use R for your own data science projects.

Scott SilvaNetwork Administrator

Commented:
I believe 7.1 still uses SMB V1 if I remember correctly.
Theo KouwenhovenApplication Consultant

Commented:
First try to use mono-case passwords, so WELKOM1 or welkom1  Instead of Welkom1
for some environments (especially Microsoft) mixed-case will give unpredictable results.

BTW, why upgrading to 7.1 while the life-cycle ends on 30-Apr-2018.
Gary PattersonVP Technology / Senior Consultant

Commented:
QNTC and NetServer only support SMB 1.0 in V7R1 and lower releases.  Support for SMB V2.0 is available in V7R2 and above.  As of V7R3 (current version), there is no support for SMB V3.0.

http://www-01.ibm.com/support/docview.wss?uid=nas8N1011878

For those of you on V7R2 and later, here is an important Technote related to SMB V2.0:

http://www-01.ibm.com/support/docview.wss?uid=nas8N1022198
Gary PattersonVP Technology / Senior Consultant

Commented:
I don't know of any reason V7R1 QNTC won't work with Windows 2003.  Lots of variable though, and troubleshooting QNTC can be difficult.  Post back if you are still having problems.  Did you try manually creating QNTC sub-directories as I outlined above?

Author

Commented:
I called IBM and ran through some troubleshooting with them.  Based on the errors messages we were getting on the AS400 its an issue exchanging security information between the AS400 and the windows server.  ALso they said the password should be all lowercase on the windows server since the password level on the AS400 is 1.

I dont know what the issue is.  I setup a test user on the AS400 and a local user on the windows server. Both have the same lowercase password.  In QNTC I can see the server but not the shares. I have verified that the share has the appropriate permissions.

Does windows log failed security requests somewhere.  Hopefully I can see what user/password its trying to connect with.
Theo KouwenhovenApplication Consultant
Commented:
"Also they said the password should be all lowercase...."

Correct All lower OR!!! all upper I prefer all Upper, because that is the Case that SecLevel 1 is working with.
VP Technology / Senior Consultant
Commented:
Yes, you'll need to check the Security Event Log on the target server (the one with the share you are accessing), and also possibly on each domain controller.  Make sure these servers are configured to log authority failures.  

Post back the following info:

Specific error messages you observed while troubleshooting with IBM.
Windows OS on each domain controller: ???
Full event log message for any authority failure messages logged.

IBM probably walked you though all of these, but at V7R1 with QPWDLVL=1, here are some items you should check.  Helpful if you posted back specifics on each item:

Have all recommended NetServer PTFs been applied after upgrade?  
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021541

Verify NetServer domain is configured the same as Windows:
Navigator - NEtwork - Servers - TCP/IP - IBM i NetServer (r click) - Configuration  (post config, please)

Verify Windows server and domain names are 15 characters or less in length, and verify Windows share names are 12 characters or less in length.

Verify that user IDs on IBM i and Windows have matching passwords (all lower case on Windows), are enabled, and that the Windows ID has adequate share permissions and NTFS permissions.  (Can't tell you how often someone has told me "nothing changed on Windows", and it had.)

Are the IBM i and Windows file server on the same subnet?  If not, you won't be able to browse from QNTC unless WINS is configured, and will have to manually configure your shares in QNTC.  What happens if you:
MKDIR '/QNTC/<NT server name>'
or
MKDIR '/QNTC/<IP address>'

From the Windows 2003 box, can you browse to NetServer using the IBM i DNS name or IP address in File Explorer?

================================================================================

If all else fails, run a QNTC Trace, and post the results.  Note that this could disclose information you prefer to keep private, so review the log before you post.  

CALL QZLCTRC (t x'FFFFFFFF') /* Starts Trace */
Attempt to access share via QNTC, wait for failure
CALL QZLCTRC (t x'00000000') /* Ends Trace */
CALL QZLCTRC (p)     /* Print trace - spooled file is QSYSPRT */
CALL QZLCTRC (c)     /* Clear trace data */

If you know how, or have someone who does, I'd also like to see a WireShark trace.  Same security considerations apply.  Look carefully before you share.

Consider setting up a new user profile and password for temporary use if you plan to post traces, and delete them after capture.
Theo KouwenhovenApplication Consultant

Commented:
no comment

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial