
When I am mapping an IFS folder to a Windows network drive I know that there are times where I will make a typo in my password and the IBM i operating system will block me. This is where it gets interesting: I have disabled the user id I use trying to perform this connection, but I can still sign on to the same IBM i.
When I create a user profile the command appears to create two:
- What I call the "IBM i" that I use to sign on to a 5250 ("green screen") session.
- A NetServer user profile, that is used when I use the NetServer functions like mapping a Windows network drive to an IFS share.
I do not have to do anything extra to create the NetServer user profile, it appears to be created at the same time the "IBM i" profile is.
How can I tell if my NetServer profile is disabled?
How about when I try to map the IFS share to a Microsoft Windows network drive using the Batch file:
```
C:\>NET USE R: \\dev730.rzkh.de\RPGPGM /user:999.99.9.99\SIMON
Enter the password for '999.99.9.99\SIMON' to connect to 'dev730.rzkh.de':
System error 5 has occurred.
Access is denied.
C:\>PAUSE
Press any key to continue . . .
```
A message is also sent to the QSYSOPR message queue:
```
User profile SIMON disabled for IBM i Support for Windows Network Neighborhood access.
```
Which I can prompt upon to see more of the message:
```
Message ID . . . . :   CPIB682       Severity . . . :   00
Message type . . . :   Information
Message . . . . :   User profile SIMON disabled for IBM i Support for Windows
  Network Neighborhood access.
Cause . . . . . :   User profile SIMON exceeded the maximum number of incorrect
  sign-on attempts when connecting to IBM i Support for Windows Network
  Neighborhood (IBM i NetServer). This user profile has been disabled for
  IBM i NetServer access. The latest failure was received from workstation
  ::ffff:999.99.9.99 at IP address ::ffff:999.99.9.99.
```
Now I have the bad news, what do I need to do to re-enable my NetServer user id?
I have used two ways:
Via Operations Navigator
November 24, 2022: As Client Access is no longer supported you cannot use this method:
I have to get to the "File Shares" which means:
I click on the plus ( + ) next to "My Connections".
Click on the plus next to the IBM i partition's name.
Click on the plus next to "File Systems".
Right click on "File Shares".
Select "Open i5/OS Net Server" (yours might be named slightly differently depending upon the version of Operations Navigator you are using).
Click on "File".
Select "Disabled User IDs".
There might be other profiles shown here.
Click on the ID, then click on the "Enable User ID" button.
My NetServer id has been re-enabled, as it is no longer displayed in this window.
Using an IBM i API
The issue with enabling NetServer user ids using Operations Navigator is that it can only be done by someone with a full version of Operations Navigator and the necessary security authorizations. The average user cannot do this for themselves.
I was heartened to discover that there is an IBM i API, QZLSCHSI, that can be called to do the same as I just did using Operations Navigator. IBM is even kind enough to give an example in their documentation for this API of a program to re-enable the NetServer id.
I took the example, made a few minor changes, and put my program on a menu so that any user can re-enable their NetServer id for themselves. The program is just ten lines long:
```
01  PGM        PARM(&USER)
02  DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
03  DCL        VAR(&RQSVAR) TYPE(*CHAR) LEN(14)
04  DCL        VAR(&RQSLEN) TYPE(*INT) VALUE(14)
05  DCLPRCOPT  USRPRF(*OWNER)
06  IF         COND(&USER = ' ') THEN(RTVJOBA USER(&USER))
07  CHGVAR     VAR(&RQSVAR) VALUE('    ' *CAT &USER) /* 4 blanks reserve the length field */
08  CHGVAR     VAR(%BINARY(&RQSVAR 1 4)) VALUE(&RQSLEN)
09  CALL       PGM(QSYS/QZLSCHSI) PARM(&RQSVAR &RQSLEN +
                 'ZLSS0200' X'00000000')
10  ENDPGM
```
Line 1: I may want to write another program to call this one and pass to it a user id I want to re-enable. For now the call on the menu passes a blank parameter.
Line 2: This variable will contain the user id of the person who wants to re-enable their id.
Lines 3 and 4: These are parameters that are passed to the API when it is called.
Line 5: If the user does not have *IOSYSCFG and *JOBCTL special authority they will not be able to run the API. I need the program to adopt the authority of the program's owner, in this case the profile of who created the program object. I do this using the Declare Processing Options command, DCLPRCOPT with the USRPRF parameter of object owner.
Lines 7 and 8: I build the parameters that will be passed to the API. The first is the user id, and the second is the length of the first variable's contents.
Line 9: The API is called with four parameters:
- Request variable, i.e. the user id
- Length of request variable, as binary
- Format, ZLSS0200 indicates to the API that I want to re-enable the NetServer id passed in the first parameter
- Error code, don't care about this so I pass a value of hexadecimal zeros to the API
I have to be careful how I compile this program. If I compile it using my usual programmer profile, which has neither *IOSYSCFG nor *SECADM authority, then when the program is called I receive the following message:
```
Message ID . . . . :   CPFB684       Severity . . . :   40
Message type . . . :   Diagnostic
Message . . . . :   User does not have the correct authority for API QZLSCHSI.
Cause . . . . . :   Error occurred for reason code 2. See explanation of the
  reason codes below:
    1 - User does not have *IOSYSCFG authority.
    2 - User does not have *IOSYSCFG and *SECADM authority.
    3 - File system directory or output queue does not exist and the user
        does not have *IOSYSCFG authority.
    4 - File system directory or output queue does exist, but the user does
        not have *IOSYSCFG authority or is not the owner of the file system
        directory or output queue.
Recovery . . . :   Complete the recovery for the specified reason code and
  call the API again.
```
This time I compiled the program using a profile that is the same as QSECOFR. Now when I run this program it enables my NetServer id without error.
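Added example, not part of the original post or of IBM's documentation: a variant of the program that narrows what the adopted authority can do. It takes no parameter, so a caller can only re-enable the NetServer id of the profile running the job, and it monitors for the API failing instead of ending on an unmonitored escape message. The use of RTVJOBA CURUSER, the MONMSG ranges and the message wording are choices of this example.

```cl
PGM
DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
DCL        VAR(&RQSVAR) TYPE(*CHAR) LEN(14)
DCL        VAR(&RQSLEN) TYPE(*INT) VALUE(14)
DCLPRCOPT  USRPRF(*OWNER)

/* No PARM: the owner's authority is only ever used for the caller.  */
/* Adopting authority does not change the job's current user.        */
RTVJOBA    CURUSER(&USER)

/* Request variable: 4-byte binary length, then the 10-char user id  */
CHGVAR     VAR(%BINARY(&RQSVAR 1 4)) VALUE(&RQSLEN)
CHGVAR     VAR(%SST(&RQSVAR 5 10)) VALUE(&USER)

/* An error code of hex zeros (bytes provided = 0) makes the API     */
/* report failures as escape messages, which MONMSG can catch.       */
CALL       PGM(QSYS/QZLSCHSI) PARM(&RQSVAR &RQSLEN +
             'ZLSS0200' X'00000000')
MONMSG     MSGID(CPF0000 MCH0000) EXEC(DO)
  SNDPGMMSG  MSG('NetServer user id' *BCAT &USER *BCAT +
               'could not be re-enabled. See the job log.') +
               MSGTYPE(*DIAG)
  RETURN
ENDDO

SNDPGMMSG  MSG('NetServer user id' *BCAT &USER *BCAT +
             're-enabled.') MSGTYPE(*COMP)
ENDPGM
```

Because the program runs with its owner's special authorities, the authority on the program object itself decides who can use it, so it is worth reviewing alongside the menu that calls it.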
I did find a mention, in IBM's documentation, of an option on the NETS menu that would allow me to re-enable my NetServer id, but I was unable to find a menu called NETS on any of the IBM i I use.
You can learn more about this from the IBM website:
Other posts in this trilogy:
- Making copy a file to the IFS easier
- Create and share IFS folder with Windows
- Re-enable disabled IFS user profile (this post)
This article was written for IBM i 7.3, and should work for some earlier releases too.
You can load the NETS menus from QUSRTOOL library. I loaded and created a command to run the menu option and allow all users to access and enable themselves.
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021773
As Dave mentioned, the NETS menu (option 12 I recall) makes it easy to re-enable the disabled users. Have given it to clients so they can do self-service. Presents them w/a simple list that they just use the option to re-enable.
I wrote a program that when the user takes the menu option it re-enables their NetServer profile.