When I am mapping an IFS folder to a Windows network drive I know that there are times where I will perform a typo on my password and the IBM i operating system will block me. This is where it gets interesting, I have disabled the user id I use trying to perform this connection, but I can still signon to the same IBM i.
When I create a user profile the command appears to create two:
- What I call the "IBM i" that I use to signon to a 5250 ("green screen") session.
- A NetServer user profile, that is used when I use the NetServer functions like mapping a Windows network drive to an IFS share.
I do not have to do anything extra to create the NetServer user profile, it appears to be created at the same time the "IBM i" profile is.
How can I tell if my NetServer profile is disabled?
How about when I try to map the IFS share to a Microsoft Windows network drive using the Batch file:
C:\>NET USE R: \\dev730.rzkh.de\RPGPGM /user:9220.127.116.11\SIMON Enter the password for '918.104.22.168\SIMON' to connect to 'dev730.rzkh.de': System error 5 has occurred. Access is denied. C:\>PAUSE Press any key to continue . . .
A message is also sent to the QSYSOPR message queue:
User profile SIMON disabled for IBM i Support for Windows Network Neighborhood access.
Which I can prompt upon to see more of the message:
Message ID . . . . : CPIB682 Severity . . . : 00 Message type . . . : Information Message . . . . : User profile SIMON disabled for IBM i Support for Windows Network Neighborhood access. Cause . . . . . : User profile SIMON exceeded the maximum number of incorrect sign-on attempts when connecting to IBM i Support for Windows Network Neighborhood (IBM i NetServer). This user profile has been disabled for IBM i NetServer access. The latest failure was received from workstation ::ffff:922.214.171.124 at IP address ::ffff:9126.96.36.199.
Now I have the bad news, what do I need to do to re-enable my NetServer user id?
I have used two ways:
I have to get to the "File Shares" which means:
I click on the plus ( + ) next to "My Connections".
Click on the plus next to the IBM i partition's name.
Click on the plus next to "File Systems".
Right click on "File Shares".
Select "Open i5/OS Net Server" (yours might be named slightly differently depending upon the version of Operations Navigator you are using).
Click on "File".
Select "Disabled User IDs".
There might be other profiles shown here.
Click on the ID, then click on the "Enable User ID" button.
My NetServer id has been re-enabled, as it is no longer displayed in this window.
The issue with enabling NetServer user ids using Operations Navigator means that this can only be done by someone with a full version of Operation Navigator and the necessary security authorizations. The average user cannot do this for themselves.
I was heartened to discover that there is an IBM i API, QZLSCHSI, that can be called to do the same as I just did using Operation Navigator. IBM is even kind enough to give an example in their documentation for this API of a program to re-enable the NetServer id.
I took the example, made a few minor changes, and put my program on a menu so that any user can re-enable their NetServer id for themselves. The program is just ten lines long:
01 PGM PARM(&USER) 02 DCL VAR(&USER) TYPE(*CHAR) LEN(10) 03 DCL VAR(&RQSVAR) TYPE(*CHAR) LEN(14) 04 DCL VAR(&RQSLEN) TYPE(*INT) VALUE(14) 05 DCLPRCOPT USRPRF(*OWNER) 06 IF COND(&USER = ' ') THEN(RTVJOBA USER(&USER)) 07 CHGVAR VAR(&RQSVAR) VALUE(' ' *CAT &USER) 08 CHGVAR VAR(%BINARY(&RQSVAR 1 4)) VALUE(&RQSLEN) 09 CALL PGM(QSYS/QZLSCHSI) PARM(&RQSVAR &RQSLEN + 'ZLSS0200' X'00000000') 10 ENDPGM
Line 1: I may want to write another program to call this one and pass to it a user id I want to re-enable. For now the call on the menu passes a blank parameter.
Lines 2: This variable will contain the user id of the person who wants to re-enable their id.
Lines 3 and 4: These are parameters that are passed to the API when it is called.
Line 5: If the user does not have *IOSYSCFG and *JOBCTL special authority they will not be able to run the API. I need the program to adopt the authority of the program's owner, in this case the profile of who created the program object. I do this using the Declare Processing Options command, DCLPRCOPT with the USRPRF parameter of object owner.
Lines 7 and 8: I build the parameters that will be passed to the API. The first is the user id, and the second is the length of the first variable's contents.
Line 9: The API is called with four parameters:
- Request variable, i.e. the user id
- Length of request variable, as binary
- Format, ZLSS0200 indicates to the API that I want to re-enable the NetServer id passed in the first parameter
- Error code, don't care about this so I pass a value of hexadecimal zeros to the API
I have to be careful how I compile this program. If I compile use my usual programmer profile, which has neither *IOSYSCFG nor *SECADM authorities when the program is called I receive the following message:
Message ID . . . . : CPFB684 Severity . . . : 40 Message type . . . : Diagnostic Message . . . . : User does not have the correct authority for API QZLSCHSI. Cause . . . . . : Error occurred for reason code 2. See explanation of the reason codes below: 1 - User does not have *IOSYSCFG authority. 2 - User does not have *IOSYSCFG and *SECADM authority. 3 - File system directory or output queue does not exist and the user does not have *IOSYSCFG authority. 4 - File system directory or output queue does exist, but the user does not have *IOSYSCFG authority or is not the owner of the file system directory or output queue. Recovery . . . : Complete the recovery for the specified reason code and call the API again.
This time I compiled the program using a profile that is the same as QSECOFR. Now when I run this program it enables my NetServer id without error.
I did find a mention, in IBM's documentation, of an option on the NETS menu that would allow me to re-enable my NetServer id, but I was unable to find a menu called NETS on any of the IBM i I use.
You can learn more about this from the IBM website:
Other posts in this trilogy:
- Making copy a file to the IFS easier
- Create and share IFS folder with Windows
- Re-enable disabled IFS user profile (this post)
This article was written for IBM i 7.3, and should work for some earlier releases too.