Pages

Thursday, January 10, 2019

Re-enable disabled IFS user id

enable disabled netserver ifs user id or profile

When I am mapping an IFS folder to a Windows network drive I know that there are times where I will perform a typo on my password and the IBM i operating system will block me. This is where it gets interesting, I have disabled the user id I use trying to perform this connection, but I can still signon to the same IBM i.

When I create a user profile the command appears to create two:

  1. What I call the "IBM i" that I use to signon to a 5250 ("green screen") session.
  2. A NetServer user profile, that is used when I use the NetServer functions like mapping a Windows network drive to an IFS share.

I do not have to do anything extra to create the NetServer user profile, it appears to be created at the same time the "IBM i" profile is.

How can I tell if my NetServer profile is disabled?

How about when I try to map the IFS share to a Microsoft Windows network drive using the Batch file:

C:\>NET USE R: \\dev730.rzkh.de\RPGPGM /user:999.99.9.99\SIMON
Enter the password for '999.99.9.99\SIMON' to connect to 
'dev730.rzkh.de':
System error 5 has occurred.

Access is denied.


C:\>PAUSE
Press any key to continue . . .

A message is also sent to the QSYSOPR message queue:

User profile SIMON disabled for IBM i Support for Windows 
Network Neighborhood access.

Which I can prompt upon to see more of the message:

Message ID . . . . : CPIB682      Severity . . . : 00
Message type . . . : Information

Message . . . . :   User profile SIMON disabled for IBM i Support 
  for Windows Network Neighborhood access.

Cause . . . . . :   User profile SIMON exceeded the maximum number
  of incorrect sign-on attempts when connecting to IBM i Support 
  for Windows Network Neighborhood (IBM i NetServer). This user 
  profile has been disabled for IBM i NetServer access.  The 
  latest failure was received from workstation ::ffff:999.99.9.99
  at IP address ::ffff:999.99.9.99.

Now I have the bad news, what do I need to do to re-enable my NetServer user id?

I have used two ways:

  1. Via Operations Navigator
  2. Using an IBM i API

 

Via Operations Navigator

I have to get to the "File Shares" which means:

I click on the plus ( + ) next to "My Connections".

Click on the plus next to the IBM i partition's name.

Click on the plus next to "File Systems".

Right click on "File Shares".

Select "Open i5/OS Net Server" (yours might be named slightly differently depending upon the version of Operations Navigator you are using).

Click on "File".

Select "Disabled User IDs".

There might be other profiles shown here.

Click on the ID, then click on the "Enable User ID" button.

My NetServer id has been re-enabled, as it is no longer displayed in this window.

 

Using an IBM i API

The issue with enabling NetServer user ids using Operations Navigator means that this can only be done by someone with a full version of Operation Navigator and the necessary security authorizations. The average user cannot do this for themselves.

I was heartened to discover that there is an IBM i API, QZLSCHSI, that can be called to do the same as I just did using Operation Navigator. IBM is even kind enough to give an example in their documentation for this API of a program to re-enable the NetServer id.

I took the example, made a few minor changes, and put my program on a menu so that any user can re-enable their NetServer id for themselves. The program is just ten lines long:

01  PGM PARM(&USER)

02  DCL VAR(&USER) TYPE(*CHAR) LEN(10)
03  DCL VAR(&RQSVAR) TYPE(*CHAR) LEN(14)
04  DCL VAR(&RQSLEN) TYPE(*INT) VALUE(14)

05  DCLPRCOPT USRPRF(*OWNER)

06  IF COND(&USER = ' ') THEN(RTVJOBA USER(&USER))

07  CHGVAR VAR(&RQSVAR) VALUE('    ' *CAT &USER)
08  CHGVAR VAR(%BINARY(&RQSVAR 1 4)) VALUE(&RQSLEN)

09  CALL PGM(QSYS/QZLSCHSI) PARM(&RQSVAR &RQSLEN +
                                 'ZLSS0200' X'00000000')

10  ENDPGM

Line 1: I may want to write another program to call this one and pass to it a user id I want to re-enable. For now the call on the menu passes a blank parameter.

Lines 2: This variable will contain the user id of the person who wants to re-enable their id.

Lines 3 and 4: These are parameters that are passed to the API when it is called.

Line 5: If the user does not have *IOSYSCFG and *JOBCTL special authority they will not be able to run the API. I need the program to adopt the authority of the program's owner, in this case the profile of who created the program object. I do this using the Declare Processing Options command, DCLPRCOPT with the USRPRF parameter of object owner.

Lines 7 and 8: I build the parameters that will be passed to the API. The first is the user id, and the second is the length of the first variable's contents.

Line 9: The API is called with four parameters:

  1. Request variable, i.e. the user id
  2. Length of request variable, as binary
  3. Format, ZLSS0200 indicates to the API that I want to re-enable the NetServer id passed in the first parameter
  4. Error code, don't care about this so I pass a value of hexadecimal zeros to the API

I have to be careful how I compile this program. If I compile use my usual programmer profile, which has neither *IOSYSCFG nor *SECADM authorities when the program is called I receive the following message:

Message ID . . . . : CPFB684     Severity . . . :  40
Message type . . . : Diagnostic

Message . . . . :   User does not have the correct authority
   for API QZLSCHSI.
Cause . . . . . :   Error occurred for reason code 2.  See 
   explanation of the reason codes below:
    1 - User does not have *IOSYSCFG authority.
    2 - User does not have *IOSYSCFG and *SECADM authority.
    3 - File system directory or output queue does not exist
  and the user does not have *IOSYSCFG authority.
    4 - File system directory or output queue does exist, 
  but the user does not have *IOSYSCFG authority or is not
  the owner of the file system directory or output queue.
Recovery  . . . :   Complete the recovery for the specified
  reason code and call the API again.

This time I compiled the program using a profile that is the same as QSECOFR. Now when I run this program it enables my NetServer id without error.

 

I did find a mention, in IBM's documentation, of an option on the NETS menu that would allow me to re-enable my NetServer id, but I was unable to find a menu called NETS on any of the IBM i I use.

 

You can learn more about this from the IBM website:

 

Other posts in this trilogy:

 

This article was written for IBM i 7.3, and should work for some earlier releases too.

3 comments:

  1. You can load the NETS menus form QUSRTOOL library. I loaded and created a command to run to menu option and allow all users to access and enable themselves.
    http://www-01.ibm.com/support/docview.wss?uid=nas8N1021773

    ReplyDelete
  2. As Dave mentioned, the NETS menu (option 12 I recall) makes it easy to re-enable the disabled users. Have given it to clients so they can do self-service. Presents them w/a simple list that they just use the option to re-enable.

    ReplyDelete
    Replies
    1. I wrote a program that when the user takes the menu option it re-enables their NetServer profile.

      Delete

To prevent "comment spam" all comments are moderated.
Learn about this website's comments policy here.

Some people have reported that they cannot post a comment using certain computers and browsers. If this is you feel free to use the Contact Form to send me the comment and I will post it for you, please include the title of the post so I know which one to post the comment to.