IBM Support

Accessing File Server via QNTC fails with CPDB053 Error code 3401

Troubleshooting


Problem

After an upgrade of OS/400, attempts to access a Windows file server fail with the error:
Message . . . . :   Error exchanging security information for user &2 on 
  network server &5. 
Technical description . . . . . . . . :   An error has been detected while the
  QNTC file system was exchanging security information with a network server. 
  The error class was 0, and the error code was 3401.                          

Symptom

Commands such as:
WRKLNK '/QNTC/<RemoteFileServer>/'
...return no shares, and DSPJOBLOG contains message CPDB053 - "Error exchanging security information for user &2 on network server &5." with error code 3401. Error code 3401 resolves to CPE3420 - "Permission Denied".
An error code of 5 ("Access denied") may also be returned in place of 3401.
The file server is rejecting the provided credentials, and a communications trace will show "STATUS_LOGON_FAILURE" being sent by the file server.

Cause

Starting with IBM i v720, QNTC is able to communicate with file servers using the SMBv2 protocol. Prior releases were limited to the SMBv1 protocol. The change to SMBv2 may cause Windows file servers to change how they authenticate Windows domain profiles.

Diagnosing The Problem

QNTC authentication failures can be found by attempting to view the remote file server shares using WRKLNK '/QNTC/RemoteServerName' and then executing DSPJOBLOG to find the error message(s).
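
The following Python script is an added example, not IBM code: it scans saved DSPJOBLOG text for CPDB053 messages, extracts the error class and error code even when the sentence wraps across lines, and reports the meaning this document gives for codes 3401 and 5. The job log layout, the user QNTCUSR, the server FILESRV01 and the message ID XXX0000 are constructed sample values.

```python
import re

# Meanings this document gives for the error code reported with CPDB053.
CODE_MEANING = {3401: 'CPE3420 "Permission Denied"', 5: '"Access denied"'}

# Assumption: each message starts with a 7-character message ID in column one.
MSG_START = re.compile(r"^([A-Z][A-Z0-9]{2}[0-9A-F]{4})\b", re.MULTILINE)
CLASS_CODE = re.compile(r"error class was (\d+), and the error code was (\d+)")

# Constructed sample (simplified layout, made-up user and server names).
SAMPLE_JOBLOG = """\
CPDB053    Diagnostic
  Message . . . . :   Error exchanging security information for user
    QNTCUSR on network server FILESRV01.
  Technical description . . . . . . . . :   An error has been detected while the
    QNTC file system was exchanging security information with a network server.
    The error class was 0, and the error
    code was 3401.
XXX0000    Diagnostic
  Message . . . . :   (constructed unrelated message)
CPDB053    Diagnostic
  Technical description . . . . . . . . :   The error class was 0, and the
    error code was 5.
"""


def find_qntc_auth_failures(joblog):
    """Return (error_class, error_code, meaning) for each CPDB053 message."""
    starts = [(m.start(), m.group(1)) for m in MSG_START.finditer(joblog)]
    results = []
    for i, (pos, msgid) in enumerate(starts):
        if msgid != "CPDB053":
            continue
        # A message runs until the next message ID or the end of the log.
        end = starts[i + 1][0] if i + 1 < len(starts) else len(joblog)
        # Collapse wrapping and padding so the sentence matches as one line.
        text = " ".join(joblog[pos:end].split())
        m = CLASS_CODE.search(text)
        if m is None:
            continue
        err_class, err_code = int(m.group(1)), int(m.group(2))
        meaning = CODE_MEANING.get(err_code, "not covered on this page")
        results.append((err_class, err_code, meaning))
    return results


if __name__ == "__main__":
    for err_class, err_code, meaning in find_qntc_auth_failures(SAMPLE_JOBLOG):
        print(f"CPDB053 class={err_class} code={err_code}: {meaning}")
```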

Resolving The Problem

When the IBM i sends credentials to the Windows file server, it includes domain information for the profile. If that domain ID does not match a valid Windows domain, the file server may reject the authentication attempt.
The domain name that is sent on the authentication attempt is determined by the domain name set in the IBM i NetServer properties.  These are configurable in the GO NETS tool (option 9) or IBM Navigator for i by expanding sections Network --> Servers --> TCP/IP. Then review the Properties for IBM i NetServer. The domain name listed on the "General" tab will be sent on the QNTC authentication attempt.
If the Windows file server is using Windows domain authentication (as opposed to local authentication), the NetServer Domain name should match the domain of the Windows user profile. Changing the NetServer domain name and restarting NetServer and the interactive IBM i session that is accessing QNTC will improve the likelihood that the file server will accept the credentials.
Another common cause of "Permission Denied" is that the Windows user password is not all lowercase. The default password level on an IBM i is 0, which causes QNTC to send an all-lowercase password on the authentication attempt. Administrators should consider changing the IBM i password level to 3. Please see related documentation below.

Document Location

Worldwide


Document Information

Modified date:
20 March 2023

UID

ibm16217393