a. Domain names must match
The domain name configured in iSeries Navigator must match the DNS domain name of the machine.
If it does not, the client gets an error like: "the specified target is not known or inaccessible" (with TCP/IP error code -14).
Here is how to check it:
Step 1: to find out what the real domain name is, open a command prompt on the client machine, enter "nslookup", then type the name of the iSeries, as follows:
Default Server: domain_controller.domain-name.com
Address: 194.206.160.4
> my_iseries
Server: domain_controller.domain-name.com
Address: 194.206.160.4
Name: my_iseries.domain-name.com
Address: 194.206.160.112
The "Server"/"Default Server" lines identify the DNS server that answered; the "Name" line is the answer. So here the correct domain name is domain-name.com, and the fully qualified name of the iSeries is my_iseries.domain-name.com.
Step 2: check that exported keytab contains the correct domain name.
To do this, open iSeries Navigator, go to "Security", then "Network Authentication Service". Right-click and select "Manage keytab". Click the "Details" button.
You should see a line with:
Principal Type: i5/OS
Principal Name: krbsvr400/my_iseries.domain-name.com@DOMAIN-NAME.COM
Where DOMAIN-NAME.COM is your i5/OS realm.
If this is not correct, you need to modify the configuration and re-export the keytab, or you need to fix your DNS so that the domain names match. Note that Kerberos compares the host part of the principal exactly, so a short host name or a different domain suffix in the keytab will not be accepted.
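The two checks above can be done by hand, but when several iSeries machines have to be verified it is easy to miss a mismatch. The following script is an added example, not part of this page or of the product: it parses nslookup output like the one in step 1 and compares it with the principal name shown in step 2 (the sample nslookup text and the principal are constructed to match the example above; the service name krbsvr400 and the Active Directory convention that the realm is the DNS domain in upper case are assumptions).

```python
import re

# Constructed sample of the nslookup session from step 1 (not a real host).
NSLOOKUP_OUTPUT = """\
Default Server:  domain_controller.domain-name.com
Address:  194.206.160.4

> my_iseries
Server:  domain_controller.domain-name.com
Address:  194.206.160.4

Name:    my_iseries.domain-name.com
Address:  194.206.160.112
"""

# Constructed sample of the keytab principal from step 2.
KEYTAB_PRINCIPAL = "krbsvr400/my_iseries.domain-name.com@DOMAIN-NAME.COM"


def fqdn_from_nslookup(output: str) -> str:
    """Return the fully qualified name that nslookup resolved for the host.

    nslookup prints the answer as 'Name: host.domain'. The 'Default Server'
    and 'Server' lines name the DNS server, not the host, so they are skipped.
    """
    for line in output.splitlines():
        m = re.match(r"^\s*Name\s*:\s*(\S+)\s*$", line)
        if m:
            return m.group(1).rstrip(".").lower()
    raise ValueError("no 'Name:' answer in nslookup output (lookup failed?)")


def parse_principal(principal: str):
    """Split a Kerberos service principal 'service/host@REALM' into its parts."""
    m = re.match(r"^([^/@]+)/([^/@]+)@([^/@]+)$", principal)
    if not m:
        raise ValueError(f"not a service principal: {principal!r}")
    return m.group(1), m.group(2), m.group(3)


def check_keytab_matches_dns(principal: str, nslookup_output: str,
                             service: str = "krbsvr400") -> list:
    """Return the list of mismatches; an empty list means the keytab agrees with DNS."""
    problems = []
    fqdn = fqdn_from_nslookup(nslookup_output)
    svc, host, realm = parse_principal(principal)

    if svc != service:
        problems.append(f"service is {svc!r}, expected {service!r}")
    # The host part is compared exactly by the KDC, so a short name or a
    # different suffix in the keytab will produce the 'target not known' error.
    if host.lower() != fqdn:
        problems.append(f"principal host {host!r} != DNS name {fqdn!r}")
    # Realms are case-sensitive; Active Directory realms are always upper case.
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper case")
    # Assumption (AD convention): the realm is the DNS domain in upper case.
    domain = fqdn.split(".", 1)[1] if "." in fqdn else ""
    if realm.lower() != domain:
        problems.append(f"realm {realm!r} does not match DNS domain {domain!r}")
    return problems


if __name__ == "__main__":
    for p in (KEYTAB_PRINCIPAL, "krbsvr400/my_iseries@DOMAIN-NAME.COM"):
        found = check_keytab_matches_dns(p, NSLOOKUP_OUTPUT)
        print(p, "->", "OK" if not found else "; ".join(found))
```

Paste the real nslookup output and the principal shown by "Manage keytab" into the two constants, or feed them from files; any line printed after the principal is a reason the Kerberos connection will fail before it even reaches the keytab.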
b. DES encryption must be enabled on the domain controller accounts created from the keytab.
If it is not, you will get the error "Encryption or checksum type is not supported."
To enable it, log on to the domain controller and open Active Directory Users and Computers. Select "Users" and open the user named:
my_iseries_1_krbsvr400
(There can also be others:
my_iseries_2_krbsvr400, ...)
In the properties of that user, open the "Account" tab and, under the account options, check "Use DES encryption types for this account".
Note that DES is a weak cipher and recent versions of Windows disable it by default; enable it only for these service accounts, and only when the i5/OS side cannot be configured for a stronger encryption type.
c. Error on connect: "Not authorized to access key table".
The keytab file must be readable by the i5/OS user profile under which EASYCOMD runs, typically QTCP.
First find the location of the keytab file. In iSeries Navigator, go to "Security", then "Network Authentication Service". Right-click and select "Manage keytab", then follow the wizard to its last step (you can cancel at the end if you have already run the wizard). The keytab file path is shown in that window.
The typical location is:
/QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab
To grant read access to QTCP, run the following command:
CHGAUT OBJ('/QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab') USER(QTCP) DTAAUT(*R)
Grant only read authority (*R), and only to the profile that needs it: the keytab contains the long-term key of the service, and any profile that can read it can impersonate the iSeries to Kerberos clients. Do not give *PUBLIC access to the file.
d. The clocks of all machines must be synchronized.
If you get errors like "ticket not yet valid" or "ticket is expired", the cause is most likely a clock that is out of sync: Kerberos rejects tickets when the clocks of the client, the KDC (domain controller) and the server differ by more than the permitted skew, which is 5 minutes by default.
Check the QTIMZON and QTIME system values using WRKSYSVAL. Also check the clock and time zone of the domain controller and of the end-user machines; a wrong time zone with a correct local time still produces a skew of several hours in UTC.
See also