In order to step up to a higher level of security, I suggested a customer to start using encryption on File Shares on IBM i. Currently for IBM i SMBv3 with encryption, is the highest level you can go to. For more details I suggest you have a look at this article: smbv3-support-in-ibm-i-7-4. Since we call the Navigator shown in that article, the Heritage Navigator for i and are now talking about the New Navigator for i, which is available since September 2021. In this article when mentioning the Navigator for i (Nav4i) I am talking only about the new one.
Well, back to the drawing board. In order to test SMBv3 with encryption, it is always the best to create a test share. When doing so, you can directly activate “Encryption” as shown below:
After testing this share with someone from the IT department, they kindly asked to be added to the M3 share currently available, so they could do some testing before and after the activation of encryption.
It is there where the trouble began, as the directory was linked to an authority list, the user was added by copying the authority settings from another user. Soon after the customer discovered that was not sufficient to access the share, so we came into play. Knowing the value of Authority Collection, started an SQL script as shown below:
Soon we discovered that to the user *Execute rights were not given, which is needed when in order to search the directory, when connecting the share.
In order to examine the Authority Collection results I already mentioned that a SQL script was used and the SQL statement:
select * from QSYS2.AUTHORITY_COLLECTIOn where AUTHORIZATION_NAME=’DBEKKER’and
path_name=’/M3BE/env/M3BE_15.1_PRD/transfer’ order by CHECK_TIMESTAMP desc;
Which resulted in this:
When using Nav4i, I did hover over the user DBEKKER and it is there where I did notice the option to use Authority collection:
When looking at the results of the option “Authorization failures” I did get the following result:
So the lesson I learned from this is, the next time I need to have a look at a specific authority problems, I will start with using Nav4i.
In order to give you a quick impression of the other options, here they are:
Leave a Reply