Re: Omvs/tcpip question
- From: bwf2@xxxxxxxxxxxx (Brian France)
- Date: 1 Feb 2006 10:44:09 -0800
We had this happen when we MOVED to, I think, z/OS 1.3 from (sorry, I forget which release). We're an ACF2 shop and the change I needed to make was to set up a default uid and gid. Then, FTP was okay for the "masses".
At 12:40 PM 2/1/2006, you wrote:
Hi.
I have a strange one. z/OS 1.4 on a Multiprise 3000 H50 box. Last night I got a call from operations that an FTP job blew on the 390 trying to FTP to a wintel server with a "connection refused" error. In trying to diagnose the problem I had the operator try a ping to the same machine and then to a couple others. Each time, they received this error: "EZZ3115I Unable to open RAW socket: EDC5139I Operation not permitted." I logged on and was able to ping and ftp all I wanted without any errors. What I discovered was that I have an OMVS segment in RACF giving me UID 0 access and the IDs the operators are using have no OMVS segment at all. Giving them UID 0 in newly-created OMVS segments allowed them to now run ping and FTP. I made NO changes to RACF yet these things worked 1 day and not the next. This is consistent across all 3 LPARs on our machine. The only thing that I can see that changed was one of my network associates started working on building pools into a pair of F5 load balancers to allow me to load balance telnet and ftp traffic across both of the BusTech appliances we front-end the MP3000 with.
Now my questions:
What could have caused working FTP and PING to suddenly break due to security violations - with no changes to RACF?
I don't relish the thought of giving operations UID 0. How do I give them access to FTP and PING without it? I saw something that I need to put oping into the IKJTSOxx member of PARMLIB to allow the ping command to work. That may be so, but it doesn't help batch FTP work. What do I need to change in RACF to allow these commands to work by mere mortals (i.e. non-root)? Or at least point me to the doc that will tell me.
I have the network guy removing the F5 configuration changes he had to see if that makes a difference, but since he didn't even activate any of it I can't see how this could have done it.
Any suggestions - even bizarre ones - will be considered.
TIA
Rex
---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to listserv@xxxxxxxxxxx with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Brian W. France Systems Administrator (Mainframe) Pennsylvania State University Administrative Information Services - Infrastructure/Sysarc Rm 25 Shields Bldg., University Park, Pa. 16802 814-863-4739 bwf2@xxxxxxx