IBM Support

ID and Password Considerations for QNTC File System

Product Documentation


Abstract

This document describes the properties and settings that affect QNTC encrypted password authentication.

Content

The IBM i QNTC file system is a CIFS (Common Internet File System), also known as SMB (Server Message Block), client.  QNTC can be used to connect to remote CIFS/SMB servers such as the Microsoft Windows file sharing feature.
The ID and password that are sent to the remote file server are the user profile and password of the job that is accessing the QNTC file system.  In this document, the term 'credentials' refers to a user ID and its encrypted (hashed) password.  For information about using single sign-on (Kerberos) with QNTC, see the link in 'Related Information'.  Using IBM i credentials to access a remote system has several implications that need to be examined.  This discussion assumes a Windows system as the remote file server.
A Windows ID might be a domain account that is part of your Active Directory domain, or it might be a local account created and stored on that individual Windows system.  To use a domain account, the domain name specified in the IBM i NetServer configuration must match the NetBIOS (pre-Windows 2000) name of your Active Directory domain.  The IBM i NetServer domain name is limited to 15 characters, so your Windows domain name cannot be longer than 15 characters if you want to use Windows domain accounts.  If the IBM i NetServer domain name does not match your Active Directory domain, the Windows ID has to be created as a local account on the file server.
Another major consideration is the case of the password, and several settings determine how this works.  All Windows passwords are case-sensitive, and all modern password hashing mechanisms are also case-sensitive.  On IBM i, the QPWDLVL system value determines whether IBM i passwords are case-sensitive.  Because a change to the password level takes effect only after an IPL, the system value setting might not match what the system is presently using; to see the password level currently in effect, use the DSPSECA command.  If your system is at password level 0 or 1, IBM i treats passwords in a case-insensitive manner: when you sign on to an emulation session, you can enter your password in any combination of uppercase and lowercase letters and it makes no difference.  But for QNTC, your IBM i password is hashed in lowercase, so the Windows password must not contain any uppercase letters.  If the password level is 2 or 3, passwords on IBM i are case-sensitive and must be an exact, case-sensitive match with the Windows password.
Another wrinkle in this scenario is an obsolete and insecure password hashing mechanism called LAN Manager (more commonly referred to as LANMAN).  LANMAN is case-insensitive, so when it is in use the passwords simply have to contain the same characters on Windows and IBM i.  However, LANMAN is not supported by newer versions of the SMB protocol.  Starting at 7.2 (with PTFs) and 7.3 (base code level), QNTC uses SMB2 by default, so it can no longer use LANMAN (1).  This change might cause QNTC connections that worked at older releases to fail after an upgrade.  The SMB version used by QNTC can be controlled with the environment variable QIBM_ZLC_SMB_VERS; setting it to a value of 1 (for example, ADDENVVAR ENVVAR(QIBM_ZLC_SMB_VERS) VALUE(1) LEVEL(*SYS)) causes QNTC to revert to SMB1.  Keep in mind that SMB1 is itself deprecated by Microsoft and is frequently disabled on current Windows servers; aligning the passwords with the rules above, or using Kerberos, is the preferred fix rather than downgrading the protocol.  The password level also determines whether LANMAN can be used from IBM i at all.  The even-numbered password levels, 0 and 2, cause the system to save a LANMAN hash of the user's password (the value sent to the remote server) whenever the user sets or changes their password.  The odd-numbered password levels, 1 and 3, do not create a LANMAN hash, so the system cannot use LANMAN with QNTC regardless of the SMB version in use.
Finally, the user profile being used on IBM i must be enabled.  You cannot use QNTC with a disabled user profile, because the password cannot be retrieved from that profile to generate the password hash.
1.  The QIBM_ZLC_SMB_VERS environment variable can be used to force QNTC to use a specific version of SMB.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB08","label":"Cognitive Systems"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.3.0"}]

Document Information

Modified date:
16 June 2021

UID

ibm10878112