APAR status
Closed as canceled.
Error description
5655HAL00 R380 R50A R10 R120 R140 z/OS TCPIP FTPD CLIENT SERVER DAEMON MVS TCP/IP S/390 FTPSERVE FTPSERV TCPIPINFO **************************************************************** Info apar for common FTP problems --------------------------------- This info apar addresses the most common problems, configuration issues, and recommended maintenance for the FTP application on the z/OS and OS/390 operating systems. Recommendations / Configuration ================================================================ R1. It is recommended the FTP server started procedure be named 'FTPD' or something similar with LESS THAN EIGHT CHARACTER NAME. When the server is started, it will spawn a listening daemon with the proc name and a '1' appended to the end (ie. FTPD1) ** R2. SYSLOGD should be running and properly configured to capture FTP server trace records. See II12021 for our SYSLOGD HOWTO. * NOTE: If syslogd is not running, all FTPD trace output will go to the MVS console. This is NOT recommended as the console will get flooded. R3. FTP is a UNIX application, so the resolver follows the Unix search order. See II13452 if FTP is failing to resolve hostnames. R4. When applying maintenance to the FTP client or server, both the load modules and the aliases need to be copied over. For the client, FTP and EZAFTPLC need to be copied over. For the ftp server, FTPDNS and EZAFTPLS must be copied over. And for the daemon, FTPD and EZAFTPLD. If not performed properly, unpredictable resultes may occur, including abends. R5. When invoking FTP via shell script or MVS batch job, and encountering "Permission Denied" message such as " 530 PASS command failed - __passwd() error ", ensure that userid/password are correctly authorized, and that the word PASS is not included as part of the command. Example, use the following syntax: USER userid password === OR === USER userid /* Note: Do not use the password /* PASS subcommand here Common Problems / Solutions ================================================================ P1. The following three problems can be caused by any of the reasons as Described in A1.1 - A1.7 P1.1. 530 Pass Command Failed 530 - A load was done from an uncontrolled library P1.2. 530 Pass command failed: passwd() failed EDC5157I Internal error P1.3. ICH420I messages indicating a program was loaded causing the environment to be uncontrolled. A1.1. The sticky bit must be turned on for both /usr/sbin/ftpd and /usr/sbin/ftpdns. You can verify the sticky bit is on by executing the following command: ls -l /usr/lpp/tcpip/sbin/ftp* The output will look similar to: -rwxr-xr-t 17 OMVS ... Jan 27 1998 /usr/lpp/tcpip/sbin/ftpd -rwxr-xr-t 17 OMVS ... Jan 27 1998 /usr/lpp/tcpip/sbin/ftpdns / \ STICKY BIT The "t" in the permission bits indicates the sticky bit is set. Use the follow command to set the sticky bit if the "t" is not present: chmod o+t /usr/lpp/tcpip/sbin/ftp* A1.2. Copies of ftpd, ftpdns, and the LE libraries (such as SCEERUN) must reside in authorized dataset(s) in the linklist. A1.3. In order for the FTPD cataloged procedure to get control with superuser and daemon authority, you must add an entry to the started procedures tables in RACF (ichrin03) DC cl8'ftpd' procedure name DC cl8'ftpd' procedure name DC cl8'ftpd' userid DC cl8' ' DC xl1'40' trusted user DC xl7'00' reserved See also II11805 and II10548 A1.4. Authorize userids to the system with an OMVS segment (i.e OMVS default segment) A1.5. Directories in the path to the FTP executable must be set to 755. A1.6. Ensure that you are running the libraries that came with your release i.e. LE/370 or C runtime. A1.7. Ensure that the following libraries are defined as program controlled (see Program Control section under UNIX System Services security considerations in Chapter 2 of the IP Configuration Guide): - C/C++ run-time libraries - Language Environment libraries - SYS1.LINKLIB - SYS1.SIEALNKE A1.8. For z/OS 1.2 and above, ACCESSERRORMSGS TRUE or DEBUG ACC can be coded in FTP.DATA to generate more error information for failed PASS commands. P2. GDG transfers failing A2. A model DCBDSN must exist. in the FTP.DATA file as DCBDSN=model. To use a DCBDSN model to create a data set, do the following: 1. Issue the following command: SITE DCBDSN=data_set_name where data_set_name is the name of the data set to be used as a model to set the values of the: logical record length (LRecl), block size (BLKsize), retention period (RETpd), and the record format (RECfm) of a new data set. 2. Issue the following command to enable the LRecl, BLKSIze, and RECfm of the model to be used: SITE LRECL BLKSIZE RETPD RECFM 3. Issue the following command to create the new data set with the values specified by the DCBDSN model: PUT data_set_name where data_set_name is the name of the new data set. P3. 530 PASS command failed - getpwnam() error : USERNAME A3. Set up a superuser FTPD userid: Ensure you have defined a HOME directory ( / ) and then: ADDUSER FTPD OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) and permit it to BPX.DAEMON facility if necessary: PERMIT BPX.DAEMON CLASS(FACILITY) ID(FTPD) ACCESS(READ) P4. FTP listens on multiple stacks when stack affinity is desire. A4. Use ENVAR to ensure the server binds to the correct stack //FTPD PROC MODULE='FTPD',PARMS='TRACE' //FTPD EXEC PGM=&MODULE,REGION=7M,TIME=NOLIMIT, // PARM=('POSIX(ON) ALL31(ON)', // 'ENVAR("_BPXK_SETIBMOPT_TRANSPORT=xxxxxxxx")', // '/&PARMS') //* where 'xxxxxxxx' is the stack name for affinity P5. ICH408I USER(aaaaaa) GROUP(bbb) NAME(ccccc) /usr/sbin/ftpdns CL(DIRSRCH) FID(dddddddddd) INSUFFICIENT AUTHORITY TO LOOKUP ACCESS INTENT(---X) ACCESS ALLOWED(GROUP ---) A5. The key being CL(DIRSRCH) - meaning that RACF was trying to do a directory search and the user was not allowed. CAUSE: Either root ( / ) or one of the subdirectories does not have permission bits 755. Verify with ls -ld / (for root). The output should look like: drwxr-xr-x .... This should be the setting for each subdirectory as well as root. Issue 'chmod 755 /' (for root) to add the correct permission bits. P6. Receiving EZA2562W with reason code 536 when attempting to transfer/allocate a file to a tape dataset. A6. Make sure AUTOTAPEMOUNT=TRUE is specified in the CLIENT FTP.DATA file. P7. Top Secret or ACF2 users applying PQ63326. A7. A new resource profile must be defined to the SERVAUTH facility class to allow users to access the HFS: (EZB.FTP.sysname.ftpdaemonname.ACCESS.HFS) P8. FTPD fails on startup with: EZYFT12E socket error : EDC5111I Permission denied. -or- EZYFT13E bind error : EDC5111I Permission denied. A8. This is caused by having SERVAUTH active and ACF/2 not having EZB.STACKACCESS.sysname.tcpname defined. The ACF2 R10 compatibility fixes add the SERVAUTH Class to the Class Profiles that respond to SAF Calls as being active. So once the R10 compatibility service is installed on ACF2 6.3 (the only release supported on R10), the SERVAUTH Class is active (as far as TCP/IP is concerned) and the Installation MUST create the various EZB.xxxxx Profiles in the SER Resource Type (which ACF2 maps SERVAUTH to). The existance of the SERVAUTH Class mapping would have no impact on previous releases, as no one was using them. P9. FTP Server Hangs A9. This problem is non-recoverable. It is suggested that you perform the normal termination procedures as per your operating environment (i.e. purge,cancel,force). The documentation needed to identify the problem is a dump of the ftpd server, tcpip, and omvs address space along with the dataspace for omvs. The syntax for the dump command is: DUMP COMM=(FTP Server Hung) R XX,JOBNAME=(tcpprocname,ftpprocname1,OMVS),DSPNAME=('OMVS'.*), SDATA=(CSA,RGN,TRT,SUM,ALLNUC),END Here is an example for the Reply XX above assuming the tcprocname is TCPIP and the ftpprocname is FTPD. R 00,JOBNAME=(TCPIP,FTPD1,OMVS),DSPNAME=('OMVS'.*), SDATA=(CSA,RGN,TRT,SUM,ALLNUC),END P10. FTP Fails when BPX.POE class is active (V1R5 and above) A10. This is caused by not having the proper FTP definitions when the SERVAUTH CLASS is activated. When activated, - NETACCESS profile must be defined for each network security zone. - Authorize FTPD to NETACCESS profiles for read access from which any client may login. - Authorize FTP login users to NETACCESS profiles for read access from which they may login. - Add a PORTOFENTRY4 SERVAUTH statement to FTP.DATA if IPV4 clients are to be migrated to SERVAUTH - Define datasets which are to have limited access by Port of Entry. Refer to z/OS Comm. Server IP Configuration Guide for additional information. ================================================================ Recommended APARS: PQ38878 PQ37932 PQ42648 PQ43077 PQ44816 PQ45544 PQ46171 PQ48702 PQ46754 PQ54076 PQ54420 PQ51154 PQ54913 PQ54213 PQ57930 PQ50648 PQ53694 PQ58521 PQ58008 PQ65597 PQ72957 PQ66743 PQ61119 PK02231 ================================================================ ADDITIONAL FTP INFORMATIONAL APARS - II13516 FTP CLIENT AND SERVER TLS SUPPORT - II12925 DOCUMENTATION AND DEBUGGING FTP ================================================================ - To the customer: if you have suggestions to improve this informational APAR, please submit a problem record to TCPIP level 2 using component ID 5655HAl00. WE APPRECIATE YOUR SUGGESTIONS. NOTE: For z/OS Commserver hints and tips go to: http://www.ibm.com/software/network/commserver/support/
Local fix
Problem summary
Problem conclusion
Temporary fix
Comments
INFOPALIB
APAR Information
APAR number
II12079
Reported component name
PA LIB INFO ITE
Reported component ID
INFOPALIB
Reported release
001
Status
CLOSED CAN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
1999-10-13
Closed date
1999-10-14
Last modified date
2009-05-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19N","label":"APARs - OS\/390 environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"001","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG32M","label":"APARs - VSE\/ESA environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"001","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"001","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":null,"label":null},"Product":{"code":"SG19O","label":"APARs - MVS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"001","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSSN3L","label":"z\/OS Communications Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"001","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG27M","label":"APARs - z\/VM environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"001","Edition":"","Line of Business":{"code":"LOB16","label":"Mainframe HW"}}]
Document Information
Modified date:
26 May 2009