Hi Gary,
Yes you're correct, the old account still fails with the expired error when using wlcftap/wsettap to verify. The new account does not fail.
However, regardless of what account is set (good/bad/null) the errors are still generated in the oservlog.
thanks, Lisa
-----Original Message-----
From: Gary Hamilton [mailto:HAMILGAR-ygUJEDcBm8rQT0dZR+***@public.gmane.org]
Sent: 19 February 2004 12:49
To: tme10-***@public.gmane.org
Subject: RE: [tme10] wlcftap: The user's account has expired.
Please note that we have made a few changes in 4.1.1 (hence the change in
the TivoliAP version number in the wsettap/wlcftap command).
The access to the AD is now using ADSI API, which means that we can now
access the AD in the context of a specific user, instead of doing an
anonymous login to AD. This means that in 4.1.1, you don't have to
implement the DSACL command option to allow your Tivoli users to be
accessed by anonymous, or add Everyone to the "Pre-Windows 2000 Compatible
group".
Instead, you can create a TRAA account and this account will be used to
access AD. If TRAA is not set, then we revert to using anonymous to access
AD, which means you must have one of the previous options implemented for
it to work.
We're still trying to understand what is happening in Lisa's case.
The new account seems to be working, but the old one still fails as before.
Is that correct?
Gary R. Hamilton
Senior Software Engineer
IBM Software Group - Tivoli Software (UK)
Global Response Team - Europe/Middle East/Africa
(GRT - EMEA)
+44(0)1753-780-988
mobile: +44(0)780-820-3714
e-mail:hamilgar-ygUJEDcBm8rQT0dZR+***@public.gmane.org
____________________________________________
AskTivoli - http://www-3.ibm.com/software/sysmgmt/products/support/
Web PMR submission - http://www-3.ibm.com/software/support/probsub.html
"Mead, Lisa"
<Lisa.Mead-***@public.gmane.org>
Sent by: owner-tme10-gDVLAvcG/***@public.gmane.org
19/02/2004 12:11
Please respond to tme10
To: <***@lists.us.ibm.com>
cc:
Subject: RE: [tme10] wlcftap: The user's account has expired.
I'm wondering if the problem lies with the version of TivoliAP.dll as our
wlcftap returns
1
19
1
Wed Nov 19 20:05:41 2003
(null)\(null)
Primary Domain Controller
thanks for your post though, I'm awaiting an update from IBM Support on the
PMR.
-----Original Message-----
From: Wolinski, Pablo [mailto:pabloaw-***@public.gmane.org]
Sent: 19 February 2004 12:02
To: tme10-***@public.gmane.org
Subject: RE: [tme10] wlcftap: The user's account has expired.
Hello!
Yes I do leave it at null. TRAA is not set in any of our Managed Nodes
or TMR Server or Endpoints. AFAIK you don't need it set unless you are
accessing any remote filesystem shares or printers, etc.
The output of wsettap in the TMR is as follows:
bash$ wsettap
1
17
1
Mon Jul 7 14:15:29 2003
(null)\(null)
Primary Domain Controller
On the other nodes the output is similar to that.
BTW, as Gary said in a previous post, we don't even need to reboot the
box for the oserv to work, 'cause TivoliAP.dll was already hooked in the
OS.
Hope it helps!
Pablito.
-----Original Message-----
From: Mead, Lisa [mailto:Lisa.Mead-***@public.gmane.org]
Sent: Thursday, February 19, 2004 8:32 AM
To: tme10-***@public.gmane.org
Subject: RE: [tme10] wlcftap: The user's account has expired.
Hi Pablito,
Thank you for the post, I have run through the instructions that worked
for you, but unfortunately the problem still occurs in the oservlog on
this ADC. Out of interest, did you leave the TRAA as Null ?
thank you :-)
-----Original Message-----
From: Wolinski, Pablo [mailto:pabloaw-***@public.gmane.org]
Sent: 19 February 2004 11:13
To: tme10-***@public.gmane.org
Subject: RE: [tme10] wlcftap: The user's account has expired.
Hello Lisa,
FW4.1 FP2 - Win2K
We have a similar problem here, the account DOMAIN\tmersrvd was disabled
erroneously and after enabling it the oserv on the only AD Domain
Controller managed node was giving us the same error as yours.
We solved the problem using the solution provided in
Tivoli/Software/Support # 1158412 titled "Oserv hang - error in
oservlog: tap_get_sid_logon_token failed for user xxx"
Just set tap to null (wsettap -ar "") and start oserv after enabling
DOMAIN\tmersrvd and verifying that the account has the permissions
required (Logon Locally and Bypass Traverse Checking) in the "Domain
Controller Security Policy". Be careful not to change erroneously the
"Domain Security Policy" or no user but tmersrvd will be able to log on!
The oserv? It just works nicely since then...
Good luck!
Pablito.
-----Original Message-----
From: Mead, Lisa [mailto:Lisa.Mead-***@public.gmane.org]
Sent: Thursday, February 19, 2004 5:20 AM
To: tme10-***@public.gmane.org
Subject: RE: [tme10] wlcftap: The user's account has expired.
Hi Gary,
I followed your instructions and here are the results:
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>wlcftap -ar "swdist"
Password for swdist:
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>wlcftap
wlcftap: The user's account has expired.
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>wlcftap -P
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>wlcftap
wlcftap: The user's account has expired.
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>net stop oserv
The Tivoli Object Dispatcher service is stopping.
The Tivoli Object Dispatcher service was stopped successfully.
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>net start oserv
The Tivoli Object Dispatcher service is starting.
The Tivoli Object Dispatcher service was started successfully.
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>wlcftap
wlcftap: The user's account has expired.
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>e:
E:\Tivoli\db\fr05wadc001.db>tail oservlog
2004/02/19 09:04:15 -01: tap_get_sid_logon_token failed for user EU\Administrator, The user's account has expired.
2004/02/19 09:04:15 -01: @fork failed (errno 2)
2004/02/19 09:04:15 -01: tap_get_sid_logon_token failed for user EU\Administrator, The user's account has expired.
2004/02/19 09:04:15 -01: @fork failed (errno 2)
2004/02/19 09:04:15 -01: run_method, wsa_close_shared_socket_ex failed, error: The parameter is incorrect.
2004/02/19 09:04:15 -01: run_method, wsa_close_shared_socket_ex failed, error: The parameter is incorrect.
So I thought I'd set it back to the good account:
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>wlcftap -ar ""
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>wlcftap -ar "tivtest1"
Password for tivtest1:
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>wlcftap
1
19
1
Wed Nov 19 20:05:41 2003
EU\tivtest1
Primary Domain Controller
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>net stop oserv
The Tivoli Object Dispatcher service is stopping.
The Tivoli Object Dispatcher service was stopped successfully.
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>net start oserv
The Tivoli Object Dispatcher service is starting.
The Tivoli Object Dispatcher service was started successfully.
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>e:
E:\Tivoli\db\fr05wadc001.db>tail oservlog
2004/02/19 09:07:34 -01: tap_get_sid_logon_token failed for user EU\Administrator, The user's account has expired.
2004/02/19 09:07:34 -01: @fork failed (errno 2)
2004/02/19 09:07:34 -01: tap_get_sid_logon_token failed for user EU\Administrator, The user's account has expired.
2004/02/19 09:07:34 -01: @fork failed (errno 2)
2004/02/19 09:07:34 -01: run_method, wsa_close_shared_socket_ex failed, error: The parameter is incorrect.
2004/02/19 09:07:34 -01: run_method, wsa_close_shared_socket_ex failed, error: The parameter is incorrect.
The errors still occur in the oservlog regardless of good or bad TRAA
:-(
lisa
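An added example, not part of the original messages and not Tivoli tooling: a Python sketch that splits a run-together oservlog paste like the one above into entries, counts tap_get_sid_logon_token failures per account, and compares them with the account line wlcftap prints. The sample text is constructed from output quoted in this thread, and all function names are hypothetical.

```python
import re
from collections import Counter

# An oservlog entry starts "YYYY/MM/DD HH:MM:SS -NN:". Pasted through a console
# and a mail client, several entries often end up run together and re-wrapped.
ENTRY_START = re.compile(r"(?=\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:)")
ENTRY = re.compile(r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [+-]\d{2}: (.*)")
TAP_FAIL = re.compile(r"tap_get_sid_logon_token failed for user (\S+), (.+)")
ACCOUNT_LINE = re.compile(r"\S+\\\S+")

# Constructed sample, assembled from the output quoted in this thread.
SAMPLE_OSERVLOG = r"""2004/02/18 14:42:58 -01: tap_get_sid_logon_token failed for user
EU\Administrator, The user's account has expired. 2004/02/18 14:42:58
-01: @fork failed (errno 9) 2004/02/18 14:42:58 -01: run_method,
wsa_close_shared_socket_ex failed,
error: The parameter is incorrect."""
SAMPLE_WLCFTAP = r"""1
19
1
Wed Nov 19 20:05:41 2003
EU\tivtest1
Primary Domain Controller"""


def split_entries(text):
    """Return (timestamp, message) pairs, one per entry, ignoring line wraps."""
    flat = " ".join(text.split())  # undo console/mail re-wrapping
    entries = []
    for chunk in ENTRY_START.split(flat):
        m = ENTRY.match(chunk.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def tap_failures(entries):
    """Count logon-token failures per (account, reason)."""
    hits = Counter()
    for _, message in entries:
        m = TAP_FAIL.search(message)
        if m:
            hits[(m.group(1), m.group(2))] += 1
    return hits


def traa_account(wlcftap_output):
    """Return the DOMAIN\\user line wlcftap prints, or None if unset/unreadable."""
    for line in wlcftap_output.splitlines():
        line = line.strip()
        if ACCOUNT_LINE.fullmatch(line) and line != r"(null)\(null)":
            return line
    return None


def failing_non_traa(failures, traa):
    """Accounts with token failures that are not the configured TRAA account."""
    traa_key = (traa or "").casefold()
    return sorted({user for user, _ in failures if user.casefold() != traa_key})


if __name__ == "__main__":
    fails = tap_failures(split_entries(SAMPLE_OSERVLOG))
    print(fails, failing_non_traa(fails, traa_account(SAMPLE_WLCFTAP)))
```

On the sample, the account named in the failures is EU\Administrator while wlcftap reports EU\tivtest1, which matches the observation in the thread that the logged errors do not change with the account set via -r.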
-----Original Message-----
From: Gary Hamilton [mailto:HAMILGAR-ygUJEDcBm8rQT0dZR+***@public.gmane.org]
Sent: 18 February 2004 17:19
To: tme10-***@public.gmane.org
Subject: RE: [tme10] wlcftap: The user's account has expired.
Lisa,
can you try the following:
1. With the bad account set as the TRAA account, run wlcftap/wsettap -P
   to authenticate using the Primary Domain Controller and no reboot.
2. Run wlcftap with no option again.
So you have execute wlcftap/wsettap -r "bad account". Stop the
oserv/lcfd process and restart it. And then try the steps above.
Gary R. Hamilton
Senior Software Engineer
IBM Software Group - Tivoli Software (UK)
Global Response Team - Europe/Middle East/Africa
(GRT - EMEA)
+44(0)1753-780-988
mobile: +44(0)780-820-3714
e-mail:hamilgar-ygUJEDcBm8rQT0dZR+***@public.gmane.org
____________________________________________
AskTivoli - http://www-3.ibm.com/software/sysmgmt/products/support/
Web PMR submission - http://www-3.ibm.com/software/support/probsub.html
"Mead, Lisa"
<Lisa.Mead-***@public.gmane.org>
Sent by: owner-tme10-gDVLAvcG/***@public.gmane.org
18/02/2004 15:44
Please respond to tme10
To: <tme10-***@public.gmane.org>
cc:
Subject: RE: [tme10] wlcftap: The user's account has expired.
Hi Gary,
Here's the results:
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>wlcftap
wlcftap: The user's account has expired.
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>wlcftap -r "tivtest1"
Password for tivtest1:
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>wlcftap
1
19
1
Wed Nov 19 20:05:41 2003
EU\tivtest1
Any Domain Controller
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>wlcftap -r ""
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>wlcftap
1
19
1
Wed Nov 19 20:05:41 2003
(null)\(null)
Any Domain Controller
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>
-----Original Message-----
From: Gary Hamilton [mailto:HAMILGAR-ygUJEDcBm8rQT0dZR+***@public.gmane.org]
Sent: 18 February 2004 15:33
To: tme10-***@public.gmane.org
Subject: RE: [tme10] wlcftap: The user's account has expired.
Lisa,
can you try the following on a machine that is still using the old
"expired" account
1. Set the TRAA account using wsettap/wlcftap -r "user_account"
2. Run wsettap/wlcftap with no option and please send me the output.
If this fails, remove the TRAA account using wsettap/wlcftap -r " " and send me
the output of wsettap/wlcftap with no option.
Also, you don't need to reboot the machine unless you are
activating/de-activating tap with the -a/-d options. All you have to do
is stop and restart the relevant process, oserv/lcfd.
Gary R. Hamilton
Senior Software Engineer
IBM Software Group - Tivoli Software (UK)
Global Response Team - Europe/Middle East/Africa
(GRT - EMEA)
+44(0)1753-780-988
mobile: +44(0)780-820-3714
e-mail:hamilgar-ygUJEDcBm8rQT0dZR+***@public.gmane.org
____________________________________________
AskTivoli - http://www-3.ibm.com/software/sysmgmt/products/support/
Web PMR submission - http://www-3.ibm.com/software/support/probsub.html
"Mead, Lisa"
<Lisa.Mead-***@public.gmane.org>
Sent by: owner-tme10-gDVLAvcG/***@public.gmane.org
18/02/2004 15:12
Please respond to tme10
To: <tme10-***@public.gmane.org>
cc:
Subject: RE: [tme10] wlcftap: The user's account has expired.
btw - I raised a PMR with IBM a few days ago regarding this problem, and
I've just raised its priority, so hopefully we can get to the bottom of
it - I will post any findings.
-----Original Message-----
From: Mead, Lisa [mailto:Lisa.Mead-***@public.gmane.org]
Sent: 18 February 2004 13:45
To: tme10-***@public.gmane.org
Subject: RE: [tme10] wlcftap: The user's account has expired.
Hi Gary,
The 'no mapping between account names' error was due to a replication
delay. Once the new account had replicated, I was able to set the tap
account without error, e.g., no more 'expired' errors. Which is great,
thank you. However, do you know why using a new account works but not
an existing one?
Also, we are still seeing the following errors in the oservlog, but
perhaps I need to raise a separate thread/pmr...
2004/02/18 14:42:58 -01: tap_get_sid_logon_token failed for user EU\Administrator, The user's account has expired.
2004/02/18 14:42:58 -01: @fork failed (errno 9)
2004/02/18 14:42:58 -01: run_method, wsa_close_shared_socket_ex failed, error: The parameter is incorrect.
-----Original Message-----
From: Mead, Lisa [mailto:Lisa.Mead-***@public.gmane.org]
Sent: 18 February 2004 11:49
To: tme10-***@public.gmane.org
Subject: RE: [tme10] wlcftap: The user's account has expired.
Hi Gary,
Thanks for your mail :-)
The team that installed the server tell me it's brand new, not upgraded.
So I created a new domain account and have tried to set the tap to this
new account, but get the following:
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt>echo tivtest|wlcftap.exe -a
-B -k -r tivtest1
wlcftap.exe: No mapping between account names and security IDs was
done.
When I use the new domain account in the tap on another (non ADC)
machine it sets no problem.
I'm sure I've seen this error before and it's W2K related, so I'm off to
have a word with the W2K team...... in the meantime if you know what
this means, please shout !!
-----Original Message-----
From: Gary Hamilton [mailto:HAMILGAR-ygUJEDcBm8rQT0dZR+***@public.gmane.org]
Sent: 18 February 2004 10:13
To: tme10-***@public.gmane.org
Subject: Re: [tme10] wlcftap: The user's account has expired.
By any chance were your DCs upgraded from NT, or were they new AD
installations?
Have you tried creating a new domain account and trying that for the
wlcftap account?
Gary R. Hamilton
Senior Software Engineer
IBM Software Group - Tivoli Software (UK)
Global Response Team - Europe/Middle East/Africa
(GRT - EMEA)
+44(0)1753-780-988
mobile: +44(0)780-820-3714
e-mail:hamilgar-ygUJEDcBm8rQT0dZR+***@public.gmane.org
____________________________________________
AskTivoli - http://www-3.ibm.com/software/sysmgmt/products/support/
Web PMR submission - http://www-3.ibm.com/software/support/probsub.html
"Mead, Lisa"
<Lisa.Mead-***@public.gmane.org>
Sent by: owner-tme10-gDVLAvcG/***@public.gmane.org
18/02/2004 08:49
Please respond to tme10
To: "Tme10 \(E-mail\)" <tme10-***@public.gmane.org>
cc:
Subject: [tme10] wlcftap: The user's account has expired.
Hi list,
(Windows 2000 running Framework 4.1.1 patch 0004)
I was wondering if anyone has seen the following:
Since our upgrade from fw371-411 one of our Managed Nodes says "wlcftap:
The user's account has expired." error when trying to set the tap
account. And in the oservlog log we see :
2004/02/18 09:39:02 -01: tap_get_sid_logon_token failed for user EU\Administrator, The user's account has expired.
2004/02/18 09:39:02 -01: @fork failed (errno 9)
2004/02/18 09:39:02 -01: run_method, wsa_close_shared_socket_ex failed, error: The parameter is incorrect.
To try to resolve we set the tap account to another domain account, but
when we verified the tap status using wlcftap, it said the user's account
has expired, however, we chose to reboot, but it did not fix the
problem.
So we set the tap account to Null, rebooted, set the tap account to a
valid domain account, verified the tap and it said the account has
expired.
Wondered if anyone has seen this situation before?
As this is a DC there are no local accounts, but I have verified that
the tmersrvd account on the domain has the correct local user rights
(bypass traverse checking, log on locally etc)
____________________________________________________________
CONFIDENTIALITY
This e-mail and any attachments are confidential and also may be
privileged. If you are not the named recipient, or have otherwise
received this communication in error, please delete it from your inbox,
notify the sender immediately, and do not disclose its contents to any
other person, use them for any purpose, or store or copy them in any
medium. Thank you for your cooperation.
____________________________________________________________