Setting password fails with windows client

[dkastens]

Hi,
Server 8.1.17.0 on Linux
Client 8.1.17.0/8.1.20.0 on Windows 11

I'm not able to change my client node password using the windows client. I open the menu "Utilities > Change password", enter the current password and the new one twice. An error window pops up: "Authentication failure". After the third attempt the error window shows the message "ANS5844E Unable to update password".
The server logs the following error: "ANR0424W Session 250642 for node MY_CLIENT (1.2.3.4(58077)) refused - invalid password submitted."
I tried this with different windows clients, because one of our users told me, that he was unable to change his password.
Using the command line client dsmc, it is no problem to change the password:

Protect> set password Please enter password for user id "MY_CLIENT": ************** Please enter a new password:******** Enter new password for verification:******** Password updated.

Do you have any idea what could be wrong?
Dirk

 

[LED888]

I am suspecting that the encrypted PWD file is corrupted.
Via the SP Client directory (C:\Program Files\Tivoli\TSM\baclient) issue: dsmc q fi
If we are prompted for an ID and PWD.
Then the encrypted pwd files are corrupted.
To fix the issue.

In the hidden directory C:\ProgramData\Tivoli\TSM\baclient there are three files -

TSM.KDB - The file that stores the encrypted passwords.

TSM.sth - The file that stores the random encryption key that is used to encrypt passwords in the TSM.KDB file. This file is protected by the file system. This file is needed for automated operations.

TSM.IDX - An index file that is used to track the passwords in the TSM.KDB file.

Rename the above three files to .OLD

On the SP Server command line issue: update node node_name new_pwd

Then on the SP B/A Client directory (C:\Program Files\Tivoli\TSM\baclient) issue: dsmc q fi
We should be prompted for an ID and PWD.
Once this information have been enter, we should see file space information.
The SP B/A Client should generate a fresh set of encrypted files.
Exit, and then reissue dsmc q fi.
The second time, we should not be prompted for an ID and PWD.

The encrypted files that were marked .OLD can be deleted.

Good Luck,
Sias

 

[dkastens]

Hi Sias,
thanks for the reply, but this doesn't help.
I made a fresh installation of the SP client on my windows 11 laptop. The password update didn't work from the beginning. The command "dsmc q fi" didn't ask for a password.
Nevertheless, I renamed the three files, entered the password again, so that the files have been recreated. But the password update is still not working.

Dirk

 

[LED888]

I made a fresh installation of the SP client on my windows 11 laptop.

So this is a fresh installation and the SP Client have not communicated with the SP Server.

The command "dsmc q fi" didn't ask for a password.

If we were not prompted for an ID and PWD.
Do we see file space information?

Is the SP B/A Client pointing to the correct SP Server?
In the dsm.opt file what do we have for the parameter TCPSERVERADDRESS?

On the SP Server, is the node name registered?

Please post the contents of the dsm.opt file.

But the password update is still not working.

How are we updating the password?
Are we updating the password on the SP Server?
Or are we issuing "set password" via the SP Client command line?

What are the messages in the dsmerror.log when we try to get the client to authenticate with the server?

What are the messages in the SP Server activity log when we try to get the node to authenticate with the SP Server? q act begindate=today begintim=hh:mm endtime=hh:mm


At this point, I would update the password for the node on the SP Server and locally encrypt the password on the node. Once we get the node to authenticate with the server, then later on can use the "set password" via the SP Client.


Good Luck,
Sias

 

[dkastens]

Hi Sias,
thank you, so far. I'm the admin of our TSM installation for 25 years, now. When one of our users told me, that he was not able to change the password on his new windows client, I tried it with my workstation client and couldn't change it, neither. Then I installed an registered a new client on my laptop and couldn't change the password using the gui of the windows client, neither. So I think there must be a general problem. Using the "set password" command on the windows client works.
The server always logs the message from my first post: "ANR0424W Session 250642 for node MY_CLIENT (1.2.3.4(58077)) refused - invalid password submitted." The client establishes an ssl session with the server, but when I enter the old password in the change password dialogue, it is not being accepted.
I will try to completely delete my windows client from the server and laptop and try to install erverything from scratch. Maybe there is a problem with the german language environment or with the SSL configuration.

 

[Trident]

Hi,

My 2c,

upd node XXXXX newpassword sessionsec=trans

That tends to work for me

Good luck,

 

[dkastens]

Good point, but doesn't work.
I reinstalled my client, but the problem persists. After setting the sessionsecurity option to "transitional", it changes to "strict", as soon as the client starts a new session. The password works, but when I want to change the password using the gui, the same problem occurs:


The server logs the message:
ANR0424W Session 258831 for node MYCLIENT (1.2.3.4(52601)) refused - invalid password submitted. (SESSION: 258831)
Using the command line client dsmc, changing the password works.

I'm puzzled ...

 

[Trident]

Hi,

Looks like a pmr to me.

For fun, to a dsm.exe -traceflag=service and compare with dsmc.exe -traceflag=service

I guess you need to 'scroll down' a bit to where the passwords are read/written to see what the difference is.

Rgds,

 

[dkastens]

I just opened a support case with IBM

 

[dkastens]

It's a known bug that will be fixed in client version 8.1.21.

IT42959: CHANGING PASSWORD DOES NOT WORK THROUGH THE BA GUI WHEN SERVER IS AT 8.1.15 OR LATER

When the backup-archive client communicates with a server at 8.1.15 or later, changing the password via the GUI does not work

www.ibm.com