fighting for truth, justice, and a kick-butt lotus notes experience.

 
alt

Detlev Poettgen

 

IBM Technote regarding Traveler 9.0.1.18 Feature Run As User and whats in the box in 9.0.1.19 to solve it

 10 September 2017 11:30:00
This week IBM released a new Technote, which explains the "Run as a User" feature introduced with Traveler 9.0.1.18 in detail.
Some customers reported issues after upgrading to 9.0.1.18 or later. The Technote explains how to solve this issues.

You should read the Technote BEFORE upgrading.


IBM Traveler 9.0.1.18 enabled by default a feature that allows Traveler to "Run as a User" instead of as a server. This feature resolves several long standing issues with accessing the user's data as the server ID, including:

          Preventing event notices and automated responses from being sent “from” the Traveler server ID (they are sent “from” the user ID instead)
          Preventing the server ID from being assigned as the owner of the mail profile when there is no owner defined.
          Honoring access controls on the mail file and corporate lookup for the user.

The last point above may cause sync issues for mobile users. If the access controls are inadvertently set to values that restrict individual users, but do not restrict the Traveler server, then users that could sync when running as the Traveler server ID might not be able to sync when running as their user ID.

Note that the Traveler administrator can disable the Run as User feature by setting the notes.ini value NTS_USER_SESSION=false on all Traveler servers and restarting the servers. This may be a quick way of restoring sync capability to the few affected mobile users with restrictive access control settings.
However, it is not recommended because it is a global setting, so all users will lose the benefits of Run as User when it is disabled.


Please, read the Technote!

Link to IBM Technote: How to resolve synchronization issues that start after upgrading to IBM Traveler 9.0.1.18 (or higher)


The Technote discripes a new feature in Traveler 9.0.1.19, which will help to the solve the issue I posted in an earlier Blog entry: Traveler 9.0.1.18 needs Editor access under Maximum Internet Access ACL settings

Image:IBM Technote regarding Traveler 9.0.1.18 Feature Run As User and whats in the box in 9.0.1.19 to solve it


For Traveler 9.0.1.19, this field is reflected in the 'show user' and 'dump user' output in the ACL section:

Mail File Replicas:
  [CN=Tserver/O=Torg, mail/johndoe.nsf] is reachable.
         ACL for John Doe/Torg:  Access=Manager,No access Capabilities=create,update,read,copy Missing Capabilities=delete
          ACL for Tserver/Torg:  Access=Manager Capabilities=create,update,read,delete,copy Missing Capabilities=none

Also, Traveler 9.0.1.19 counts the number of times it has read an ACL with the “Maximum Internet name and password” field set to each of its values, and prints them in the 'systemdump' output in the Statistics section:

          DCA.ACL_InternetLevel.NTS_ACL_EDITOR = 6
          DCA.ACL_InternetLevel.NTS_ACL_NOACCESS = 1

If set to No Access, and another user sends a new email to this user's Inbox, Traveler fails during prime sync.

Symptom: Console message


Traveler: SEVERE John Doe User ID CN=John Dow/O=Torg on device prime sync failed to connect to mail database mail/johndoe.nsf on server CN=Tserver/O=Torg. Either the user or the IBM Traveler server does not have sufficient rights to access this database. Exception Thrown: com.lotus.sync.caf.auth.NTSAuthException: ESM_AUTH_007

If set to Reader, and another user sends a new email to this user's Inbox, Traveler can sync the received document. If the user tries to send a new email (or a reply to the received email) from the device, that fails writing into the user's mail database.

Symptom: Console message


Traveler: SEVERE John Doe Document(null) Subject of 'Re: Dear John Doe' could not be synchronized from the device to the server mail database as ACL permissions for this user insufficient for this create operation.

Likewise, if another user sends an invitation it is synced to the device. However, if the user tries to send an accept notice from the device, that fails trying to write the accept notice into the user's mail database.

Symptom: Console message


Traveler: SEVERE John Doe Document(null) Subject of 'Tentative: Invitation: Doe reunion (Sat 09/02/2017 08:00AM, Deer Park)' could not be synchronized from the device to the server mail database as ACL permissions for this user insufficient for this create operation.

Recommended fix
: For Traveler 9.0.1.18, the user will have to modify his ACL to change the “Maximum Internet name and password” setting to a value of Editor or above.

Traveler 9.0.1.19 includes an enhancement to the Run as User feature which allows Traveler to run as the Traveler server for just those users that have the “Maximum Internet name and password” ACL field set to a value lower than Editor, in order to allow those users to sync without access errors. Thus Traveler will override the Run as User feature on a per-user basis, based solely on the “Maximum Internet name and password” setting for each user. This enhancement is enabled by a new notes.ini setting, NTS_USER_SESSION_OVERRIDE_INTERNET=true, and it is set to true by default.

Symptom: NTSActivity log entry (if the user session is being overridden):


[09/05 11:27:13.287] FINEST PS-7fc9e44e0700 Tom User1 DispatchThreadData.getNotesSessionUser#849 Overriding user session due to ACL settings


If the Run as User function is being overridden for a user, that user will lose the benefits of the Run as User function. To restore those benefits, the user will have to modify his ACL to change the “Maximum Internet name and password” setting to a value of Editor or above.

Traveler caches the user's ACL in memory, for performance reasons. If the user updates the ACL setting, the cache entry should be cleared for that user to ensure the new setting will be recognized by Traveler. The Traveler administrator can clear the user cache entry for a user by issuing Traveler command:

tell traveler clearcache user


The next time the user syncs, the cache entry will be refreshed using the ACL settings at that moment.



As already mentioned in my older post I created a small database QuickFix for Traveler , which will query the mail databases of all Traveler users and shows some consolidated database properties (Size, Quota, Template, ACL, Owner, Soft Deletions, Max. Internet Access, #Documents).
From there you can select the databases with Max. Internet access lower then Editor and it will fix it for you.

If you want to use this database, too - just drop me an Email or leave a comment with your mail address. I will send you the QuickFix for Traveler app.
Kommentare

1Fredrik Norling  18.09.2017 16:22:12  IBM Technote regarding Traveler 9.0.1.18 Feature Run As User and whats in the box in 9.0.1.19 to solve it

I've got a strange thing after installing FP18 and still after FP19.

Some users with the correct access can sync emais but not sending emails.

The server console says you are not authorized.

Anything you heard of ?

Archive