We are able to use Co:Launcher to copy data sets from a z/OS 1.13 system to a Windows 2012 Server's local drive, however we receive a Permission Denied error when attempting to copy the data sets using a UNC path:
Sample job:
//RUNCOZPW EXEC PROC=COZPROC,ARGS='-LT,t COZUSER@CYGWIN64'
//RMFDAT DD DSN=PSYS.CPSTOOLS.RMFDAT,DISP=SHR
//SMFDAT DD DSN=PSYS.CPSTOOLS.SMFDAT,DISP=SHR
//COZCFG DD *
ssh-options=-vvv
//STDIN DD *
fromdsn //DD:RMFDAT > //share/zBNA/rmfdat.edf
fromdsn //DD:SMFDAT > //share/zBNA/smfdat.dat
/*
CoZAgent: COZUSER@cygwin64 target program '/bin/bash' PID: 1620
CoZAgent: completed with RC=1
-/bin/bash: line 1: //share/zBNA/rmfdat.edf: Permission denied
-/bin/bash: line 2: //share/zBNA/smfdat.dat: Permission denied
Our Windows Administrator has indicated that COZUSER has the proper permissions to write to the folder. We are also able to write to the folder from the Cygwin bash shell with the COZUSER user.
Is is possible to copy the data sets using a UNC path?
Thank you.
Co:Z Launcher Permission Denied error with UNC Paths
Re: Co:Z Launcher Permission Denied error with UNC Paths
When you run the CO:Z Launcher to a Windows server, your script (STDIN) is being run in the CYGWIN shell (by default this is usually "bash")
Consider the offending command:
fromdsn //DD:RMFDAT > //share/zBNS/rmfdat.edf
This runs the fromdsn command and then the shell (bash) redirects (>) stdout to the file.
So, you should get the same error if you did this:
echo "abc" > //share/zBNS/rmfdat.edf
Can you do this "echo" command when logged in directly to COZUSER on the machine?
If so, then the problem could be that your SSHD server is not actually giving the SSH process the right user credentials (account).
To verify, please login to the Windows server using some ssh client (like PuTTY) with the COZUSER id. In the bash shell running under ssh, try the above echo command.
It should fail with the same permission problem. This would prove that the issue is that SSH is not (completely) assigning the correct credentials. Try to figure out while it is running what account it is using.
Perhaps your setup for the Windows sshd server's authentication/login needs to be adjusted so that the correct account is being used?
Consider the offending command:
fromdsn //DD:RMFDAT > //share/zBNS/rmfdat.edf
This runs the fromdsn command and then the shell (bash) redirects (>) stdout to the file.
So, you should get the same error if you did this:
echo "abc" > //share/zBNS/rmfdat.edf
Can you do this "echo" command when logged in directly to COZUSER on the machine?
If so, then the problem could be that your SSHD server is not actually giving the SSH process the right user credentials (account).
To verify, please login to the Windows server using some ssh client (like PuTTY) with the COZUSER id. In the bash shell running under ssh, try the above echo command.
It should fail with the same permission problem. This would prove that the issue is that SSH is not (completely) assigning the correct credentials. Try to figure out while it is running what account it is using.
Perhaps your setup for the Windows sshd server's authentication/login needs to be adjusted so that the correct account is being used?
Re: Co:Z Launcher Permission Denied error with UNC Paths
You are correct, we received the same error with:
echo 'abc' > //share/zBNA/rmfdat.edf
I signed on to the Windows 2012 server with the COZUSER user id where CYGWIN is installed. I entered the echo command from a DOS command prompt and it worked fine. It also worked from the Cygwin Terminal.
I was also able to successfully issue the fromdsn command from the CYGWIN terminal:
fromdsn -ssh zkdl@dns //PSYS.CPSTOOLS.RMFDAT > //share/zBNA/rmfdat.edf
It appears the permissions are set correctly, however the Co:Launcher batch job fails with the Permission Denied error.
Thank you for your help.
echo 'abc' > //share/zBNA/rmfdat.edf
I signed on to the Windows 2012 server with the COZUSER user id where CYGWIN is installed. I entered the echo command from a DOS command prompt and it worked fine. It also worked from the Cygwin Terminal.
I was also able to successfully issue the fromdsn command from the CYGWIN terminal:
fromdsn -ssh zkdl@dns //PSYS.CPSTOOLS.RMFDAT > //share/zBNA/rmfdat.edf
It appears the permissions are set correctly, however the Co:Launcher batch job fails with the Permission Denied error.
Thank you for your help.
Re: Co:Z Launcher Permission Denied error with UNC Paths
Did you login with an interactive ssh session to try the "echo" redirection to the file?
If this fails, then the problem is that your Windows sshd server is not assigning the correct Windows user account to COZUSER when logging in over ssh.
It is not a problem with Co:Z Launcher, which simply uses ssh to login to the Windows server.
If this fails, then the problem is that your Windows sshd server is not assigning the correct Windows user account to COZUSER when logging in over ssh.
It is not a problem with Co:Z Launcher, which simply uses ssh to login to the Windows server.
Re: Co:Z Launcher Permission Denied error with UNC Paths
I spoke to our Windows Administrator and you are correct.
The Cygwin SSHD service on the Windows 2012 server is being started with a local account, which does not have permissions to the shares.
We are in the process of changing the user that starts the service, which resulted in another failure. We are going to go back through the Cygwin installation and set-up, making sure the privledged user defined during the installation is a domain user.
Thank you for your help.
The Cygwin SSHD service on the Windows 2012 server is being started with a local account, which does not have permissions to the shares.
We are in the process of changing the user that starts the service, which resulted in another failure. We are going to go back through the Cygwin installation and set-up, making sure the privledged user defined during the installation is a domain user.
Thank you for your help.
Re: Co:Z Launcher Permission Denied error with UNC Paths
It took some trial and error to get Cygwin set up with a Windows Domain user so that I could specify the UNC paths.
Not sure if this is the best way to get the Domain User to work, but here is a condensed version of the steps I took.
Username to be used defined to the domain.
After installing Cygwin and prior to running ssh-host-config.
mkpasswd -l > /etc/passwd
mkpasswd -u USERNAME -D DOMAINNAME -S '&' >> /etc/passwd
mkgroup -l > /etc/group
mkgroup -D -S '&' >> /etc/group
I had trouble trying to use '\' and '_' as seperators, thus the reason for specifying &.
When running ssh-host-config when asked to use a different name than cyg_server, I specified the User and Domain name added to the passwd member: DOMAINNAME&USERNAME
This resulted in warning messages that a Priviledged account was specified, but it did not have the necessary privileges. An Error in getSID also occurred after enter the user password.
Prior to being able to start sshd, used the Local Security Settings window (Security Settings/Local Policies/User Rights Assignement) added the Domain Account to:
- Adjust memory quotas for a process.
- Create a token object.
- Log on as a service.
- Replace a process-level token.
Executed the following:
chown 'DOMAINNAME&USERNAME' /var/log/sshd.log
chown -R 'DOMAINNAME&USERNAME' /var/empty
chown 'DOMAINNAME&USERNAME' /etc/ssh*
chmod 755 /var/empty
chmod 644 /var/log/sshd.log
sshd service was then able to start.
Using Putty to access required putting the full name within quotes (i.e. 'DOMAINNAME&USERNAME'@CYGWINSRV), however did not need to specify the quotes within the Batch Launcher arguements (i.e. ARGS='-LI DOMAINNAME&USERNAME@CYGWINSRV').
Not sure if this is the best way to get the Domain User to work, but here is a condensed version of the steps I took.
Username to be used defined to the domain.
After installing Cygwin and prior to running ssh-host-config.
mkpasswd -l > /etc/passwd
mkpasswd -u USERNAME -D DOMAINNAME -S '&' >> /etc/passwd
mkgroup -l > /etc/group
mkgroup -D -S '&' >> /etc/group
I had trouble trying to use '\' and '_' as seperators, thus the reason for specifying &.
When running ssh-host-config when asked to use a different name than cyg_server, I specified the User and Domain name added to the passwd member: DOMAINNAME&USERNAME
This resulted in warning messages that a Priviledged account was specified, but it did not have the necessary privileges. An Error in getSID also occurred after enter the user password.
Prior to being able to start sshd, used the Local Security Settings window (Security Settings/Local Policies/User Rights Assignement) added the Domain Account to:
- Adjust memory quotas for a process.
- Create a token object.
- Log on as a service.
- Replace a process-level token.
Executed the following:
chown 'DOMAINNAME&USERNAME' /var/log/sshd.log
chown -R 'DOMAINNAME&USERNAME' /var/empty
chown 'DOMAINNAME&USERNAME' /etc/ssh*
chmod 755 /var/empty
chmod 644 /var/log/sshd.log
sshd service was then able to start.
Using Putty to access required putting the full name within quotes (i.e. 'DOMAINNAME&USERNAME'@CYGWINSRV), however did not need to specify the quotes within the Batch Launcher arguements (i.e. ARGS='-LI DOMAINNAME&USERNAME@CYGWINSRV').
Re: Co:Z Launcher Permission Denied error with UNC Paths
Thanks for posting your solution. I think that setting up OpenSSH under cygwin is covered in the cygwin docs, but it is pretty complicated and these tips will probably help someone else.