
How to resolve synchronization issues that start after upgrading to IBM Traveler 9.0.1.18 (or higher)

Flash (Alert)


Abstract

This technote describes how to resolve synchronization issues that may occur after upgrading to IBM Traveler 9.0.1.18 (or higher).

Content

IBM Traveler 9.0.1.18 enables by default a feature that allows Traveler to "Run as a User" instead of as the server. This feature resolves several long-standing issues with accessing the user's data as the server ID, including:

  • Preventing event notices and automated responses from being sent “from” the Traveler server ID (they are sent “from” the user ID instead)
  • Preventing the server ID from being assigned as the owner of the mail profile when there is no owner defined.
  • Honoring access controls on the mail file and corporate lookup for the user.

The last point above may cause sync issues for mobile users. If the access controls are inadvertently set to values that restrict individual users but do not restrict the Traveler server, then users who could sync when Traveler ran as the Traveler server ID might not be able to sync when it runs as their user ID.

Note that the Traveler administrator can disable the Run as User feature by setting the notes.ini value NTS_USER_SESSION=false on all Traveler servers and restarting the servers. This may be a quick way of restoring sync capability to the few affected mobile users with restrictive access control settings. However, it is not recommended because it is a global setting, so all users will lose the benefits of Run as User when it is disabled.

This document describes the access controls, and the symptoms seen by the Traveler administrator when the controls are set to values which restrict users' access.

Traveler 9.0.1.19 introduces enhancements to the messages, making it easier for the administrator to identify which access control is causing the sync issue. Traveler 9.0.1.19 also introduces a modification to the Run as User feature that enables users to sync even if one of the access controls is configured in a restrictive way.

Server document of the user's Mail server

Security tab, Server Access section, Trusted servers field


If the Traveler server is not in the mail server's Trusted Servers list, mobile users cannot access their mail file through the Traveler server.

Symptom: Console message like
Traveler: SEVERE John Doe Could not open the Database. Debug Data: Database 'mail/johndoe.nsf' on 'CN=Mserver/O=Torg', options=0, options2=0, PathName='CN=Mserver/O=Torg!!mail\johndoe.nsf' for user 'CN=John Doe/O=Torg'. Error(17eb)=You are not listed as a trusted server

Also, Yellow status message like:
Traveler: Yellow Status Messages
Traveler: Mail server CN=Mserver/O=Torg does not have the IBM Traveler server CN=Tserver/O=Torg in the trusted server list.

Recommended fix: Add the Traveler server to the Trusted Servers list in the Server document of the indicated mail server. NOTE: Due to replication delays, this may take up to 30 minutes to fully take effect.

Server document of the user's Traveler server

Security tab, Server Access section, Access server and Not access server

  • If 'Access server' is non-blank, only those servers and users will be allowed to access
    - All others not listed will be denied access
  • If 'Not access server' is non-blank, those servers and users will be denied access.
    - Even those that are also in the 'Access server' list

Symptom: Console message like
Traveler: SEVERE John Doe Exception while opening a notes session for CN=John Doe/O=Torg, Exception Thrown: Notes Exception(4488) : Server access denied


Recommended fix: If you have servers listed in the Access server field, check the box labeled “users listed in all trusted directories.” If individual users are listed in the Not access server field, remove them if you want to allow them to sync.

Server document of the user's Traveler server, Notes Traveler tab

IBM Notes Traveler Access section, Access server and Not access server


This is configured similarly to the Security tab, Server Access section. However, Traveler does not log console messages for these access controls because they are Traveler configuration parameters, so they are treated as expected events. To see these log entries you must be logging the user at FINE or FINEST.

Symptom: NTSActivity log entries like

[08/17 12:00:20.714] FINEST WD-7faea84f5700 John Doe[OO2BKSDG0T6IJ5QLRT5EA3QS5O] NativeAccess.lookupUser#2188 EXITING [CN=John Doe/O=Torg] [cache] [DominoDBInfo: CN=John Doe/O=Torg, InternetAddress=johndoe@Tserver.rtp.raleigh.ibm.com, Active Server={Server=CN=Tserver/O=Torg, path=mail/johndoe.nsf, displayServerName=CN=Tserver/O=Torg}, Primary Server={Server=CN=Tserver/O=Torg, path=mail/johndoe.nsf, displayServerName=null}, mailServers=[{Server=CN=Tserver/O=Torg, path=mail/johndoe.nsf, displayServerName=null}], DB Replica Id=, Mail Domain=Torg, TravelerAccessRights=deny, Has Validated DB=False, Lookup RC(36)='User denied access', ExplicitPolicy=null, ShortName List=[johndoe], FullName List=[CN=John Doe/O=Torg, John Doe, johndoe, johndoe@Tserver.rtp.raleigh.ibm.com], designFlags=null, createDate(1502985620714)=Thu Aug 17 12:00:20 EDT 2017, isSet()=true] []

[08/17 12:00:20.714] FINE WD-7faea84f5700 John Doe[OO2BKSDG0T6IJ5QLRT5EA3QS5O] WorkManager$WorkerRunnable.run#1558 Request userId CN=John Doe/O=Torg could not be normalized because lookup returned (36) User denied access. This request will be ignored as a bad request unless the action allows execution (such as some servlet pages) even when the user is invalid.

Recommended fix: If you have servers listed in the Access server field, check the box labeled “users listed in all trusted directories.” If individual users are listed in the Not access server field, remove them if you want to allow them to sync.

ACL of the user's mail file - Basics tab

File → Application → Access control...

Basics tab, Access field and Attributes


Restricts access for the Notes client as well as for iNotes and mobile/IMSMO users.
  • Access field sets a default set of Attributes, some of which can be modified by checking the boxes
  • Anything less than Editor access, or without all boxes checked, can restrict actions that the user can take on his own mail file
    - Reader can receive emails and invitations, but cannot reply or accept because Readers cannot create the response documents
    - Author can only Create documents if you check that box.

Symptom: for Access=Reader trying to send a reply email, Console message:

Traveler: SEVERE John Doe Document(null) Subject of 'Re: To reader' could not be synchronized from the device to the server mail database as ACL permissions for this user insufficient for this create operation.

Symptom: for Access=Reader trying to delete an email, Console message:

Traveler: SEVERE John Doe Exception on folder move doc=52175ACF8C8FD2548525818A006A614A sourceFolder=($Inbox) targetFolder=($SoftDeletions) Exception=NotesException: Notes error: You are not authorized to perform that operation Exception Thrown: Notes Exception(4000) : Notes error: You are not authorized to perform that operation

Symptom: for Access=No Access trying to sync a new email, Console message:

Traveler: SEVERE John Doe Database open of 'mail/johndoe.nsf' on server '' failed Exception Thrown: Notes Exception(4060) : User CN=John Doe/O=Torg cannot open database mail/johndoe.nsf

Recommended fix: If you have servers listed in the Access server field, check the box labeled “users listed in all trusted directories.” If individual users are listed in the Not access server field, remove them if you want to allow them to sync.

ACL of the user's mail file - Advanced tab

File → Application → Access control...

Advanced tab, Maximum Internet name and Password field

Restricts access for Internet users that authenticate using name and password (so iNotes users using basic auth), and all Traveler users (mobile and IMSMO) when running as user.

Default value: Editor, which is sufficient to create, delete, read and write docs in the mail database.
Other values like Reader or No Access cause exceptions reading or writing specific documents in the user's mail file.

For Traveler 9.0.1.19, this field is reflected in the 'show user' and 'dump user' output in the ACL section:
Mail File Replicas:
        [CN=Tserver/O=Torg, mail/johndoe.nsf] is reachable.
               ACL for John Doe/Torg:  Access=Manager,No access Capabilities=create,update,read,copy Missing Capabilities=delete
                ACL for Tserver/Torg:  Access=Manager Capabilities=create,update,read,delete,copy Missing Capabilities=none

Also, Traveler 9.0.1.19 counts the number of times it has read an ACL with the “Maximum Internet name and password” field set to each of its values, and prints them in the 'systemdump' output in the Statistics section:

    DCA.ACL_InternetLevel.NTS_ACL_EDITOR = 6
    DCA.ACL_InternetLevel.NTS_ACL_NOACCESS = 1

If set to No Access, and another user sends a new email to this user's Inbox, Traveler fails during prime sync.

Symptom: Console message

Traveler: SEVERE John Doe User ID CN=John Dow/O=Torg on device prime sync failed to connect to mail database mail/johndoe.nsf on server CN=Tserver/O=Torg. Either the user or the IBM Traveler server does not have sufficient rights to access this database. Exception Thrown: com.lotus.sync.caf.auth.NTSAuthException: ESM_AUTH_007

If set to Reader, and another user sends a new email to this user's Inbox, Traveler can sync the received document. If the user tries to send a new email (or a reply to the received email) from the device, that fails writing into the user's mail database.

Symptom: Console message

Traveler: SEVERE John Doe Document(null) Subject of 'Re: Dear John Doe' could not be synchronized from the device to the server mail database as ACL permissions for this user insufficient for this create operation.

Likewise, if another user sends an invitation it is synced to the device. However, if the user tries to send an accept notice from the device, that fails trying to write the accept notice into the user's mail database.

Symptom: Console message

Traveler: SEVERE John Doe Document(null) Subject of 'Tentative: Invitation: Doe reunion (Sat 09/02/2017 08:00AM, Deer Park)' could not be synchronized from the device to the server mail database as ACL permissions for this user insufficient for this create operation.

Recommended fix: For Traveler 9.0.1.18, the user will have to modify his ACL to change the “Maximum Internet name and password” setting to a value of Editor or above.

Traveler 9.0.1.19 includes an enhancement to the Run as User feature which allows Traveler to run as the Traveler server for just those users that have the “Maximum Internet name and password” ACL field set to a value lower than Editor, in order to allow those users to sync without access errors. Thus Traveler will override the Run as User feature on a per-user basis, based solely on the “Maximum Internet name and password” setting for each user. This enhancement is enabled by a new notes.ini setting, NTS_USER_SESSION_OVERRIDE_INTERNET=true, and it is set to true by default.

Symptom: NTSActivity log entry (if the user session is being overridden):

[09/05 11:27:13.287] FINEST PS-7fc9e44e0700 Tom User1 DispatchThreadData.getNotesSessionUser#849 Overriding user session due to ACL settings

If the Run as User function is being overridden for a user, that user will lose the benefits of the Run as User function. To restore those benefits, the user will have to modify his ACL to change the “Maximum Internet name and password” setting to a value of Editor or above.
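The console and NTSActivity messages quoted in the sections above each point at one specific access control. The following script is an added example (not IBM code) that triages a block of Traveler log text by those message texts, groups the hits per user, and names the fix from this technote for each category. The sample log lines are constructed for the example, and the user-name extraction assumes two-token display names in console messages and the "Name[session]" layout in NTSActivity lines; both are assumptions, not guarantees of the Traveler log format.

```python
"""Triage IBM Traveler log lines by the access control that produced them.

Added example for this technote (not IBM code). The patterns are keyed on the
console and NTSActivity message texts quoted in the technote; the sample log
lines are constructed for the example.
"""
import re
from collections import Counter

# (category, pattern over the message text, recommended fix from the technote)
RULES = [
    ("Mail server: Trusted servers list",
     r"not listed as a trusted server|in the trusted server list",
     "Add the Traveler server to Trusted servers in the mail server's Server document"),
    ("Traveler server: Security tab, Access/Not access server",
     r"Notes Exception\(4488\) : Server access denied",
     "Check 'users listed in all trusted directories'; remove users from Not access server"),
    ("Traveler server: Notes Traveler tab, Access/Not access server",
     r"\(36\)[=' ]*User denied access|TravelerAccessRights=deny",
     "Same fix as the Security tab, applied to the IBM Notes Traveler Access section"),
    ("Mail file ACL: insufficient access to create",
     r"ACL permissions for this user insufficient for this create operation",
     "Raise the user's ACL access (and 'Maximum Internet name and password') to Editor or above"),
    ("Mail file ACL: not authorized for operation",
     r"Notes Exception\(4000\) : Notes error: You are not authorized",
     "Raise ACL access to Editor or check the missing attribute boxes"),
    ("Mail file ACL: No Access",
     r"Notes Exception\(4060\) : User .* cannot open database",
     "Grant the user access to the mail file (Editor or above recommended)"),
    ("Mail file ACL: Maximum Internet = No Access (prime sync)",
     r"NTSAuthException: ESM_AUTH_007",
     "Set 'Maximum Internet name and password' to Editor or above, then 'tell traveler clearcache user'"),
    ("Run as User overridden for this user (9.0.1.19)",
     r"Overriding user session due to ACL settings",
     "Informational; raise 'Maximum Internet name and password' to Editor to restore Run as User"),
]
COMPILED = [(cat, re.compile(rx), fix) for cat, rx, fix in RULES]
FIX_FOR = {cat: fix for cat, _, fix in RULES}

# Assumed layouts (not a Traveler guarantee):
#   console:      "Traveler: SEVERE <First Last> <message>"
#   NTSActivity:  "[MM/DD hh:mm:ss.mmm] LEVEL THREAD <Name>[<session>] ..."
CONSOLE_USER = re.compile(r"^Traveler: SEVERE (\S+ \S+) ")
ACTIVITY_USER = re.compile(r"^\[\d\d/\d\d [\d:.]+\] \w+ \S+ (.+?)\[")


def classify_line(line):
    """Return (category, recommended_fix) for a known access-control message, else None."""
    for cat, rx, fix in COMPILED:
        if rx.search(line):
            return cat, fix
    return None


def user_of(line):
    """Best-effort display name of the affected user, or None if not recognisable."""
    for rx in (CONSOLE_USER, ACTIVITY_USER):
        m = rx.match(line)
        if m:
            return m.group(1)
    return None


def triage(log_text):
    """Return ({user: set(categories)}, Counter(category)) for a block of log text."""
    per_user = {}
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit is None:
            continue  # unrelated console chatter
        counts[hit[0]] += 1
        per_user.setdefault(user_of(line) or "<unknown>", set()).add(hit[0])
    return per_user, counts


# Constructed sample, modelled on the messages quoted in this technote.
SAMPLE_LOG = """\
Traveler: SEVERE John Doe Could not open the Database. Debug Data: Database 'mail/johndoe.nsf' on 'CN=Mserver/O=Torg' for user 'CN=John Doe/O=Torg'. Error(17eb)=You are not listed as a trusted server
Traveler: Mail server CN=Mserver/O=Torg does not have the IBM Traveler server CN=Tserver/O=Torg in the trusted server list.
Traveler: SEVERE Jane Roe Exception while opening a notes session for CN=Jane Roe/O=Torg, Exception Thrown: Notes Exception(4488) : Server access denied
[08/17 12:00:20.714] FINE WD-7faea84f5700 Jane Roe[OO2BKSDG0T6IJ5QLRT5EA3QS5O] WorkManager$WorkerRunnable.run#1558 Request userId CN=Jane Roe/O=Torg could not be normalized because lookup returned (36) User denied access.
Traveler: SEVERE John Doe Document(null) Subject of 'Re: To reader' could not be synchronized from the device to the server mail database as ACL permissions for this user insufficient for this create operation.
Traveler: SEVERE John Doe User ID CN=John Doe/O=Torg on device prime sync failed to connect to mail database mail/johndoe.nsf on server CN=Tserver/O=Torg. Exception Thrown: com.lotus.sync.caf.auth.NTSAuthException: ESM_AUTH_007
Traveler: Yellow Status Messages
"""

if __name__ == "__main__":
    users, totals = triage(SAMPLE_LOG)
    for user, cats in sorted(users.items()):
        print(user)
        for cat in sorted(cats):
            print("  -", cat, "->", FIX_FOR[cat])
    print("totals:", dict(totals))
```

Feed it the console log or an NTSActivity file (for example `triage(open(path).read())`); the per-user grouping is what makes it quick to see that a single user hitting both "Server access denied" and "User denied access" has the same name on both the Security tab and the Notes Traveler tab lists.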

Traveler caches the user's ACL in memory, for performance reasons. If the user updates the ACL setting, the cache entry should be cleared for that user to ensure the new setting will be recognized by Traveler. The Traveler administrator can clear the user cache entry for a user by issuing Traveler command:

tell traveler clearcache user <username>

The next time the user syncs, the cache entry will be refreshed using the ACL settings at that moment.
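Since Traveler 9.0.1.19 surfaces the “Maximum Internet name and password” level in the 'show user' / 'dump user' ACL section and in the systemdump counters, an administrator can check those outputs for users who will be overridden (and so lose the Run as User benefits) before anyone reports a problem. The script below is an added example (not IBM code) that parses both outputs, flags users whose effective level is below Editor, and prints the clearcache command from this technote for each. It assumes the comma-separated Access value lists the Notes access level first and the internet level second (an assumption drawn from the quoted output); the sample outputs are constructed for the example.

```python
"""Check Traveler 'show user' / 'dump user' ACL lines and systemdump counters.

Added example for this technote (not IBM code). Assumption: in
"Access=Manager,No access" the second value is the 'Maximum Internet name and
password' level; the samples are constructed for the example.
"""
import re

# Standard Domino ACL levels, lowest to highest.
LEVELS = ["No access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {lvl.lower(): i for i, lvl in enumerate(LEVELS)}
EDITOR = RANK["editor"]  # the technote's "sufficient" level

ACL_LINE = re.compile(
    r"ACL for (?P<name>[^:]+):\s+Access=(?P<access>.+?)\s+Capabilities=(?P<caps>\S+)"
    r"\s+Missing Capabilities=(?P<missing>\S+)")
COUNTER_LINE = re.compile(r"DCA\.ACL_InternetLevel\.(?P<level>\w+)\s*=\s*(?P<n>\d+)")


def effective_rank(access_field):
    """Lowest rank among the comma-separated levels, e.g. 'Manager,No access' -> 0."""
    return min(RANK[part.strip().lower()] for part in access_field.split(","))


def parse_acl_lines(text):
    """One dict per 'ACL for ...' line, with a below_editor flag for the effective level."""
    out = []
    for m in ACL_LINE.finditer(text):
        rank = effective_rank(m["access"])
        out.append({
            "name": m["name"].strip(),
            "access": m["access"],
            "effective": LEVELS[rank],
            "missing": [] if m["missing"] == "none" else m["missing"].split(","),
            "below_editor": rank < EDITOR,
        })
    return out


def parse_internet_counters(text):
    """{NTS_ACL_*: count} from the systemdump Statistics section."""
    return {m["level"]: int(m["n"]) for m in COUNTER_LINE.finditer(text)}


def remediation(entries):
    """For each flagged entry, the ACL change and the cache command from the technote."""
    steps = []
    for e in entries:
        if e["below_editor"]:
            steps.append(
                f"{e['name']}: effective internet access is {e['effective']}; raise "
                f"'Maximum Internet name and password' to Editor or above, then run: "
                f"tell traveler clearcache user {e['name']}")
    return steps


# Constructed samples, modelled on the 'show user' and systemdump output quoted above.
SHOW_USER_SAMPLE = """\
Mail File Replicas:
        [CN=Tserver/O=Torg, mail/johndoe.nsf] is reachable.
               ACL for John Doe/Torg:  Access=Manager,No access Capabilities=create,update,read,copy Missing Capabilities=delete
                ACL for Tserver/Torg:  Access=Manager Capabilities=create,update,read,delete,copy Missing Capabilities=none
"""
SYSTEMDUMP_SAMPLE = """\
    DCA.ACL_InternetLevel.NTS_ACL_EDITOR = 6
    DCA.ACL_InternetLevel.NTS_ACL_NOACCESS = 1
"""

if __name__ == "__main__":
    entries = parse_acl_lines(SHOW_USER_SAMPLE)
    for e in entries:
        print(e["name"], "->", e["effective"], "(missing:", ",".join(e["missing"]) or "none", ")")
    for step in remediation(entries):
        print("FIX:", step)
    counters = parse_internet_counters(SYSTEMDUMP_SAMPLE)
    print("ACLs read with internet level below Editor:",
          sum(n for lvl, n in counters.items() if lvl != "NTS_ACL_EDITOR"))
```

The systemdump counters are a fleet-wide signal: a non-zero NTS_ACL_NOACCESS (or Reader) count tells you that some users are being overridden even if nobody has complained yet, and 'dump user' then identifies which ones.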

Related information

IBM Domino setup considerations

Document information

More support for: IBM Traveler
Synchronization

Software version: 9.0.1

Operating system(s): IBM i, Linux, Windows

Reference #: 2005703

Modified date: 08 September 2017

