NOVELL TECHNICAL INFORMATION DOCUMENT

TITLE:  Trustee.nlm v 1.10.6
TID #:  2971887
README FOR:  trust110f.exe

SUPERSEDES:
trust110e.exe

NOVELL PRODUCTS and VERSIONS:
NetWare 6.5
NetWare 5.1
NetWare 4.2

ABSTRACT:

This is a Public Release of the TRUSTEE.NLM.
The program was tested on NetWare 4.x, 5.x and 6.x servers.

-----------------------------------------------------------------
DISCLAIMER
THE ORIGIN OF THIS INFORMATION MAY BE INTERNAL OR EXTERNAL TO 
NOVELL.  NOVELL MAKES ALL REASONABLE EFFORTS TO VERIFY THIS 
INFORMATION.  HOWEVER, THE INFORMATION PROVIDED IN THIS DOCUMENT 
IS FOR YOUR INFORMATION ONLY.  NOVELL MAKES NO EXPLICIT OR IMPLIED 
CLAIMS TO THE VALIDITY OF THIS INFORMATION.
-----------------------------------------------------------------


INSTALLATION INSTRUCTIONS:

Copy TRUSTEE.NLM to the SYS:\SYSTEM directory of the NetWare server on which
this NLM is to be loaded.

ISSUE: 

Changes in v1.10.6:

  - Enhanced command line parameter checking and syntax help
  - Bug fix around IRM handling: volume names without a terminating colon
    caused "Skipped incomplete entries, /R basePath might be missing" failures
    during restore
  - Virtual volumes (_ADMIN and NSS_ADMIN) automatically excluded from scanning
    while listing excess or effective file system rights
  - System files and directories automatically excluded from restore:
      sys:\cdrom$$.rom
      <anyvol>:\deleted.sav
      <anyvol>:\~DFSINFO.8-P
      <anyvol>:\backout.tts
      <anyvol>:\VOL$LOG.ERR
      <anyvol>:\TTS$LOG.ERR
      <anyvol>:\VOLDATA.TDF
      <anyvol>:\_swap_.mem
      <anyvol>:\uxaction.log
      <anyvol>:\Network Trash Folder

Changes in v1.10.5:

  - Bug fix: Trustee restore failed on Japanese NetWare
  - Reviewed the code and made the necessary changes to support DBCS characters
    in path
  - Ability to save and restore using relative path
  - Ability to remove user and volume level quotas

Changes in v1.10.4:

  - A few minor performance changes

Changes in v1.10c:

  - Modified ScanExcessNDSRights() to report W right to ACL for every object,
    not only NCP Server objects
  - Removed leading dot from user name when authenticating, to prevent -610
    errors
  - We no longer call RingTheBell because of user complaints
  - -601 errors are reported as a Warning instead of an Error in every case
  - Meaningful messages written for the error codes reported so far

Changes in v1.10a:
  - Bug fix: /V caused path to be written twice to the output file
  - Bug fix: restoring user quota failed for volume names ending with a colon
  - Exclude volumes NSS_ADMIN and _ADMIN when performing SAVE ALL

Changes in v1.10:

  - Handling of additional file system properties: attributes, owner, user
    quota, directory quota
  - Ability to process files or directories only
  - Verbose mode made optional to free up sys:\trustee.log for system and
    status messages
  - Ability to include all files and directories to the output file, even in
    case of empty or default settings
    (makes it easier to change the settings doing a search & replace)

Changes in 1.05a:

  - Correctly handles volume root directory in all cases



Usage:


- LOAD TRUSTEE [options] SAVE (ALL | <path>) <outputFile>
  Saves all file system properties into a CSV file starting from the given
  path (or, using the ALL parameter, all the directories and files on the
  volume).
  Use options to include selected properties only, or to process files
  or directories separately (see the Option explanation below).


  Example:
  LOAD TRUSTEE SAVE ALL VOL1:\Home\Admin\Trustee.txt
    Save all properties from all local volumes to the specified file
  LOAD TRUSTEE /EDI SAVE VOL1:\Programs VOL1:\Home\Admin\Trustee.txt
    Save all directory quotas and IRMs starting at the given path
  LOAD TRUSTEE /ETO /R SAVE DATA:\Home DATA:\Trustee.txt
    Save all trustees and owners starting at the given path, storing relative
    path


- LOAD TRUSTEE [options] RESTORE <inputFile>
  Restores file system properties from the CSV file created by the previous
  function.
  Use options to restore selected properties only, or to process files
  or directories separately (see the Option explanation below).


  Example:
  LOAD TRUSTEE RESTORE VOL1:\Home\Admin\Trustee.txt
    Restore every setting found in the input file
  LOAD TRUSTEE /D /ETI RESTORE VOL1:\Home\Admin\Trustee.txt
    Restore only directory trustees and IRMs from that file
  LOAD TRUSTEE /ETO /R USERS:\Home RESTORE USERS:\Trustee.txt
    Restore all trustees and owners from file to the given base path
    The input file is expected to contain relative paths only


- LOAD TRUSTEE REMOVE (ALL | <path>)
  Removes all trustee rights starting from the given path (or, using the ALL
  parameter, all the directories and files on the volume). Will ask for
  confirmation when specifying the ALL parameter or a path on the SYS volume.


  Example:
  LOAD TRUSTEE REMOVE ALL
    Remove all trustees from all volumes on this server
  LOAD TRUSTEE REMOVE VOL1:\Programs
    Remove all trustees starting at the given path


- LOAD TRUSTEE REMOVENULL (ALL | <path>)
  Removes all trustee rights starting from the given path (or, using the ALL
  parameter, all the directories and files on the volume), where empty rights
  are assigned. Will ask for confirmation when specifying the ALL parameter
  or a path on the SYS volume.


  Example:
  LOAD TRUSTEE REMOVENULL ALL
    Remove all empty trustees from all volumes on this server
  LOAD TRUSTEE REMOVENULL VOL1:\Programs
    Remove all empty trustees starting at the given path


- LOAD TRUSTEE REMOVEINVALID (ALL | <path>)
  Removes all trustee rights starting from the given path (or, using the ALL
  parameter, all the directories and files on the volume), where the object ID
  is unknown or invalid (ID to name mapping returns -601). Will ask for
  confirmation when specifying the ALL parameter or a path on the SYS volume.


  Example:
  LOAD TRUSTEE REMOVEINVALID ALL
    Remove all invalid trustees from all volumes on this server
  LOAD TRUSTEE REMOVEINVALID VOL1:\Programs
    Remove all invalid trustees starting at the given path


- LOAD TRUSTEE EFFECTIVE <objectName> <outputFile>
  Reads through all the directories and files on the server (on all volumes)
  and lists into the designated file (in CSV format) the effective rights of
  a user. If a user does not have rights to a file or directory, it is not
  listed.


  Example:
  LOAD TRUSTEE EFFECTIVE "user.department.company" SYS:\effright.txt
    Lists effective rights of that user for the entire server
  LOAD TRUSTEE EFFECTIVE "cn=user.ou=department.o=company" SYS:\effright.txt
    Lists effective rights of that user for the entire server


- LOAD TRUSTEE EFFECTIVEDIR <objectName> <outputFile>
  Reads through all the directories on the server (on all volumes) and lists
  into the designated file (in CSV format) the effective rights of a user. If
  a user does not have rights to a directory, it is not listed.


  Example:
  LOAD TRUSTEE EFFECTIVEDIR "user.department.company" SYS:\effright.txt
    Lists effective rights of that user for the entire server (directories
    only)
  LOAD TRUSTEE EFFECTIVEDIR "cn=user.ou=department.o=company" SYS:\effright.txt
    Lists effective rights of that user for the entire server (directories
    only)


- LOAD TRUSTEE EXCESSNDS <outputFile>
  Asks for an admin name and password, uses these to authenticate into NDS
  and, starting from [Root], analyzes all objects. It reports the following
  cases (which are considered to be dangerous) into the given file:

  - S right to an object
  - S right to an attribute
  - W right to the ACL attribute of an object


  Example:
  LOAD TRUSTEE EXCESSNDS SYS:\suspect.txt
    List excess or dangerous NDS rights for the entire tree


- LOAD TRUSTEE EXCESSFILE <outputFile>
  Scans all volumes on the server, and reports the following cases
  (which are considered to be dangerous) into the given file:

  - [Public] has rights to anything except sys:login
  - any rights to sys:system or a file or subdirectory inside
  - any rights to sys:etc or a file or subdirectory inside
  - any rights given to any volume root
  - more than RF rights to sys:login
  - more than RF rights to sys:public


  Example:
  LOAD TRUSTEE EXCESSFILE SYS:\suspect.txt
    List excess or dangerous file system rights for the entire server
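
The EXCESSFILE criteria above can also be applied offline to a file produced
by SAVE (record format under "Sample output file" below). The following is an
added example, not part of TRUSTEE.NLM or of the original README; the function
names are its own. It assumes absolute paths, that [Public] appears literally
as the trustee name, and that the sys:login and sys:public rules match the
directory itself, as the list is worded.

```python
import csv
import io

# Constructed sample in the SAVE file format shown on this page (not real data).
SAMPLE = r'''TRUSTEE.NLM v1.10
"TRUSTEE","SYS:\LOGIN","LONG","[Public]","RF"
"TRUSTEE","SYS:\PUBLIC","LONG","staff.org","RWF"
"TRUSTEE","SYS:\SYSTEM\backup","LONG","oper.org","RF"
"TRUSTEE","DATA:\","LONG","staff.org","RF"
"TRUSTEE","DATA:\Shared","LONG","[Public]","RF"
"TRUSTEE","DATA:\Home\user","LONG","user.org","RWCEMFA"
"OWNER","SYS:\ETC\hosts","LONG","[Supervisor]",""
'''

def split_path(path):
    # Returns (VOLUME, path below the root), upper-cased for comparison.
    vol, _, rest = path.upper().replace("/", "\\").partition(":")
    return vol, rest.strip("\\")

def excess_findings(text):
    """Return (path, trustee, rights, reason) for each EXCESSFILE-style hit."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5 or row[0] != "TRUSTEE" or not row[4]:
            continue  # header line, other record types, empty rights
        _, path, _, trustee, rights = row
        if ":" not in path:
            continue  # relative path (saved with /R): volume unknown
        vol, rest = split_path(path)
        top = rest.split("\\")[0]
        here = (vol, rest)
        reasons = []
        if trustee.lower() == "[public]" and here != ("SYS", "LOGIN"):
            reasons.append("[Public] has rights outside sys:login")
        if vol == "SYS" and top in ("SYSTEM", "ETC"):
            reasons.append("rights at or below sys:" + top.lower())
        if rest == "":
            reasons.append("rights on a volume root")
        if here in (("SYS", "LOGIN"), ("SYS", "PUBLIC")) and set(rights.upper()) - set("RF"):
            reasons.append("more than RF on sys:" + rest.lower())
        findings.extend((path, trustee, rights, r) for r in reasons)
    return findings
```

Calling excess_findings(SAMPLE) returns four findings: the RWF grant on
sys:public, the grant below sys:system, the volume-root grant on DATA, and the
[Public] grant on DATA:\Shared.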


Options can be specified with the SAVE and RESTORE commands:
  
    [/V] [/A] [/R[ basePath]] [/F] [/D] [/E[T][I][O][A][U][D]]
    /V  ... verbose mode (include all lines written to the output,
            or read from the input file into sys:\trustee.log)
    /A  ... all entries, even unchanged or default ones
            (makes it possible to change them in a text editor
            and restore back)
    /R  ... use relative path (specify basePath for restore only)
    /F  ... files only
    /D  ... directories only
    /ET ... trustee entries only
    /EI ... IRM entries only
    /EO ... owner entries only
    /EA ... attribute entries only
    /EU ... userquota entries only
    /ED ... dirquota entries only

If no parameters are specified, the program prints a short description of its
usage. The program logs its activities to the sys:\trustee.log file.


Sample output file:

TRUSTEE.NLM v1.10
"ATTR","SYS:\Apache\Apache.nlm","LONG","APShDi",""
"OWNER","SYS:\Apache\Apache.nlm","LONG","[Supervisor]",""
"TRUSTEE","SYS:\TRUSTEE\temp","LONG","user.org","RWCEMFA"
"IRM","SYS:\Network Trash Folder","LONG","S",""
"DIRQUOTA","SYS:\TRUSTEE\temp","LONG","3200",""
"USERQUOTA","DATA","LONG","user.org","3200"

ATTR
  path       The complete path, starting with the volume name
  namespace  DOS or LONG
  attrs      Abbreviated attribute names
             Ro  Read-Only
             H   Hidden
             Sy  System
             A   Archive needed
             X   Execute only
             T   Transactional
             P   Immediate purge
             Sh  Shareable
             Di  Delete inhibit
             Ci  Copy inhibit
             Ri  Rename inhibit
  na         Not used, leave it empty
  
OWNER
  path       The complete path, starting with the volume name
  namespace  DOS or LONG
  owner      Full distinguished object name
  na         Not used, leave it empty

TRUSTEE
  path       The complete path, starting with the volume name
  namespace  DOS or LONG
  trustee    Full distinguished object name
  rights     Trustee rights
             R   Read
             W   Write
             C   Create
             E   Erase
             M   Modify
             F   File scan
             A   Access control

IRM
  path       The complete path, starting with the volume name
  namespace  DOS or LONG
  irm        Rights allowed to flow down from upper levels
             R   Read
             W   Write
             C   Create
             E   Erase
             M   Modify
             F   File scan
             A   Access control
  na         Not used, leave it empty

DIRQUOTA
  path       The complete path, starting with the volume name
  namespace  DOS or LONG
  quota      Assigned quota in KB, must be a multiple of 4
             Specify -1 on input to remove the quota
  na         Not used, leave it empty

USERQUOTA
  vol        Volume name
  namespace  DOS or LONG
  owner      Full distinguished object name
  quota      Assigned quota in KB, must be a multiple of 4
             Specify -1 on input to remove the quota
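
Because a SAVE file can be edited in a text editor and restored (see /A), the
records can be checked against the field rules above before running RESTORE.
The following is an added example, not Novell's code and not part of the
original README; requiring upper-case rights letters and accepting S (which
the sample IRM line uses) are assumptions.

```python
import csv
import io
import re

ATTRS = {"Ro", "H", "Sy", "A", "X", "T", "P", "Sh", "Di", "Ci", "Ri"}

def attrs_ok(v):
    tokens = re.findall(r"[A-Z][a-z]?", v)  # "APShDi" -> A, P, Sh, Di
    return "".join(tokens) == v and set(tokens) <= ATTRS

def rights_ok(v):
    # The page lists RWCEMFA; its own sample IRM line also uses S (Supervisor).
    return set(v) <= set("SRWCEMFA")

def quota_ok(v):
    return v == "-1" or (v.isdigit() and int(v) % 4 == 0)  # -1 removes quota

# record type -> (index of the value field, checker, last field unused?)
RULES = {"ATTR": (3, attrs_ok, True), "OWNER": (3, bool, True),
         "TRUSTEE": (4, rights_ok, False), "IRM": (3, rights_ok, True),
         "DIRQUOTA": (3, quota_ok, True), "USERQUOTA": (4, quota_ok, False)}

def check_file(text):
    """Return (line_number, problem) pairs for a SAVE file about to be restored."""
    problems = []
    rows = csv.reader(io.StringIO(text))
    next(rows, None)  # line 1 is the "TRUSTEE.NLM v..." header
    for n, row in enumerate(rows, start=2):
        if len(row) != 5 or row[0] not in RULES:
            problems.append((n, "unknown record type or field count"))
            continue
        idx, ok, last_unused = RULES[row[0]]
        if row[2] not in ("DOS", "LONG"):
            problems.append((n, "namespace must be DOS or LONG"))
        if not ok(row[idx]):
            problems.append((n, "bad value %r" % row[idx]))
        if last_unused and row[4]:
            problems.append((n, "unused last field must be empty"))
    return problems

# Constructed input: three records from the page's sample plus three bad ones.
SAMPLE = r'''TRUSTEE.NLM v1.10
"ATTR","SYS:\Apache\Apache.nlm","LONG","APShDi",""
"TRUSTEE","SYS:\TRUSTEE\temp","LONG","user.org","RWCEMFA"
"IRM","SYS:\Network Trash Folder","LONG","S",""
"ATTR","DATA:\Apps\tool.exe","LONG","RoZz",""
"TRUSTEE","DATA:\Apps","LONG","user.org","RWX"
"DIRQUOTA","DATA:\Home","LONG","3001",""
'''
```

check_file(SAMPLE) reports lines 5, 6 and 7: an unknown attribute
abbreviation, an invalid rights letter, and a quota that is not a multiple
of 4.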


Compatibility: The program was tested on NetWare 4.x, 5.x and 6.x servers.

Always use the latest support pack, or you might experience issues on NSS
volumes.

Self-Extracting File Name: trust110f.exe

Files Included          Size         Date          Time
..\
  TRUST110F.TXT         (This file)
  TRUSTEE.NLM           18472        7-18-2005     9:32:18 pm



-----------------------------------------------------------------
Any trademarks referenced in this document are the property of their respective
owners.  Consult your product manuals for complete trademark information.
-----------------------------------------------------------------

