Version PK-4.60
(Nov 22, 1998)
DISCLAIMER: THIS PRODUCT IS SUPPLIED "AS IS". DREAMLAN DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY AND OF FITNESS FOR ANY PURPOSE. DREAMLAN ASSUMES NO LIABILITY FOR DAMAGES, DIRECT OR CONSEQUENTIAL, WHICH MAY RESULT FROM THE USE OF THIS PRODUCT.
There may be times that you have wondered if you have any containers or user or other objects in your NDS tree that you are not aware of, because you can't see them due to IRF blocking. Well, NDSTree is designed to locate and identify those stealth objects.
NDSTree is made up of two programs: a DOS utility and an NLM. The NLM version lists all objects in your NDS tree regardless of whether an IRF blocks them from normal view. By comparing the output of the NLM version with that of the DOS version, you can easily locate and identify any stealth objects in your tree.
In v1.01, an additional security-checking feature has been added. With the registered version, you can produce a report of which objects are Security Equal to other objects. This is useful in tracking down, for example, users that have Supervisor rights to Server objects: when a user is SE to a server object, the user is automatically granted Supervisor file system rights to ALL volumes on that server. This file system right cannot be revoked using file system IRFs (because of the S file system right), and there is no easy way to find such a user using NETADMIN or NWAdmin. You can use NLIST to locate such objects, but the output is pretty "ugly".
This is a must-have tool for any NetWare 4 and NetWare 5 sites that have multiple (NDS) network administrators, or for anyone serious about NDS security.
No special installation steps or program are needed. NDSTREE2.NLM should be copied along with its license file (NDSTREE2.LIC) to a directory. They do not need to be on a diskette, but both files must be in the same directory. NDSTREE.EXE should be copied to your SYS:PUBLIC directory. The Unicode files for the country code and code page that your workstation uses must be available in the respective NLS directories, for example SYS:PUBLIC\NLS.
If you choose to place NDSTREE.EXE in a different directory, you may need a search map to SYS:PUBLIC\NLS in order for the application to find the Unicode files.
Both NDSTREE.EXE and NDSTREE2.NLM use the same command-line parameters, with the exception of -X and -Z, which are only available in NDSTREE.EXE. The syntax for these utilities is:
NDSTREE [-a] [-c] [-m] [-o] [-r] [-s] [-t] [-x] [-?] [-Z]
LOAD NDSTREE2 [-a] [-c] [-m] [-o] [-r] [-s] [-t] [-?]
Starting with v4.5, the NLM has a menu interface, so you can start the NLM without any command-line options. (To turn off the color in the NLM version, use LOAD NDSTREE2 -M; this should be used alone without any other options so you'll get the menu prompts. Otherwise, it will be interpreted as the match option.) The options are as follows:
- -a appends to a report file, if it exists.
- -c specifies continuous scroll on display. By default, the output will be paused after each screen-full.
- -m generates a 'compare' data file (NDSTREEx.DAT). This is the file that you compare from NDSTREE and NDSTREE2 to see if you have any stealth objects. Any objects listed in NDSTREE2.DAT but not in NDSTREE.DAT are stealth objects. (Not available in the unregistered version)
- -o shows all objects. By default, only the containers will be displayed. If NDSTREE cannot determine whether an object is a container (e.g. an Unknown), it will be displayed as though it is a container.
- -r generates a report file (NDSTREEx.RPT). This file contains the same output as you see on the screen. This is so that you can print it out later or keep it for future reference.
- -s specifies that the search should include the subtree. By default, only the current context is searched.
- -t specifies that the objects be identified by their class types.
- -x disables the use of color.
- -? shows a help screen.
- -Z generates a report file (SecEqual.RPT) that lists the objects which are "Security Equals" (a.k.a. Security Equivalent) to other objects. For more configuration details, see the Configuration section. (Not available in the unregistered version)
Except for -Z, none of the above parameters are case-sensitive.
If you encounter an error message similar to the following about fmod, ensure MATHLIB.NLM is loaded (it is not auto-loaded by the NLM):
Server-4.10-1586: Loader cannot find public symbol: fmod
Examples
1) Output from using "NDSTREE -s". It looks pretty much like the output from a CX /T command:
NDSTREE Version MT-1.00 [s/n: DLAN951015r-DLAN] (Display NDS Tree Structure)
DreamLAN Network Consulting Ltd. (c)Copyright 1995. All Rights Reserved.
Searching from context <DreamLAN> and below
NDS Tree Listing: DreamLAN
 +OU=NW4SG
 +OU=NW3SG
TotalContainer found = 3. TotalObject found = 3.
2) The following is output from "NDSTREE -s -t", which identifies each lower-level object it found. CX cannot give you that information.
NDSTREE Version MT-1.00 [s/n: DLAN951015r-DLAN] (Display NDS Tree Structure)
DreamLAN Network Consulting Ltd. (c)Copyright 1995. All Rights Reserved.
Searching from context <DreamLAN> and below
NDS Tree Listing: DreamLAN
 +OU=NW4SG (Org Unit)
 +OU=NW3SG (Org Unit)
TotalContainer found = 3. TotalObject found = 3.
3) The following output is generated using the "NDSTREE -s -t -o" options:
NDSTREE Version MT-1.00 [s/n: DLAN951015r-DLAN] (Display NDS Tree Structure)
DreamLAN Network Consulting Ltd. (c)Copyright 1995. All Rights Reserved.
Searching from context <DreamLAN> and below
NDS Tree Listing: DreamLAN
 +CN=USER_TEMPLATE (User)
 +CN=Peter (User)
 +CN=Q1 (Queue)
 +CN=PS-DreamLAN (Print Srv)
 +CN=P1 (Printer)
 +CN=Test2 (User)
 +CN=Guest (User)
 +CN=SDK (User)
 +CN=aaa (User)
 +OU=NW4SG (Org Unit)
 | +CN=Test Computer (Computer)
 | +CN=Test (User)
 | +CN=Test2 (User)
 | +OU=NW3SG (Org Unit)
 | +CN=Test (User)
 | +CN=Test3 (User)
 +CN=print_q (Queue)
 +CN=HP_LaserJet_II (Queue)
 +CN=HP3_16S (Queue)
 +CN=PS-DreamLAN-2 (Print Srv)
 +CN=HP3-16th-South (Printer)
 +CN=testing (User)
 +CN=bbb (User)
 +CN=Joe (User)
 +CN=HelpDesk (User)
 +CN=Ctal (User)
 +CN=HelpDesk2 (User)
 +CN=HelpDesk3 (Org Role)
 +CN=HelpDesk4 (Group)
 +CN=Peter2 (User)
 +CN=newadmin (User)
TotalContainer found = 3. TotalObject found = 32.
Looking for Stealth Objects
You can use the following steps to see if you have any stealth objects in your NDS tree:
- Log in as Admin or someone with Supervisor rights to the [Root], or as someone with as many NDS rights as you can get.
- Set the workstation's context to [Root].
- Run NDSTREE.EXE with the following options:
NDSTREE -s -t -o -r -m
This searches the whole tree, shows all objects, identifies each object with a base class, and generates both a report file (NDSTREE.RPT) and a "match" file (NDSTREE.DAT). It is the match file you use later. (The use of -t is optional, but it gives you additional information about the object type of each object.)
- Run the NDSTREE2 NLM as follows:
LOAD NDSTREE2 -s -t -o -r -m
This searches the whole tree, shows all objects, identifies each object with a base class, and generates both a report file (NDSTREE2.RPT) and a "match" file (NDSTREE2.DAT). It is the match file you use later. These two files are placed at the root of the SYS: volume. (If you didn't use the -t option to generate the NDSTREE.DAT file in Step 3, don't use -t here.)
NOTE: You must perform Step 4 on *every* server that holds a replica. At the very least, run this on all servers that hold Master replicas. REASON: The NLM has to tree-walk to other servers if the server it runs on doesn't hold a replica of part of your tree. When the NLM tree-walks, it will NOT see stealth objects in partitions located on other servers. Therefore, you need to run the NLM on all servers that hold a replica; the easiest is to run it on the servers with the Masters (to reduce the number of servers you have to run it on).
- Copy each NDSTREE2.DAT to your workstation and combine all copies into a *single* file.
- Use the DOS SORT program (or any other of your choice) to sort the two .DAT files:
SORT < NDSTREE.DAT > NDSTREE.1
SORT < NDSTREE2.DAT > NDSTREE.2
You should always sort the files, as the order of the objects returned by NDSTREE is sometimes different from that of NDSTREE2. This is the best way to ensure a smooth comparison.
- Use the supplied UNIQUE.EXE (or any other of your choice) to remove any duplicate lines from the sorted NDSTREE2.DAT (NDSTREE.2 in the example) file:
UNIQUE -i NDSTREE.2 -o NDSTREE.2B
- Use a file compare utility, such as DOS's FC, to compare NDSTREE.1 and NDSTREE.2B. Any entries found in NDSTREE.2B but not in NDSTREE.1 can be considered stealth objects (unless they were created after you ran NDSTREE.EXE but before running NDSTREE2.NLM).
The following is a sample (edited for easier reading) output from FC, which shows there are four stealth objects:
ASCII differences between NDSTREE.1 and NDSTREE.2B
After line 117 in NDSTREE.1 insert line 118 from NDSTREE.2B
> CN=SU2.OU=Temp.O=DreamLAN (User)
After line 133 in NDSTREE.1 insert line 135 from NDSTREE.2B
> CN=USER_TEMPLATE.O=HideMe (User)
After line 147 in NDSTREE.1 insert line 150 from NDSTREE.2B
> O=HideMe.[Root] (Organization)
After line 170 in NDSTREE.1 insert line 174 from NDSTREE.2B
> OU=Temp.O=DreamLAN (Organizational Unit)
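The combine / SORT / UNIQUE / FC steps above, carried out on the contents of the .DAT files, as an added example that is not part of NDSTree or its distribution. The listings below are constructed sample data, not real NDSTree output: NDSTREE_DAT stands for what NDSTREE.EXE wrote from the workstation, and the two NDSTREE2_DAT_SERVER_* strings stand for NDSTREE2.DAT files collected from two replica-holding servers (so the higher-level objects appear twice and must be de-duplicated). Entries in the merged server listing that the client listing lacks are the stealth candidates; the example also refuses to compare a listing made with -t against one made without it, which is the mismatch the note in Step 4 warns about.

```python
"""Compare NDSTREE.DAT (client view) with the combined NDSTREE2.DAT files
(server view) to find stealth objects. Added example, not NDSTree code."""
from typing import Dict, Iterable, List

# Constructed sample data (not real NDSTree output). O=HideMe, OU=Temp and the
# objects under them are assumed to be hidden from the workstation by an IRF.
NDSTREE_DAT = """\
O=DreamLAN.[Root] (Organization)
OU=NW4SG.O=DreamLAN (Organizational Unit)
CN=Admin.O=DreamLAN (User)
CN=Peter.O=DreamLAN (User)
CN=Test.OU=NW4SG.O=DreamLAN (User)
"""
NDSTREE2_DAT_SERVER_A = """\
O=DreamLAN.[Root] (Organization)
CN=Admin.O=DreamLAN (User)
CN=Peter.O=DreamLAN (User)
O=HideMe.[Root] (Organization)
CN=USER_TEMPLATE.O=HideMe (User)
"""
NDSTREE2_DAT_SERVER_B = """\
O=DreamLAN.[Root] (Organization)
OU=NW4SG.O=DreamLAN (Organizational Unit)
CN=Test.OU=NW4SG.O=DreamLAN (User)
OU=Temp.O=DreamLAN (Organizational Unit)
CN=SU2.OU=Temp.O=DreamLAN (User)
"""


def normalize(text: str) -> List[str]:
    """The SORT + UNIQUE step: sorted, de-duplicated, non-blank lines."""
    return sorted({line.strip() for line in text.splitlines() if line.strip()})


def has_type_suffix(lines: Iterable[str]) -> bool:
    """True when every entry carries the '(class)' suffix that -t adds."""
    lines = list(lines)
    return bool(lines) and all(line.endswith(")") and " (" in line for line in lines)


def compare_listings(client_dat: str, server_dats: Iterable[str]) -> Dict[str, List[str]]:
    """Combine all NDSTREE2.DAT copies, normalize both sides, and diff them."""
    client = normalize(client_dat)
    merged = normalize("\n".join(server_dats))  # the "single file" of Step 5
    if has_type_suffix(client) != has_type_suffix(merged):
        raise ValueError("one listing was made with -t and the other without; "
                         "regenerate both the same way before comparing")
    client_set, merged_set = set(client), set(merged)
    return {
        # what FC reports as lines to insert into NDSTREE.1: the stealth candidates
        "stealth": [obj for obj in merged if obj not in client_set],
        # the reverse case: the workstation saw it but no collected server listing
        # has it, which points at a replica-holding server that was skipped in
        # Step 4 or an object deleted between the two runs
        "client_only": [obj for obj in client if obj not in merged_set],
    }


def find_stealth_objects(client_dat: str, server_dats: Iterable[str]) -> List[str]:
    """Objects present in the combined NLM listings but absent from the client listing."""
    return compare_listings(client_dat, server_dats)["stealth"]


if __name__ == "__main__":
    result = compare_listings(NDSTREE_DAT, [NDSTREE2_DAT_SERVER_A, NDSTREE2_DAT_SERVER_B])
    for obj in result["stealth"]:
        print("stealth object:", obj)
    for obj in result["client_only"]:
        print("client-only object (replica server missed?):", obj)
```

Run on the sample data, the stealth list holds the same four objects the FC output above shows. The "client_only" list is empty here; if it is not empty in practice, check that NDSTREE2.DAT was collected from every server holding a replica before treating the stealth list as complete.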
The registered version of NDSTREE.EXE supports the -Z command-line parameter (which will generate a Security Equals report) and the -M command-line parameter (which will generate a Match Object datafile).
By default, the -Z option will report all objects that are SE to either a Server object or a Volume object. However, you can create a SecEqual.CFG file that lists up to 10 different object classes for NDSTree to check. For example, you can generate a report for objects that are SE to Server, Volume, and Profile objects. The .CFG file needs to be in the current working directory.
The syntax of SecEqual.CFG is simple: one class name on each line. A line starting with either ';' (semi-colon) or '#' (pound) is treated as a comment. The class name must match that of the schema exactly (including spaces). You can get a list of the class names in your schema using NDSCOUNT, a utility that is also part of the NDS ToolKit.
Note that the -Z option is not available for NDSTREE2.NLM. Shown below is a sample output from NDSTREE.EXE using the -Z option:
NDSTREE Version MT-1.01 [s/n: DLAN951027r-DLAN]
DreamLAN Network Consulting Ltd. (c)Copyright 1995. All Rights Reserved.
Report file (SecEqual.RPT) generated on October 27, 1995 at 00:53:39
Searching from context <[Root]> and below.
SE Config file [SecEqual.CFG] used.
Objects with SE to the following object classes are flagged:
 1. --> Volume
 2. --> Messaging Server
 3. --> NCP Server
 4. --> Profile
NOTE: The 'Security Equalled To' object name is relative
----- to the 'source' object's context.
***************************************************************************
CN=DREAMLAN.OU=Toronto.O=North_America: SE --> CN=DREAMLAN_MSG (Messaging Server)
CN=Csadmin.OU=Consulting.OU=Toronto.O=North_America: SE --> CN=NW410B (NCP Server)
CN=Louvre+Bindery Type=543.OU=Toronto.O=North_America: SE --> CN=DREAMLAN (NCP Server)
CN=Admin.O=North_America: SE --> CN=DREAMLAN_MSG.OU=Toronto (Messaging Server)
CN=Tester.O=TopLevel: SE --> CN=DREAMLAN.OU=Toronto.O=North_America. (NCP Server)
*** End of Report ***
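A reader of the SecEqual.CFG format described above, as an added example that is not part of NDSTree. It implements the rules the text gives (one class name per line, ';' or '#' comment lines, at most 10 classes, exact matching including spaces) and adds the check a practitioner wants before running -Z: comparing each configured name against the schema class names so that a misspelled or mis-spaced entry is caught rather than silently matching nothing. The sample .CFG and the schema class set are constructed for the example; in practice the schema list comes from NDSCOUNT. Treating blank lines as ignorable is an assumption, not documented behaviour.

```python
"""Parse SecEqual.CFG and validate its class names. Added example, not NDSTree code."""
from typing import Iterable, List, Optional

MAX_CLASSES = 10  # the documented limit for SecEqual.CFG

# What -Z checks when no SecEqual.CFG exists: the text says Server or Volume
# objects, and the sample report names the server class "NCP Server".
DEFAULT_CLASSES = ["NCP Server", "Volume"]

# Constructed sample .CFG (not a file shipped with the product).
SAMPLE_CFG = """\
; SecEqual.CFG - object classes whose security-equivalent objects to report
# comment lines start with ';' or '#'
NCP Server
Volume
Profile
"""

# Constructed stand-in for the class names NDSCOUNT would list for the schema.
SAMPLE_SCHEMA_CLASSES = frozenset({
    "NCP Server", "Volume", "Profile", "Messaging Server",
    "User", "Organization", "Organizational Unit",
})


def parse_secequal_cfg(text: str) -> List[str]:
    """Return the class names listed in the .CFG, in file order.

    Only the line terminator is removed. Because the name must match the schema
    exactly, including spaces, interior and trailing spaces are kept on purpose
    so that unknown_classes() can report the mismatch.
    Blank lines are skipped (an assumption; the text does not mention them).
    """
    classes: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line[0] in ";#":
            continue
        classes.append(line)
        if len(classes) > MAX_CLASSES:
            raise ValueError(
                f"line {lineno}: SecEqual.CFG lists more than {MAX_CLASSES} classes")
    return classes


def classes_to_check(cfg_text: Optional[str]) -> List[str]:
    """Classes the -Z report would flag: the .CFG contents, or the defaults if absent."""
    if cfg_text is None:
        return list(DEFAULT_CLASSES)
    return parse_secequal_cfg(cfg_text)


def unknown_classes(classes: Iterable[str], schema: Iterable[str]) -> List[str]:
    """Configured names that match no schema class byte-for-byte."""
    known = set(schema)
    return [c for c in classes if c not in known]


if __name__ == "__main__":
    wanted = classes_to_check(SAMPLE_CFG)
    print("classes to flag:", wanted)
    # "Volume " (trailing space) and "Ncp Server" (wrong case) would never match
    bad = unknown_classes(wanted + ["Volume ", "Ncp Server"], SAMPLE_SCHEMA_CLASSES)
    print("not found in schema:", bad)
```

Run the check against the class list from NDSCOUNT before generating the report; a name that does not appear in the schema means that class is silently not reported.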
In this trial version, the following options are disabled:
- -a Append to report file
- -c Continuous scroll of display
- -m Generate compare data file
- -r Generate report file
- -t Show object types
The full version of NDSTree is available by registering on-line through the following Web sites:
The NDS tree name is required as it is used to generate a key. The registration cost is $99 US. Canadian registration is $135 CDN plus GST. All other countries, please remit in US funds.
You can also FAX a company Purchase Order to +1 (905) 887-3836. Please make sure you either include your tree name information on the FAX or send a follow up email.
Special site agreements for multiple trees and service providers are available. The license does not grant you the right to resell the program for a profit, but you can charge the customer a service charge for your time. If you are a service provider, you can register copies on behalf of your customers (by providing your customer's mailing information; this is used only for tracking purposes). At the same time, we ask you to send us a separate email indicating that you are registering on behalf of your customer, whether further software upgrades (free or for a charge) should be sent to you or to the customer directly, and an email address for that purpose.
NDSTREE is written in C using the Microsoft C optimizing compiler and the Novell Development Kit. Some string manipulation routines are from the CXL library. NDSTREE2 is written using the Watcom C compiler and the Novell Developer Kit.
Inclusion of this utility on CD-ROMs (except for backup purposes) without permission from DreamLAN Network Consulting Ltd. is expressly prohibited.