1/19/2006
Eric Low

Login Scripts

There are four possible login scripts that are run when a user logs in, in this order: These are the Container Script, Profile Script, User Script, and Default Script.

The Container Script is a property of the container object that a user resides in. If you go into ConsoleOne, you will see a Login Script tab, under which you can edit the script. In Netware 4.1, this was called the System Login Script.

The Profile Script is associated with a group that a user is in, but it is actually configured on a user-by-user basis (it is not a property of the group). A user can only be associated with one Profile Script. If you go into ConsoleOne and create a Profile Object, you can then go into the properties and modify the login script (Profile Script) for that object. If you then go into the properties of an individual User Object, under the Login Script tab, you can enter that Profile Object in the "Profile:" section down at the bottom. The Profile Script will then be run when that user logged in.

The User Script is a property of an individual User Object. Again, if you go into ConsoleOne, you will see a Login Script tab.

The Default Script is hard-coded into the login program (login.exe), and cannot be edited. It simply sets up a first network drive mapping and a search drive mapping to SYS:/PUBLIC. If a user has a User Script, however, the Default Script does not run! It is automatically run otherwise, but will be skipped if you insert a NO_DEFAULT statement in either the Container Script or Profile Script.

I am upgrading from a Netware 4.1 installation, which was upgraded from Netware 3.12. If I look in the properties of our Container Object in NDS, the Login Script (this would be the System Login Script) is blank. However, if I go into Syscon and click on Supervisor Options -> System Login Script, I can see and edit it from there. I have a feeling this is a result of the NDS upgrade to a Bindery installation. The actual file containing that script is SYS:/PUBLIC/NET$LOG.DAT.

On this Netware 6.5 installation, I chose to take the easy route out and make one big Container Script that would be run for everyone (using lots of IF MEMBER OF "THISGROUP" commands), then setting up Profile Objects that contained ProfileScripts for each special circumstance, then assigning that profile to those individual accounts. I also added the NO_DEFAULT option to the Container Script, so that the Default Script would never be run.

*** Note that there doesn't seem to be any way to stop the (DOS) login program from mapping the SYS: volume. It will always make this the first mapped drive, regardless of whether it is in any login scripts and regardless of the NO_DEFAULT setting.

*** Don't forget to set up your drive mappings in your login scripts with NetStorage in mind! One thing I did notice was that if you left the server off of your map statements (ie. MAP F:=SYS:\, they would not map in iFolder, but of course would map in DOS. I wouldn't necessarily count on that for security, but good to know).

[Public]

Ugh, this [Public] account pisses me off. Everyone (including anonymous connections) can see what it sees... and it can see everything! When I logged into LDAP anonymously and took a look around, and could see things like the name of the admin account, I realized I had to do something.

I created a fake admin account, of course, that could not actually log in, and renamed the real one. I then removed [Public] as a trustee of the real one, so that it could not even see it (the default rights that [public] had to admin were assigned Read -> Message Server, and inherited browse entry rights, as they were assigned at the [root] level). After I removed [Public] as a trustee, I put an IRF on the real admin account that blocked browse entry rights.

Time Syncing

The easiest way to do this is to use XNTPD, which is almost exactly like using NTPD on Linux. Here is the man page. First, edit SYS:\etc\ntp.conf and set it to use a/your nameserver by adding the following lines:

The logfile line, of course, is optional.

Next, modify SYS:\system\timeserve.ncf to load XNTPD rather than Timesync. Comment and then uncomment as follows:

To start it right away, without rebooting, run UNLOAD TIMESYNC followed by LOAD XNTPD. A progress screen will pop up, and when it syncs, you will see a line similar to

As far as how often it will poll the timeserver, I still don't know. I also don't know yet how to get rid of the progress screen. There are also several other useful NTP programs that come with Netware, including the following:

Unix Environment (BASH shell on Console)

When you run Bash on the system console, the environment seems to be set by the file SYS:/bin/UNIXENV.NCF.

Adding (importing) Users

It seems that some of the older utilities no longer work, with the exception of one - UIMPORT (there is also a successor called ICE, but it can't create home directories and doesn't appear to work with templates yet - but it looks like it can also do a lot that UIMPORT cannot). You can read about and obtain them both here. A more detailed document about the use of ICE can be found here. A good document with a real-life example of using UIMPORT can be found here.

I really wanted to make it so users could not change their login scripts, by setting that trustee value to Read only (by default it is read and write). My first thought was to use a user template, by specifying the "User Template=Y" option in the control file, and creating a template called USER_TEMPLATE with the proper rights assigned (New Object NDS Rights -> Rights to Other Objects -> <New Object> -> Assigned Rights), but unfortunately, although it copied certain properties of the user template, it did NOT copy the NDS rights! So instead, after I created the user with UIMPORT, I assigned those rights with a handy utility called RLACLSET. It worked like magic!

In order for a user to create a user, he/she must have Create Entry Rights in that container. Also, if you wish that user to be able to add that user to a User Group, he/she must have the following rights to the group (I did this by assigning them to an Organizational Role and then making the user equivalent to that role):

Read "Minimum rights to add members to a group" for more information.

*** If using UIMPORT, bear in mind that both the control and data files must be named according to the 8.3 file naming convention, otherwise you will get an error about being unable to find the file!

*** Note that UIMPORT, at least from Netware 4.1, is NOT Y2K COMPLIANT! This means that if you try to set a field such as "Date Password Expires," which is in the form MM/DD/YY, it will expire a century ago. :( Use the newest one, from Netware 5.1 Service Pack 8e.

Memory Issues

After a while, we started having some memory issues, specifically a "cache memory allocator out of available memory" error appearing. Following this document, I identified LENGINE.NLM as the culprit, being the NAudit Secure Logging Server and taking up 428MB of memory!

Memory leak in LENGINE.NLM

Memory leak in LENGINE.NLM, part two

asdf

Trying to log into iManager (2.5), you get the following error: Login failed. The required dependencies were not found. Please reinstall this software from the original distribution to ensure the components are available. Refer to Novell documentation for the required prerequisites. I also saw errors 698 and 699 on the server's logger screen.

This happened on our server after I changed a bunch of the environment settings from their default, so I assumed this was the culprit and ended up changing a lot of settings back. However, this did not seem to cause the problem. I had also recently upgraded edirectory to version 8.8, although had logged into iManager successfully many, many times since, with no problem! However, according to the eDirectory 8.8 docs:

To test if this works, try typing the following commands at the console prompt:

Then, try logging into iManager. It worked for me! So, I added the following line to the very beginning of c:\nwserver\startup.ncf:

After I rebooted, iManager worked great!

It should also be noted that this setting affects authentication through other avenues, such as LDAP:

Read this document for more information, as well as a flowchart.

novell audit mysql: can't open file: log.myi errno: 145
05/14/07

The database may be corrupt; try running a fix by typing the following command at the Netware Console:

Then reboot, if possible, to make sure everything reloads correctly. Worked great for me on the first time and, at the same time, solved a dozen other weird problems I had been having for a couple of days!

Novell Audit Platform Agent: Attempting to re-establish connection to secure log server for application ...
Novell Audit Platform Agent: Failed SSL HandShake
Novell Audit Platform Agent: Failing primary connection for application SecretStore.
05/21/07

From Brian Hieb in a post at NDS Engineers: Find the sss_en.lsc file in sys:\system\naudit of the SecretStore Server, and create a log application object for the logging server from that file. Restart the logging server and it will stop connecting. One thing to note - if you dont create the log application object, your log server may eventually crash.

So, how do we do this? According to the Nsure Audit docs, Log Schema (LSC) files catalog the events that can be logged for a given application. They also provide event descriptions and field titles, although this is optional.

Manually add the uniqueID attribute to the user
02/06/08

This can be done through iManager or ConsoleOne, although I thought iManager seemed easier.
See this link for more info.

iManager:
- Directory Administration
- Modify Object
- Browse for user object name and click OK
- Click the "Other link" within the "General" tab.
- Move the attribute of uniqueID from the Unvalued Attributes column to the Valued Attributes column. During the move, you are prompted to enter a value. A typical value would be the user ID name, however, be sure that the name is unique. For this reason, it may be best to use something such as an email address name. The user will need to know the value you entered to authenticate when using secure iPrint.
- Click OK

ConsoleOne:
- Properties of the user object
- Other tab
- Highlight "Attributes"
- Click Add
- Highlight uniqueID, click OK
- Add a value. A typical value would be the user ID name, however, be sure that the name is unique. For this reason, it may be best to use something such as an email address name. The user will need to know the value you entered to authenticate when using secure iPrint.
- Click OK

Backing up eDir and file system trustees
06/30/08

There's no point in me rewriting this, is a very comprehensive and straightforward documentation is already posted here. Whee!

Crontab
07/01/08

Just like on a Linux machine, Netware can run cron jobs. When loaded (you must manually do this or set this to happen in your startup.ncf, as it is not in there by default), CRON.NLM reads the SYS:/etc/crontab file once per minute and runs commands from the file accordingly if it is time to do so. It then logs everything to SYS:/etc/cronlog. If you wish to limit the size of this log file, run cron with the max logfile size as the command like option (ie. LOAD CRON 50 to load it with a max log size of 50MB). The syntax of SYS:/etc/crontab is as follows:

I set up a cron job to back up our NDS as well as file system trustees to flat files, so that they could be backed up as files along with the rest of our file system, with the followin crontab entries:

This will then back up eDirectory at 2:00am every morning, followed by the file system trustees every morning at 2:10am. Read more about CRON.NLM here.

Linux commands for Netware can be found here.

Take a look at the NW OES NLM Reference.