Installing Netware
(from SP4a overlay CDs)

7/25/2005
Eric Low

First, during installation, I assigned a Server Number of 15. This is unique - however, I will be using the same server name as our existing Netware v4.11 that is currently online and in production.

I set up six volumes in addition to SYS, distributed amongst three pools. Each pool was 100GB. For most of the volumes, I used the following options:

Backup: Yes
Compression: No
Data Shredding: Yes
Times to shred data: 1
Directory Quotas: No
Modified File List (MFL): Yes
Salvage Files: Yes
Snapshot - File Level: Yes
User Space Restrictions: No
Flush Files Immediately: No
Migration: No
Read Ahead Count in Blocks: 2
(Block size = 4KB)
Data area for JPROJECTS is: 99999 MB
Volume Quota in (MB): 20000 MB


On SYS, as well as on our two non-backed-up (misc) drives, I disabled Data Shredding. All drives except the misc drives and SYS had a read-ahead count of 2 (8KB), because there is a lot of random access going on with small files. I left the read-ahead count on SYS at 0. On the misc drives, which are not backed up and are only used for misc storage, I selected Backup: No; Compression: Yes; MFL: No; Snapshot - File Level: No; Read Ahead Count: 8. I set the Volume Quota to 20GB on all drives except misc, so that I could expand them later and have plenty of room for that; I did not want them to grow up to pool size, which would have happened if I had put in a quota of zero. I did, however, allow the misc drives to grow to pool size, as well as turn on compression on those drives.

****I have read somewhere that Brightstor (Arcserve) 9 does not take advantage of the NSS "Backup" setting (although it supposedly does in version 11.1). We are going to be running Brightstor 9, so I may end up turning that option off for all of our volumes. It does, however, take advantage of the Snapshot on NW6.5 NSS volumes, as long as you install BAOF (which must be purchased separately).


Once the graphical part of the installation came up, I selected "Customized Netware Server," then the following components:

Apache 2 Web Server and Tomcat 4 Servlet Container
iPrint
QuickFinder Server
Novell iFolder Storage Services
eDirectory SNMP Subagent
MySQL
Tomcat 5 Servlet Container
exteNd Application Server
Novell Nsure Audit Starter Pack
Novell NetStorage
OpenSSH
eGuide
Novell Virtual Office
Novell iManager 2.5

I named the server s3. On NIC 1, I bound IPX (ETHERNET_802.2 with network address 0000000B, ETHERNET_802.3 with network address 00000003, and ETHERNET_II with network address 00000002). On NIC 2, I only bound IP, using an address from our private subnet. Under Advanced->SNMP, I simply typed an IP address in the "IP Trap Destination Address" box (I couldn't find any documentation on this, so I assumed that the Example->IP_address 129.200.35.160 could be ignored - meaning I wouldn't need to add an IP_address part). I used NIC 2's private IP for this address. On the next section, under hostname, I put s3.datastat.com for the private IP and left the other IP's hostname blank. I did not enter or check anything for SLP (I do not have a Directory Agent (DA) on our network, nor do I know what it is at this time). Not selecting SLP would come back to haunt me - I could not see the tree on the network! I could sometimes get to it by specifying an IP rather than a tree name, but only in certain instances. And seeing how multicast is disabled on our firewall (for some reason the server bounces everything off our firewall), we cannot get away without having a DA (a DA causes SLP to use Unicast rather than Multicast). Basically, SLP does the same thing for IP that SAP does for IPX. I needed to go back and install SLP! I had to reinstall the server anyhow for other reasons, so this time, under Advanced->SLP, I checked "Configure this server as a DA (Directory Agent)" and left all three DA Server IP addresses blank.

I selected to create a new eDirectory tree. We are upgrading from NW 4.1, but I wanted to start fresh and figure out a manual migration process later. Tree Name: DSROOT, Context for Server Object: O=DataStat, Admin Name: admin, Admin Context: O=DataStat. This resulted in an Administrator name of CN=admin.O=DataStat. eDirectory can then be modified and configured using iManager.

When the licenses screen came up, I had some problems. We purchased 200 Netware 6.0 user licenses and the corresponding license protection, which allowed us to transfer those licenses to 6.5. However, you can only download license files for 6.0 - the "smartcert" program only SHOWS YOU a 9-digit serial number for your upgrade to 6.5. According to the Netware Product Activation FAQ, "Licenses with a 9-digit serial number cannot be installed while upgrading an existing server to NetWare 5 and NetWare 6. If the serial number printed on your license diskette label has 9 digits, you must check the "Install without licenses" box on the License Installation screen during the server install." I had originally checked that box and moved on, to install later. However, I did have problems later. I had to contact Novell to get those licenses, because it turned out they weren't showing up for our account on our licenses page! On a reinstall, I did select the actual 6.5 licenses on this screen. It only let me install the Server License at that screen, however; if you have any user licenses selected, you will get an Invalid License File error that reads "The format of license file is unknown. It will not be installed." The User Licenses will have to be added after installation is complete.

I kept the standard ports, 389 and 636, for LDAP, and made sure the "Require TLS for Simple Bind with Password" box was checked. Keep in mind that if a client tries to connect by sending an unencrypted password, the login will fail, but the password can still be sniffed, since the client has already put it on the wire in the clear.

For NMAS Login methods, I checked the default of NDS, as well as "Challenge Response," which looks to me like it is really a subset of the NDS login method (as would be simple password, etc.). We are not currently in the position to force our users to carry keys or certificates to log in, which eliminated most of the login methods. Simple password is too insecure, so I chose not to enable it - although not having it also means that I can not use CIFS (Samba/Windows filesystem) in NFAP (Native File Access Protocols). Going back later to install Universal Password, the more I read, the more I thought I needed Simple Password after all - but, since I decided not to install NFAP, this turned out to be false. (later on, when I upgraded eDirectory, I also installed the DIGEST-MD5 login method (which supposedly allows SASL to authenticate to eDir through LDAP)).

I did choose to install iFolder, even though it seems to be redundant and silly (According to the Netware Administrator's Handbook, you actually need to have Internet Explorer to use it! (in reality, however, this is not the case - it can (at least now) be done with any java enabled browser) I thought Novell was making a move towards using Linux?? Anyhow, I personally run Suse Linux 9.3 with Gnome on my workstation, and there is a program Applications->Utilities->Sync->Novell iFolder that looks like it does what the iFolder client would do on Windows). It basically creates a folder on your desktop that is a shortcut to a folder on the server, your "iFolder" which can be accessed from anywhere either via a java applet or the iFolder client. Why not just map a drive to your home directory and then access that via the web? Well, I don't know. Novell probably needed something else to stick on the features list. Anyhow, the install settings are fairly straightforward:

LDAP Host Name or IP: s3.datastat.com
LDAP Port: 636
LDAP Context for Admins: O=DataStat
iFolder Server Host Name or IP: s3.datastat.com
iFolder Admin Name(s): admin
User Database Path: SYS:\iFolder

That should give you an idea of some of the other settings as well. Because LDAP and iFolder are on the same server, using SSL for LDAP is not really necessary. However, you must have clear-text passwords enabled if you're not using SSL, and of course I had decided to disallow that up above. Hence the port 636 for secure LDAP. Once the server is up, you can access the iFolder Server Management Console at https://s3.datastat.com/iFolderServer/Admin. Before you can use iFolder, you MUST log in there and go to the Global Settings page at least once, as the first time you do, it will automatically extend the eDirectory Schema on the LDAP server (Which, by the way, supposedly takes 20-30 seconds, and so there will be a long pause).

For MySQL Options, I made sure that "Secure Installation" was checked. This forces the mysql root user to use a password, ensures that they are only allowed to connect from the local host, and makes it so an anonymous user is NOT created! I kept the Data Directory as the default, sys:/mysql/data. I then typed in and confirmed the password and moved on.
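As an added example (my own illustration, not part of the original notes), a small Python check that tests a listing of MySQL accounts for the three properties the "Secure Installation" option is described as enforcing: root has a password, root is limited to the local host, and no anonymous user exists. The rows are constructed to resemble the User, Host and Password columns of mysql.user; the account name exteNdServer is the one used later in these notes, the hash values are placeholders, and treating 127.0.0.1 as "local host" alongside localhost is my assumption.

```python
"""Check a MySQL account listing for the three properties the "Secure
Installation" option enforces: root has a password, root can connect only
from the local host, and no anonymous ('') account exists.

Added example; the rows below are constructed to resemble the User, Host and
Password columns of mysql.user and are not output from a real server.
"""

LOCAL_HOSTS = ("localhost", "127.0.0.1")   # assumption: both count as "local host"


def audit_mysql_users(rows):
    """Return a list of findings for (user, host, password_hash) rows.

    An empty list means all three properties hold.
    """
    findings = []
    for user, host, password_hash in rows:
        if user == "":
            # An anonymous account lets anyone matching the host pattern log in without a name.
            findings.append(f"anonymous account allowed from '{host}'")
        if user == "root":
            if host not in LOCAL_HOSTS:
                findings.append(f"root may connect from '{host}'")
            if not password_hash:
                findings.append(f"root@'{host}' has no password")
    return findings


# Constructed sample: what an install without "Secure Installation" can leave behind.
INSECURE_SAMPLE = [
    ("root", "localhost", ""),
    ("root", "%", ""),
    ("", "localhost", ""),
]

# Constructed sample: a secured install plus the exteNd account created later in these notes.
SECURE_SAMPLE = [
    ("root", "localhost", "*PLACEHOLDER_HASH"),
    ("exteNdServer", "localhost", "*PLACEHOLDER_HASH"),
]

if __name__ == "__main__":
    for name, sample in (("insecure", INSECURE_SAMPLE), ("secure", SECURE_SAMPLE)):
        print(name, audit_mysql_users(sample) or "OK")
```

Against a live server the rows would come from the User, Host and Password columns of mysql.user (later MySQL releases renamed the Password column); the check itself is kept independent of any client library so it can be run over a saved listing.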

According to Novell, "The Novell(R) exteNd(TM) Application Server is a comprehensive, J2EE certified platform for building and deploying enterprise-class Web applications. It supports the full Java 2 Enterprise Edition standard -- JavaServer Pages (JSP pages), Enterprise JavaBeans (EJBs), and all the other J2EE 1.3 components and technologies." Ok, so it looks to me like it's a Java server. I noticed that it also includes an IDE for building Java apps (Workbench). I'm sure that somewhere down the line, we'll find it to be useful. ExteNd requires MySQL, and automatically creates a database called SilverMaster50. It also installs Apache. When I installed it, I changed the admin name, selected the default port of 83 (Note that Apache will redirect stuff intended for exteNd - you connect to port 80 on the server, it redirects it to port 83), and made sure to select "Restrict Access," which restricts administrative operations and directory listings to members of the Administrators group. For the exteNd Database Options, I used the following values:

MySQL Database Host: localhost
Port: 3306
DB User Name: exteNdServer
SilverMaster Name: SilverMaster50
Execute SilverMasterInit

I'm using the MySQL database installed with the server, so I kept localhost and default MySQL port in there. I could change it later if we needed to use our SQL server instead. I changed the username, but kept the default database name (SilverMaster50) and made sure that "Execute SilverMasterInit" was checked. The install will create the named user in MySQL, and since "Execute SilverMasterInit" is checked, will create the named database and populate it with the appropriate tables. It appears that the install should assign the named user the appropriate rights to those tables regardless of the "Execute SilverMasterInit" setting. Once the server is set up and you want to start using exteNd, you probably want to look at the "Novell exteNd Workbench" and "Novell exteNd Application Server Clients."

Next in the installation was the Nsure Audit Starter Pack. This lets you set up your server to do secure remote logging, and/or be a secure logging server. Having your server act as both the client and server, of course, completely defeats the purpose of secure logging! I would definitely recommend using Linux with syslog-ng. However, because our secure logging server is temporarily down, I decided to initially install both client and server for now. I selected all of the options on the first screen:

Install Secure Logging Server
Autoconfigure MySQL
Install Platform Agent
Secure Logging Server: localhost

"Install Platform Agent" installs the client - it sets up Netware and eDirectory to perform remote logging, as well as installing a "common platform agent" (sounds to me like a secure logging relay) that other products on the server can use. As far as the NSure Database Options were concerned, I kept the defaults except for the DB User Name and password:

MySQL Database Host: localhost
Port: 3306
Database Name: naudit
Table Name: log

The next part of the installation is very exciting for me - NetStorage. This lets you access the file server from a web browser, which is something we've never really had on our network. I used the following options:

DNS Name or IP Address of Primary eDirectory Server and Context: s3.datastat.com:O=DataStat
DNS Name or IP Address of Alternate eDirectory Server and Context: (n/a)
DNS Name or IP Address of iFolder Server: s3.datastat.com
iFolder Port: 80

We are of course installing NetStorage on the same server that is acting as our primary (and only) eDirectory server, so I put in the IP address of the server. It appears that both IP addresses and FQDNs are acceptable here. Note how I added the context of the eDirectory server by adding a colon: the first line above reads s3.datastat.com:O=DataStat (it could also say 194.150.6.75:O=DataStat or 127.0.0.1:O=DataStat), and NetStorage will only search for user objects from that point down in the eDirectory tree. If you want NetStorage to search the entire eDirectory tree on that primary eDirectory server, leave the context out and only enter the IP address or DNS name. You may also specify the same server as the primary server, but with a different context, for the alternate eDirectory servers, if you want NetStorage to look in multiple branches (but not the whole) of the tree. This can be changed later using iManager\File Access (NetStorage)\Authentication Domains. However, I could not find a way to change the iFolder port from there.

At this point, it asked me to restart the server, then booted up into a barebones (but working) server.

======================================================
======================================================

The primary setup of the different Netware modules seems to be done through iManager. From a workstation, browse to the following path on the server: https://s3.datastat.com/nps/iManager.html. I was able to log in as admin, using the admin password. You can also access this from the browser on the server, by clicking on the red "N" in the lower left of the task bar. This will actually take you to Netware Remote Manager, but you can browse to iManager by typing in the URL.

First thing I did was install our licenses. From iManager, I selected "Install a License" and browsed to the first license file. If I needed to enter server licenses here, I would have selected the file, then hit Next. Location: DataStat; Server assignment: S3.DataStat. I believe the activation key would be the serial number. I had already installed the server license, though, so I selected the user license files. Each one was 100 users, but it displayed them as 20 groups of five. I selected all of them and hit Next. Location: DataStat. It did not ask me for the activation key, but again, I believe it would be the 9-digit serial number. Note that the location must be an Organization or Organizational Unit object. You cannot install user licenses in root!

Adding an administrator
The default admin user is set up as a trustee of the tree. If you look at the NDS Rights (effective rights) of that user for the tree object, you'll see that the admin user has the Supervisor Object Right, which gives him every object, property, and file system right from that point on down (because it is inheritable). I also explicitly assigned him all other rights as well, in case an IRF was ever put in place. The server, on the other hand, has the Supervisor Object Right to the Organization object under this tree. I made the admin account security equal to the server object as well, once again, in case there was ever an IRF put into place (you don't want to lose access to your objects!)

By default the [Public] trustee is assigned the browse right for the tree, allowing unauthenticated users to see the entire directory structure. This is, of course, a potential security risk.

I first created a group with full administrative privileges. This is easy - simply give them Supervisor Object Rights (as well as explicitly allowing all other rights, just in case there is an IRF) to the root.

*Assigning the "Add Self" right to the ACL is functionally the same as assigning the Supervisor right, since they can then add themselves as a supervisor.
***Assigning the "write" property right to the ACL also allows someone to grant themselves the supervisor right.

*ACL is also called the Object Trustees property.

*Difference between Organizational Role object and Group Role object? I don't yet see much purpose for OR's. The obvious difference is that you become Security Equivalent to an OR, rather than just being a member. But you could easily get the equivalent trustee rights by becoming a member of a group. I feel like being a member of a group is more obvious, too - it shows up in many more places. Perhaps OR's have a place in setting up policies, such as a password policy?

*Entry Rights is a synonym for Object Rights. Attribute Rights is a synonym for Property Rights

*There is a [Supervisor] object

*The [Public] trustee (object) represents all authenticated and nonauthenticated users.

*The S (Supervisor) right cannot be filtered in the file system by an IRF (Inherited Rights Filter). It can, however, be filtered in eDirectory security.

*A user is made security equivalent to every container that they reside in, all the way up to, and including, the tree.

*Rights are cumulative (logical OR): Group rights + Individual Rights - IRF's = Effective Rights

*When looking at an IRF (rights . /F), rights that are filtered are the rights that do not show between the brackets (i.e. [S WCEM A] means that R and F are filtered).

*If a user/group is assigned the S (Supervisor) file system right, that gives them all other rights as well (all other letters will also show between the brackets when looking at their effective rights).

*An explicit trustee assignment to a user or group overrides that user or group's inherited rights at that level in the file system. The same is true in eDirectory - a new object rights assignment overwrites an inherited object assignment, while a new property rights assignment overrides an inherited property rights assignment at that level in the eDirectory structure.
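To make the rules above concrete, here is an added example in Python (my own illustration, not part of the original notes) that computes effective file-system rights from trustee assignments and IRFs written in the bracket notation RIGHTS . /F shows. It applies the rules stated above: rights are cumulative across the user and its groups, an explicit assignment overrides what that trustee inherited at a level, an IRF filters the letters it does not show, Supervisor cannot be filtered in the file system, and Supervisor implies all other rights. It also encodes the ACL note above (Write or Add Self on the Object Trustees property is Supervisor-equivalent). The volume, directories and trustee names are constructed sample data.

```python
"""Effective file-system rights under NetWare's inheritance rules.

Added example with constructed sample data; not code from the original notes.
"""
from dataclasses import dataclass, field

# File-system rights in the order NetWare prints them: [S R W C E M F A]
FS_RIGHTS = "SRWCEMFA"


@dataclass
class Level:
    """One directory level on the path from the volume root to the target."""
    name: str
    irf: str = "[SRWCEMFA]"                           # IRF as RIGHTS . /F shows it; filters nothing by default
    assignments: dict = field(default_factory=dict)   # trustee -> explicitly assigned rights, e.g. "[RF]"


def parse_bracket(text: str) -> set:
    """Turn "[S WCEM A]" into {'S','W','C','E','M','A'}; letters absent inside the brackets are not held."""
    return {c for c in text.strip("[] ").upper() if c in FS_RIGHTS}


def filtered_by_irf(irf: str) -> set:
    """Rights an IRF blocks: everything not shown between its brackets."""
    return set(FS_RIGHTS) - parse_bracket(irf)


def expand(rights: set) -> set:
    """Supervisor grants all other file-system rights."""
    return set(FS_RIGHTS) if "S" in rights else set(rights)


def trustee_rights(path, trustee) -> set:
    """Walk the path top-down, applying the override-or-inherit rule at each level."""
    held = set()
    for level in path:
        if trustee in level.assignments:
            # An explicit assignment replaces whatever the trustee inherited at this level.
            held = parse_bracket(level.assignments[trustee])
        else:
            # Inherited rights pass through the IRF; S cannot be filtered in the file system.
            blocked = filtered_by_irf(level.irf)
            held = {r for r in held if r == "S" or r not in blocked}
        held = expand(held)
    return held


def effective_rights(path, user, groups=()) -> set:
    """Group rights + individual rights - IRFs = effective rights (cumulative OR)."""
    eff = set()
    for trustee in (user, *groups):
        eff |= trustee_rights(path, trustee)
    return expand(eff)


def show(rights: set) -> str:
    """Render a rights set the way NetWare does, e.g. "[ R    F ]"."""
    return "[" + "".join(r if r in rights else " " for r in FS_RIGHTS) + "]"


def acl_grants_supervisor(property_rights: str) -> bool:
    """eDirectory note: Write or Add Self on the Object Trustees (ACL) property lets a
    trustee make itself Supervisor, so treat either as Supervisor-equivalent."""
    letters = set(property_rights.strip("[] ").upper())
    return bool({"S", "W", "A"} & letters)


def sample_path():
    """Constructed example: SYS: -> DATA -> PROJECTS with a restrictive IRF on PROJECTS."""
    return [
        Level("SYS:", assignments={"admins": "[S]"}),
        Level("DATA", assignments={"eric": "[RF]", "devs": "[RWCEMF]"}),
        Level("PROJECTS", irf="[S R    F ]"),   # filters W C E M A; S passes regardless
    ]


if __name__ == "__main__":
    path = sample_path()
    for user, groups in (("eric", ["devs"]), ("admin", ["admins"])):
        print(f"{user:6} {show(effective_rights(path, user, groups))}")
```

In the sample, "eric" ends up with only [ R F ] in PROJECTS although his group held Write, Create, Erase and Modify one level up, while the "admins" group keeps full rights because its Supervisor assignment at the volume root is not stopped by the IRF; giving "eric" an explicit [W] in PROJECTS would replace his inherited [RF] there rather than add to it.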

*Any eDirectory object that has the Supervisor object right to the server object automatically receives the Supervisor file system right to all volumes on the Server object! A trustee with the Write right to the File Server object (this means the Write right in "All Properties," or the Write property right to the Object Trustee (ACL) Property in "Individual Properties") is also granted the Supervisor right to the file system.

***The admin object gains the Supervisor file system right to all volumes on the server object because it is granted the Supervisor Object Right to the server object. When I looked at the trustees of the server object, however, I could not see this! Not specifically, anyhow. The admin object did have the Supervisor Object Right to the tree, however, which was inherited downward. This is purely based on the fact that the tree is a container and the rights are inherited downward, because if you assign the Supervisor Object right to the tree, but leave the inheritable flag unchecked, the user/group will NOT get Supervisor File System Rights. You could, of course, give a user Supervisor File System Rights by assigning them Supervisor Object rights to any other container above the server, such as the Organization object.

****** I DID test assigning the Supervisor Object Right to the Server Object for a particular user, and it did, in fact, give that user the supervisor right to the filesystem for all associated volumes.

The Server Object is, for some reason, explicitly assigned the Supervisor Object Right to the Organization Object. This seems redundant, since the server seems to have effective Supervisor Object Rights all the way up to, and including, the tree - although they do not seem to be assigned explicitly! (If anything, it is most likely to get around any IRF's). Things are a bit different in Netware 4, however - the Server Object is not a trustee of the Organization Object (but this does not matter, because again, it gets Supervisor Object Rights all the way up the tree).

*What is an Organizational Role?? Difference between Organizational Roles and Groups?

*All authenticated users that reside in a tree receive the rights that the tree gets when that tree object is made a trustee of another object.

*In eDirectory, the Supervisor object right gives you all other object rights and property rights. The Supervisor property right, however, only gives you all other property rights.

*The Create object right can only be granted at the container level because, of course, you can only create other objects in a container.

In Netware Administrator, when looking at the IRF of an eDirectory object, inherited rights that are filtered are the ones that are unchecked!


**What is the [This] trustee??

**The _admin volume is a virtual volume that is used by the system in creating and managing NSS volumes. The _admin volume is not persistent. Each time the server boots, the volume is recreated.

*There is no "Netware Administrator" program for Linux. However, Novell did write a version of Console One. Download it from Novell's site, untar it, cd into that directory (which it names Linux), then install it by typing c1-install. If you already have Java installed, you should already have an environment variable named JRE_HOME. The installation program for Console One did NOT install Java for me, but perhaps it's just because I already had it on my system. For me, that environment variable was defined as JRE_HOME=/usr/lib/jvm/jre. After it is installed, type /usr/ConsoleOne/bin/ConsoleOne to run it. I was unable to authenticate to our root tree, however. When I right clicked on NDS and selected "Authenticate," then typed in the admin account, password, tree and context, I repeatedly got the following error:

"(Error -634) The target server does not have a copy of what the source server is requesting. Or, the source server has no objects that match the request and has no referrals on which to search for the object."

I searched around a bit, and this seems to be an issue with the Linux version of ConsoleOne. I put in the IP address of the server for the tree name, and suddenly I was able to log in just fine.


*Note that there is no EVERYONE group in NW6.5 as in earlier versions of Netware. Instead, you assign [Public] as a trustee, and everyone who has no specific rights to an object, dir or file gets those of [Public].


Installing Printers


Megaraid Drivers


Installing BrightStor ARCserve


*** When I did a fresh installation of NW65SP4a, I could not see the tree from my clients. If I put in the IP address instead of the tree name, I could log in, but it could never browse for the tree or resolve the tree otherwise. I only had one of the network cards plugged in on the server, and that NIC only had IP bound to it. I *had* installed SLP on the server, and furthermore, made it a DA (there's a checkbox to do this during SLP setup in the installation). I also checked to make sure that SLPDA was running on the server. This appeared to be a multicast problem (see TID 10014919 for the login process). When the client searches for a tree, the client sends out a multicast packet to 224.0.1.22, which supposedly tells the router to forward multicast packets, followed by a multicast to 224.0.1.35, to which the DA is supposed to respond. It appeared that this step was failing for us.
If I went into Novell Client Properties->Service Location->Directory Agent List and entered the server's IP address (also making sure to check Static), I could then browse and see the tree. From that point forward, the computer could still see the tree, even if I removed the DA from that list. However, I needed it to work dynamically! A couple of other ways to fix this (although all are static), including via DHCP, can be found in TID 10014700. The conf file man page for setting a Linux DHCP server (dhcpd) to hand out this info can be found here (look for option slp-directory-agent). Note that you can access the SLP configuration from Server Monitor->Server Parameters->Service Location Protocol. You can see if your DA is active by typing DISPLAY SLPDA from the System Console. You may also type DISPLAY SLP SERVICES. On a Windows workstation with Novell Client installed, you can type SLPINFO /ALL to see the DA's. The first time I ran inetcfg, it asked me if I wanted to move all networking commands from the startup.ncf file. I said, yes, then restarted the server. Suddenly the SLP DA was answering the multicasts! I don't know if this was coincidence or not, but then it worked.

A little bit about SLP can be found here. A little more (some of the configuration options from Console Monitor) can be found here.


If you download a Netware 6.5 support pack overlay CD, you can install products using the "Remote Product Install" utility. Select "Install Netware 6.5 Products" from the menu on the left, then click on "Remote Product Install." It will, however, yell at you if you don't have a recent version of NICI installed (cryptographic stuff).

To determine the version of eDirectory that you are running, simply type version ds.nlm from the server console.
From iManager, you can also supposedly click on "Agent Summary," but I could not find this option, at least in iManager 2.0.2. The best place to find version numbers, however, seems to be NWCONFIG. Type load nwconfig from the System Console on the server, then select "Product Options" and then "View/Configure/Remove installed products."

LOAD INETCFG to configure all protocol/NIC related stuff.

If you change IPs on any of your interfaces, make sure that the different modules are bound to the correct IPs. To do this, go into Remote Manager (NoRM), and under Manage Server -> IP Address Management, change any IP addresses as necessary. An IP address of 0.0.0.0 should make a module listen on all interfaces. There are a million other places that the IP address must be changed as well! Refer to TID 10067853 for all the different places in NW6.5. I was never able to find all the places to change the IP, and ended up having to do a reinstall of the whole operating system.


* Netware 6.5 comes with a (primitive) version of BASH. If you are familiar with Linux, you will greatly appreciate this command console. I made Bash automatically load when our server boots up, by adding the line LOAD BASH to our AUTOEXEC.NCF file.

* Apparently there is no syscon program installed with Netware 6.5. I tried copying the version over from our Netware 4.11 server, but when I tried to insert a user, it died when it tried to set the password. Damn. Nonetheless, Syscon consisted of the following files: IBM$DRV.OVL, IBM$EMS.OVL, IBM$NOT.OVL, IBM$Q.OVL, IBM$RUN.OVL, IBM$EMS.HLP, IBM$HLP.OVL, IBM$SET.OVL, SYS$ERR.DAT, SYS$HELP.DAT, SYS$MSG.DAT, SYSCON.EXE, SYSCON.HLP

Chey Vsvr S3 user?

AuthenticationBrok.1505 java.lang.NullPointerException

Purgeable space on volumes?

How do you assign a specific volume to a specific server?

Clearance levels - "Multilevel Administration" for read-write access to all areas on the network?

LDAP Contextless logins?

NFAU (Native File Access for Unix?)

Move filer from \\SYS\PUBLIC to \\SYS\SYSTEM for security?

To do a quick health check of NDS, rather than running DSREPAIR, go into NoRM (Netware Remote Manager) and select NDS iMonitor (under "Manage eDirectory"). Select Agent Health -> Agent and look for all green lights.

TCPCON to show protocol/NIC stats.

A Directory Map is a leaf object, equivalent to a symbolic link in Linux. To create one, highlight the Organization in ConsoleOne and select New->Object->Directory Map.

There is a great program called trustee.nlm that will read trustee information from a volume and output it to a file. Try typing LOAD TRUSTEE.NLM /ET /D SAVE SYS:\ SYS:\OUTPUT1.TXT. This program can also be used to do things like saving and restoring trustee rights or even removing all of them, starting from a given path. It can also analyze NDS rights very nicely - try typing LOAD TRUSTEE.NLM EXCESSNDS SYS:\OUTPUT1.TXT. Take a look at TID2971887 for a list of options.

This is a great, quick tutorial about the workings of Netware (albeit 4.1).


Strength of Secure Domain Key? Affects how clear-text passwords are encrypted (DES vs. Triple DES)