NDSTree Version MT-1.10/PK-2.01
===============================
(Feb 16, 1997)

DISCLAIMER
----------
THIS PRODUCT IS SUPPLIED "AS IS". THE AUTHOR DISCLAIMS ALL WARRANTIES,
EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF
MERCHANTABILITY AND OF FITNESS FOR ANY PURPOSE. THE AUTHOR ASSUMES NO
LIABILITY FOR DAMAGES, DIRECT OR CONSEQUENTIAL, WHICH MAY RESULT FROM THE
USE OF THIS PRODUCT.

Introduction
------------
There may be times when you have wondered whether there are containers, users
or other objects in your NDS tree that you are not aware of, because you
can't see them due to IRF blocking. NDSTree is designed to locate and
identify those stealth objects.

NDSTree is made up of two programs: a DOS utility and an NLM. The NLM version
will list _all_ objects in your NDS tree, regardless of whether an IRF blocks
them from normal view. By comparing the output of the NLM version to that of
the DOS version, you can easily locate and identify any stealth objects you
may have in your tree.

In v1.01, an additional security-checking feature was added. With the
registered version, you can produce a report of which objects are Security
Equals to other objects. This is useful in tracking down, for example, users
that have Supervisor rights to Server objects: when a user is SE to a server
object, the user is automatically granted Supervisor file system rights to
ALL volumes on that server. This file system right cannot be revoked using
file system IRFs (because of the S file system right), and there is no easy
way to find such a user using NETADMIN or NWAdmin. You can use NLIST to
locate such objects, but the output is pretty "ugly".

This is a must-have tool for any NetWare 4 site that has multiple (NDS)
Network Administrators, or for anyone serious about NDS security.

Notes
-----
1.  NDSTree will display only the first 50 levels of an NDS tree. This should
    not be a problem, as a properly and efficiently designed tree should have
    no more than about 10 levels, including [Root]. Because recursive code is
    used to create the tree map, it is possible you may run into an "out of
    stack" error (same with the NLM). Therefore, we recommend you run the NLM
    during non-production hours if you have a deep tree. Both NDSTREE and
    NDSTREE2 have been tested with a tree depth of 10 levels.
2.  NDSTREE2.NLM creates its data files at the root of the SYS: volume. The
    location cannot be changed.
3.  NDSTREE.EXE creates its data files in the default working directory of
    the workstation.
4.  NDSTREE2.NLM will always scan the tree starting from [Root].
5.  NDSTREE.EXE will always scan the tree starting from the workstation's
    current context.
6.  Any Unknown objects will be considered as possible containers.
7.  Aliased container objects are not shown without the use of the "-o"
    option. When a container alias is shown, no objects will be shown
    underneath it; you need to refer back to the original container object.
8.  Aliased user objects (and other leaf objects) are identified with the
    base class of the original objects. For example, a user alias object will
    be identified as a user rather than as an alias.
9.  On a large tree, the output may be ugly!
10. During testing, we have seen that the screen output of NDSTREE2.NLM does
    not get fully sent to the RCONSOLE workstation, and that keystrokes from
    the RCONSOLE station do not reach NDSTREE2.NLM when the screen is paused.
    If this happens to you, use the server console directly. This is most
    likely caused by the keyboard polling loop used when a full screen of
    information is displayed (i.e. "Press any key to continue"). (This
    problem has been addressed in NDSTREE2.NLM v1.01.)
11. NDSTREE2.NLM has not been tested on an SFT III server. If you need to use
    it, try it on the MSEngine.
12. The use of NDSTREE2.NLM is keyed to the name of the NDS tree.
13. There must be a free connection slot on the server for the utility to
    load.
14. There must be a valid license (even a 2-user one) installed on the server
    in order for the NLM to load correctly.

Installing NDSTree
------------------
No special installation steps or program need to be used. NDSTREE2.NLM should
be copied to a diskette along with its license file (NDSTREE2.LIC). The
license file must be in the root directory. NDSTREE.EXE should be copied to
your SYS:PUBLIC directory. You must have the Unicode files for the country
code and code page that your workstation uses available in the respective
NLS directories, for example SYS:PUBLIC\NLS. If you choose to place
NDSTREE.EXE in a different directory, you may need a search map to
SYS:PUBLIC\NLS in order for the application to find the Unicode files.

Authentication Password
-----------------------
Your authentication password is: *****
Please note the case.

Running NDSTree
---------------
Both NDSTREE.EXE and NDSTREE2.NLM use the same command-line parameters, with
the exception of -Z. The -Z option is only available in NDSTREE.EXE.

The syntax is:

   NDSTREE [-a] [-c] [-m] [-o] [-r] [-s] [-t] [-?] [-Z]
or
   LOAD [drive:]NDSTREE2 [-a] [-c] [-m] [-o] [-r] [-s] [-t] [-?]

where

   "-a" will append to a report file, if it exists.

   "-c" specifies continuous scroll on display. By default, the output will
        be paused after each screen-full.

   "-m" will generate a 'compare' data file (NDSTREEx.DAT). This is the file
        that you compare from NDSTREE and NDSTREE2 to see if you have any
        stealth objects. Any objects listed in NDSTREE2.DAT but not in
        NDSTREE.DAT are stealth objects. (Not available in the unregistered
        version)

   "-o" will show all objects. By default, only the containers will be
        displayed. If NDSTREE cannot determine whether an object is a
        container (e.g. an Unknown), it will be displayed as though it is a
        container.

   "-r" will generate a report file (NDSTREEx.RPT). This file contains the
        same output as you see on the screen.
        This is so that you can print it out later or keep it for future
        reference.

   "-s" specifies that the search should include the subtree. By default,
        only the current context is searched.

   "-t" specifies that the objects be identified by their class types.

   "-?" shows a help screen.

   "-Z" generates a report file (SecEqual.RPT) that lists the objects which
        are "Security Equals" (a.k.a. Security Equivalent) to other objects.
        For more configuration, see a later section. (Not available in the
        unregistered version)

NOTE: Except for -Z, none of the other parameters are case sensitive.
----

Examples
--------
1) Output from using "NDSTREE -s". It looks pretty much like the output from
   a CX /T command.

---------------------------------------------------------------------------
NDSTREE Version MT-1.00 [s/n: DLAN951015r-DLAN] (Display NDS Tree Structure)
DreamLAN Network Consulting Ltd. (c)Copyright 1995. All Rights Reserved.

Searching from context and below

NDS Tree Listing:

DreamLAN
└OU=NW4SG
  └OU=NW3SG

TotalContainer found = 3.
TotalObject found = 3.

2) The following is output from "NDSTREE -s -t", which identifies each lower
   level object it found. CX cannot give you that information.

---------------------------------------------------------------------------
NDSTREE Version MT-1.00 [s/n: DLAN951015r-DLAN] (Display NDS Tree Structure)
DreamLAN Network Consulting Ltd. (c)Copyright 1995. All Rights Reserved.

Searching from context and below

NDS Tree Listing:

DreamLAN
└OU=NW4SG (Org Unit)
  └OU=NW3SG (Org Unit)

TotalContainer found = 3.
TotalObject found = 3.

3) The following output is generated using the "NDSTREE -s -t -o" options.

---------------------------------------------------------------------------
NDSTREE Version MT-1.00 [s/n: DLAN951015r-DLAN] (Display NDS Tree Structure)
DreamLAN Network Consulting Ltd. (c)Copyright 1995. All Rights Reserved.

Searching from context and below

NDS Tree Listing:

DreamLAN
├CN=USER_TEMPLATE (User)
├CN=Peter (User)
├CN=Q1 (Queue)
├CN=PS-DreamLAN (Print Srv)
├CN=P1 (Printer)
├CN=Test2 (User)
├CN=Guest (User)
├CN=SDK (User)
├CN=aaa (User)
├OU=NW4SG (Org Unit)
│ ├CN=Test Computer (Computer)
│ ├CN=Test (User)
│ ├CN=Test2 (User)
│ └OU=NW3SG (Org Unit)
│   ├CN=Test (User)
│   └CN=Test3 (User)
├CN=print_q (Queue)
├CN=HP_LaserJet_II (Queue)
├CN=HP3_16S (Queue)
├CN=PS-DreamLAN-2 (Print Srv)
├CN=HP3-16th-South (Printer)
├CN=testing (User)
├CN=bbb (User)
├CN=Joe (User)
├CN=HelpDesk (User)
├CN=Ctal (User)
├CN=HelpDesk2 (User)
├CN=HelpDesk3 (Org Role)
├CN=HelpDesk4 (Group)
├CN=Peter2 (User)
└CN=newadmin (User)

TotalContainer found = 3.
TotalObject found = 32.

Looking for Stealth Objects
---------------------------
You can use the following steps to see if you have any stealth objects in
your NDS tree:

1. Log in as Admin, as someone with Supervisor rights to [Root], or as
   someone that has as many NDS rights as you can get.
2. Set the workstation's context to [Root].
3. Run NDSTREE.EXE with the following options:

      NDSTREE -s -t -o -r -m

   This searches the whole tree, shows all objects, identifies each object
   with a base class, and generates both a report file (NDSTREE.RPT) and a
   "match" file (NDSTREE.DAT). It is the match file you use later.
4. On one of the NetWare 4.1 servers in your NDS tree (it does not have to
   hold any replicas), run the NDSTREE2 NLM as follows:

      LOAD A:\NDSTREE2 -s -t -o -r -m

   This searches the whole tree, shows all objects, identifies each object
   with a base class, and generates both a report file (NDSTREE2.RPT) and a
   "match" file (NDSTREE2.DAT). It is the match file you use later. These
   two files are placed at the root of the SYS: volume.
5. Copy NDSTREE2.DAT to your workstation.
6. Use the DOS SORT program (or any other of your choice) to sort the two
   .DAT files:

      SORT < NDSTREE.DAT > NDSTREE.1
      SORT < NDSTREE2.DAT > NDSTREE.2

   You should always sort the files, as sometimes the order of the objects
   returned by NDSTREE is different from that of NDSTREE2. This is the best
   way to ensure a smooth comparison.
7. Then use a compare utility, such as DOS's FC, to compare NDSTREE.1 and
   NDSTREE.2. Any entries found in NDSTREE.2 but not in NDSTREE.1 can be
   considered stealth objects (unless they were created after you ran
   NDSTREE.EXE but before running NDSTREE2.NLM).

   The following is a sample (edited for easier reading) output from FC,
   which shows there are four stealth objects:

---------------------------------------------------------------------------
ASCII differences between NDSTREE.1 and NDSTREE.2

After line 117 in NDSTREE.1 insert line 118 from NDSTREE.2
> CN=SU2.OU=Temp.O=DreamLAN (User)

After line 133 in NDSTREE.1 insert line 135 from NDSTREE.2
> CN=USER_TEMPLATE.O=HideMe (User)

After line 147 in NDSTREE.1 insert line 150 from NDSTREE.2
> O=HideMe.[Root] (Organization)

After line 170 in NDSTREE.1 insert line 174 from NDSTREE.2
> OU=Temp.O=DreamLAN (Organizational Unit)

Configuring NDSTree
-------------------
The registered version of NDSTREE.EXE supports the -Z command-line parameter
(which will generate a Security Equals report) and the -M command-line
parameter (which will generate a Match Object data file). By default, the -Z
option will report all objects that are SE to either a Server object or a
Volume object. However, you can create a SecEqual.CFG file that lists up to
10 different object classes for NDSTree to check. For example, you can
generate a report for objects that are SE to Server, Volume, and Profile
objects. The .CFG file needs to be in the current working directory.

The syntax of SecEqual.CFG is simple: one class name on each line. A line
starting with either ';' (semi-colon) or '#' (pound) is treated as a comment.
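Steps 6 and 7 of "Looking for Stealth Objects" above sort the two match files and FC them by hand. The following Python script is an added example, not code from the NDS ToolKit: it performs the same comparison on constructed sample match files laid out like the FC output ("DN (class)" per line) and also picks out the topmost hidden objects, which is where a defender would start checking IRFs. All function names and sample contents are my own.

```python
from typing import Dict, List

# Constructed sample match files (-m output of the workstation run and of the
# NLM run); not real NDSTree output. The NLM file has four extra entries.
NDSTREE_DAT = """\
O=DreamLAN (Organization)
CN=Admin.O=DreamLAN (User)
OU=NW4SG.O=DreamLAN (Organizational Unit)
CN=Test.OU=NW4SG.O=DreamLAN (User)
"""
NDSTREE2_DAT = """\
CN=SU2.OU=Temp.O=DreamLAN (User)
O=DreamLAN (Organization)
CN=USER_TEMPLATE.O=HideMe (User)
CN=Admin.O=DreamLAN (User)
O=HideMe.[Root] (Organization)
OU=NW4SG.O=DreamLAN (Organizational Unit)
OU=Temp.O=DreamLAN (Organizational Unit)
CN=Test.OU=NW4SG.O=DreamLAN (User)
"""

def parse_dat(text: str) -> Dict[str, str]:
    """Map DN -> class for each "DN (class)" line. A trailing '.[Root]' is
    dropped so both files spell top-level objects the same way."""
    objects = {}
    for line in text.splitlines():
        dn, sep, cls = line.strip().rpartition(" (")
        if not sep:
            continue                      # blank or malformed line
        if dn.endswith(".[Root]"):
            dn = dn[: -len(".[Root]")]
        objects[dn] = cls.rstrip(")")
    return objects

def stealth_objects(ws_text: str, nlm_text: str) -> List[str]:
    """Step 7 in code: entries the NLM listed from [Root] that the workstation
    run never saw, i.e. in NDSTREE.2 but not in NDSTREE.1 (returned sorted,
    so no separate SORT pass is needed)."""
    visible = parse_dat(ws_text)
    return sorted(dn for dn in parse_dat(nlm_text) if dn not in visible)

def hidden_roots(stealth: List[str]) -> List[str]:
    """The topmost stealth objects: their parent container is visible, so an
    IRF on these objects (rather than on the parent) is the first thing to
    check. Parent = DN after the first '.'; assumes no escaped '.' in RDNs."""
    hidden = set(stealth)
    return sorted(dn for dn in stealth if dn.partition(".")[2] not in hidden)
```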
The class name must match exactly (including spaces) that of the schema. You
can get a list of the class names in your schema using NDSCOUNT, a utility
that is also part of the NDS ToolKit.

Note that the -Z option is _not_ available for NDSTREE2.NLM.

Shown below is a sample output from NDSTREE.EXE using the -Z option:

---------------------------------------------------------------------------
NDSTREE Version MT-1.01 [s/n: DLAN951027r-DLAN]
DreamLAN Network Consulting Ltd. (c)Copyright 1995. All Rights Reserved.

Report file (SecEqual.RPT) generated on October 27, 1995 at 00:53:39

Searching from context <[Root]> and below.
SE Config file [SecEqual.CFG] used.

Objects with SE to the following object classes are flagged:
 1. --> Volume
 2. --> Messaging Server
 3. --> NCP Server
 4. --> Profile

NOTE: The 'Security Equalled To' object name is relative
----- to the 'source' object's context.

***************************************************************************

CN=DREAMLAN.OU=Toronto.O=North_America:
   SE --> CN=DREAMLAN_MSG (Messaging Server)

CN=Csadmin.OU=Consulting.OU=Toronto.O=North_America:
   SE --> CN=NW410B (NCP Server)

CN=Louvre+Bindery Type=543.OU=Toronto.O=North_America:
   SE --> CN=DREAMLAN (NCP Server)

CN=Admin.O=North_America:
   SE --> CN=DREAMLAN_MSG.OU=Toronto (Messaging Server)

CN=Tester.O=TopLevel:
   SE --> CN=DREAMLAN.OU=Toronto.O=North_America. (NCP Server)

*** End of Report ***

Registration
------------
In this trial version, the following options are disabled:

   -c  Continuous scroll of display
   -m  Generate compare data file
   -r  Generate report file
   -t  Show object types

You can register the software on CompuServe (!GO SWREG) for $99 US. Upon
receiving the registration information, you will be contacted via email for
the name of your NDS tree, which is used to key the NLM. To speed up the
process, you can send an email to the author after registration with the NDS
tree name. If you cannot register via CompuServe, you can FAX a Purchase
Order to (905) 886-2534. Please make sure you either include your tree name
information on the FAX or send a follow-up email. Canadian orders are $130
CDN plus GST. All other countries, please remit in US funds.

If you like NDSTREE.EXE but have no need for NDSTREE2.NLM, you can register
NDSTREE.EXE by itself for $10 US ($13 CDN plus GST for Canadian orders). This
will allow you to exercise the -Z command-line option.

Special site agreements for multiple trees and service providers are
available. The license does not grant you the right to resell the program
(i.e. for a profit; but you can charge the customer a service charge for your
time). If you are a service provider, you can register copies on behalf of
your customers (by providing your customer's mailing information -- this is
used only for tracking purposes). At the same time, we ask you to send us a
separate email indicating that you are registering on behalf of your
customer, and indicate in this email whether further software upgrades (free
or for a charge) should be sent to you or to the customer directly, and an
email address for that purpose.

Other Information
-----------------
NDSTREE is written in C using the Microsoft C optimizing compiler and
Novell's Client SDK v1.0e. Some string manipulation routines are from the CXL
library. NDSTREE2 is written using the Watcom C compiler and Novell's NLM SDK
Volume 5.

Revision History
----------------
Oct 15, 1995. Version MT-1.00/PK-1.00, first released code.
Oct 27, 1995. Version MT-1.01/PK-1.00. Added "Security Equals" check into
              NDSTREE.EXE.
Nov 03, 1995. Version MT-1.01/PK-1.01. Added "ThreadSwitchWithDelay" call
              into NDSTREE2.NLM for better screen and keyboard handling.
Nov 05, 1995. Version MT-1.01/PK-1.02. Added check for NDS tree name to
              NDSTREE2.NLM.
Jan 14, 1996. Version MT-1.01/PK-1.03. Added more comments for internal use.
May 10, 1996. Version MT-1.01/PK-2.01. Changed the way licensing information
              is handled by the NLM.
Feb 16, 1997. Version MT-1.10/PK-2.10. Added tree check to .EXE.
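For the -Z report in the "Configuring NDSTree" section above, the following Python script is an added example, not code from the NDS ToolKit: it reads a SecEqual.CFG under the rules given there (one class per line, ';' or '#' comments, at most 10 entries, exact match), and turns the relative "SE -->" names of a SecEqual.RPT into full DNs so each flagged target can be looked up. The trailing-period handling follows NDS naming practice (each trailing '.' drops one more component of the source's context) and is an assumption; the README only says the name is relative. Function names, the report excerpt and the CFG text are constructed.

```python
"""Resolve the relative 'SE -->' names in a SecEqual.RPT to full DNs and apply
a SecEqual.CFG class list. Added example, not code from the NDS ToolKit.
Assumed (NDS naming practice, not stated in the README): each trailing '.' on
a relative name drops one more component of the source object's context."""
import re
from typing import List, Tuple

# Constructed -Z report excerpt and SecEqual.CFG (not real NDSTree output).
SECEQUAL_RPT = """\
CN=Csadmin.OU=Consulting.OU=Toronto.O=North_America:
   SE --> CN=NW410B (NCP Server)
CN=Admin.O=North_America:
   SE --> CN=DREAMLAN_MSG.OU=Toronto (Messaging Server)
CN=Tester.O=TopLevel:
   SE --> CN=DREAMLAN.OU=Toronto.O=North_America. (NCP Server)
"""
SECEQUAL_CFG = "; servers only\nNCP Server\n# Messaging Server\n"
SE_LINE = re.compile(r"^\s*SE --> (.+?) \((.+)\)\s*$")

def load_cfg(text: str, limit: int = 10) -> List[str]:
    """One class name per line; lines starting with ';' or '#' are comments;
    at most `limit` names; kept verbatim because the match must be exact."""
    names = [ln for ln in text.splitlines() if ln and ln[0] not in ";#"]
    return names[:limit]

def resolve(relative: str, context: str) -> str:
    """Each trailing '.' on the relative name drops one leading component of
    the context; what remains of the context is appended."""
    stripped = relative.rstrip(".")
    ups = len(relative) - len(stripped)
    parts = context.split(".")[ups:] if context else []
    return ".".join([stripped] + parts)

def security_equals(report: str) -> List[Tuple[str, str, str]]:
    """(source DN, full target DN, target class) for every SE line."""
    results, source = [], None
    for line in report.splitlines():
        if line.endswith(":") and not line.startswith(" "):
            source = line[:-1]                    # start of a source block
            continue
        m = SE_LINE.match(line)
        if m and source is not None:
            context = source.partition(".")[2]    # source DN minus its RDN
            results.append((source, resolve(m.group(1), context), m.group(2)))
    return results

def flagged(report: str, cfg_text: str) -> List[Tuple[str, str]]:
    """(source, full target) pairs whose target class is listed in the CFG."""
    wanted = load_cfg(cfg_text)
    return [(s, t) for s, t, c in security_equals(report) if c in wanted]
```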