allanchen
How can I manage network share permissions on a server outside of a Novell network?

Hello Experts, I am in a bit of a pickle.  I am stuck putting a file server into a network utilizing Novell.  Effectively, the file server is sitting in a workgroup by itself.  Eventually, this network will become a domain and all my problems will be solved, but I need to find an interim solution.

I have an app that requires access to the shares on my fileserver, however, I do not want the user to have any rights to this share.  Typically (in a domain), I would setup a domain service account and script my app to run as this "service account".  However, I can't do this due to Novell.

I can think of a few ways to potentially get by.

1. run a net use to provide credentials to the share.  I want to avoid this because if the user knows the share name or runs a net use, they can get access to the share.

2. Create matching user/passwords across all of the PCs that need access.  This should trick NTLM into allowing access to the shares.  Then script the app to runas this common user.

3. Create a local service account and cache the share credentials.  Then script the app to runas the local service account.

Of course, if there is a way to automate the process, that would be a huge plus.  Keep in mind that I am a Novell idiot, and I am looking for a general direction I should go before jumping into the rabbit hole.  Any help is greatly appreciated!
Bud Durland

It would help to know the version of NetWare you are dealing with.

For the record, NetWare does not use the concept of "shares".  A NetWare server mounts volumes, and USERS are given access rights to the folders and files on that volume.  The authentication process for NetWare is quite different "under the hood" than for Windows, and to access any resources on the NetWare server you will need to install the Novell network client for your workstation's operating system.  Once the client is installed, users (humans) can log in to the server to access resources.

Generally speaking, there's no such thing as a "service account"; programs running as a service in a Windows box cannot access the NetWare server.  I think your program can connect to the server and present log in credentials programmatically.  The Novell developer forums can be of help there.

Newer versions of NetWare offer CIFS, which allows you to configure a share-like facility on a NetWare server, and access it via Windows networking.
elf_bin

Your wording is a little confusing.  Let's see if I understand you correctly.  In your environment you are running a Novell NetWare based file and print service.  You now wish to implement a Windows server running some application.  You cannot make this Windows server a domain controller (for some reason that you've never explained).  Your application requires access to some shares on this newly installed Windows server.  The problem is that you cannot authenticate and access the Windows shares as you're not in a domain?????  WTH?  Your application needs to access some shares.  Your application needs to run as somebody.  Make them one and the same.  Set up a local (workgroup) account (called say app) and make the shares available only to app.  Done.  Or perhaps I don't understand.
Please explain.
allanchen (ASKER)
Bud,
NetWare version I will have to get back to the client site for (I have not been allowed remote access yet).  I will post it as soon as I can get it.

From my tinkering, the NetWare computers can see the shares just like if they were on a workgroup.  I just need to type in some valid credentials when Windows prompts me, and I can get into the share just fine (also with the security I apply to the account).

Also, I did a bad job of explaining "my app".  This app is required by the customer, but written by another party.  While it is possible to get it changed, it is not something that I can do personally.  This app assumes that the user environment has access to the network shares, thus my use of a script (I am using AutoIT) to RunAs.

The app is an executable, and by "service account", I just mean another user account that I am using to store the user credentials to access the share (because I do not want the general users to have any access to the shares).

I hope that clarified it a bit.
NetWare 6.5 can see CIFS shares (if they're enabled) pretty much like a workgroup - the difference being that you authenticate against Novell's eDirectory (as opposed to Microsoft Active Directory).  eDirectory requires Simple Passwords (or more specifically these days, universal password) to be enabled, this'll allow eDirectory to compare the NTLM hash given by the client with what's stored on the server.
Does that help?

elf,
As of right now, I am using just workgroup CIFS/SMB to access the shares (e.g. open the share with Run and type in an account with the correct permissions).

The client I am working for is in public safety, and I am not the IT admin (just a lowly subcontractor).  While I was assured that this would get migrated to AD/Windows domain, I am not counting on that happening anytime soon.  I am not permitted to change their general network infrastructure and am limited in the configuration I can change on their department PCs.

You are correct in your suggestion about making a shared "app" account.  This is what I have done.  However, I need the app to run under any account, but not have access to the shares.

My #2 guess in the original question was to:
"Create matching user/passwords across all of the PCs that need access.  This should trick NTLM into allowing access to the shares.  Then script the app to runas this common user."

So... I am trying to get a 2nd opinion on whether this will work before I start banging on my clients computers.

Essentially:
1. Create a matching (workgroup) account called "App" across all client (Novell) computers.
2. Create a matching account on my Server (not Novell).
3. Restrict rights on the shares for access only to the "App" account.
4. Script the application to RunAs the account "App".  (I will use AutoIT for this)

This will work right?

Also, I can give my customer a VBS file to create a local user, right?  It should run just fine as a startup script in Novell?

I am also increasing the point value of this question!
elf, we cross posted there!

But in response to your 2nd post, do you mean that if I create a local account on eDirectory that matches a local account on my server, the credentials will pass just fine?

In my experience with Novell, the eDirectory account doesn't actually exist on the local computer until I log in one time (and it does that Windows profile creation that takes forever).  Of course, it wouldn't be the first time that I was wrong.

If I can just have their admin create an eDirectory account to match my local server account (with share permissions), that seems like it would be the easiest thing to do!
ASKER CERTIFIED SOLUTION
elf_bin

Elf,

I am actually trying to connect to a Windows share from a NetWare client.  But regardless, I think you have given me a lot of relevant information.

I will be able to access the server on Monday and I will try the following.

1. Insert startup VBS to Netware client PC to create local user "APP"
2. Create local user "APP" on the (workgroup) Server, with permissions to \\SERVER\SHARE
3. Create script to run the application under the "APP" account.
4. Hopefully witness the application run OK, even though the account that ran the shortcut has no rights to \\SERVER\SHARE

I'll let you know what happens.
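The plan the asker lays out above (matching local "App" account on server and clients, share restricted to that account, application launched as "App") is the same scheme as steps 1-4 in the earlier post. As an added example that is not from this thread or the asker's AutoIT/VBS scripts, here is that scheme in PowerShell on a workgroup Windows machine. It assumes the share folder `D:\AppShare`, the share name `SHARE` (the thread's `\\SERVER\SHARE`), and the application path `C:\App\app.exe`; none of those come from the page. The `LocalAccounts` and `SmbShare` cmdlets need Windows 10 / Server 2016 or later; on the NetWare-era clients in the thread the equivalents are `net user` and `net share`.

```powershell
# Added example, not from the thread: the "App" account scheme the asker outlines,
# scripted for a workgroup (non-domain) Windows server and its clients.
# Assumed values (not from the page): D:\AppShare, SHARE, C:\App\app.exe.
# The password is supplied at deploy time, never hard-coded in this file.

# ---- Server side: run once on the workgroup file server ----
function New-AppShare {
    param(
        [string]$AccountName = "App",
        [securestring]$Password,
        [string]$SharePath  = "D:\AppShare",   # assumed folder
        [string]$ShareName  = "SHARE"          # \\SERVER\SHARE in the thread
    )

    # 1. Local account that exists only to own the share. Password never expires
    #    so the matching client accounts cannot drift out of sync.
    if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $AccountName -Password $Password `
            -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires `
            -Description "Application share account (workgroup)" | Out-Null
    }

    if (-not (Test-Path $SharePath)) {
        New-Item -ItemType Directory -Path $SharePath | Out-Null
    }

    # 2. NTFS ACL: break inheritance, then grant only SYSTEM, Administrators and App.
    #    The interactive user who launches the shortcut gets no entry at all.
    $acl = Get-Acl -Path $SharePath
    $acl.SetAccessRuleProtection($true, $false)   # protect; do not copy inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
    foreach ($entry in @(
        @{ Id = "NT AUTHORITY\SYSTEM";                  Rights = "FullControl" },
        @{ Id = "BUILTIN\Administrators";               Rights = "FullControl" },
        @{ Id = "$env:COMPUTERNAME\$AccountName";       Rights = "Modify" }
    )) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Id, $entry.Rights, $inherit, "None", "Allow")
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $SharePath -AclObject $acl

    # 3. Share ACL: naming -FullAccess explicitly means no "Everyone / Read" default.
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $SharePath `
            -FullAccess "$env:COMPUTERNAME\$AccountName" | Out-Null
    }
}

# ---- Client side: create the matching account (the asker's VBS startup-script step) ----
function New-MatchingClientAccount {
    param([string]$AccountName = "App", [securestring]$Password)
    if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $AccountName -Password $Password `
            -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires | Out-Null
    }
    # Workgroup NTLM pass-through only works while username AND password match
    # on both machines, so re-apply the password on every run.
    Set-LocalUser -Name $AccountName -Password $Password
}

# ---- Client side: launch the application as App (the AutoIT RunAs step) ----
function Start-AppAsServiceUser {
    param([string]$AccountName = "App", [securestring]$Password,
          [string]$AppPath = "C:\App\app.exe")   # assumed path
    $cred = New-Object System.Management.Automation.PSCredential(
        "$env:COMPUTERNAME\$AccountName", $Password)
    # The process runs under App's token, so the SMB session to \\SERVER\SHARE is
    # App's; the logged-on user never receives a mapping or a cached connection.
    Start-Process -FilePath $AppPath -Credential $cred `
        -WorkingDirectory (Split-Path $AppPath)
}

# Usage (password read at deploy time):
# $pw = Read-Host -AsSecureString "Password for App"
# New-AppShare -Password $pw               # on the server
# New-MatchingClientAccount -Password $pw  # on each client PC
# Start-AppAsServiceUser -Password $pw     # from the shortcut / launcher
```

Two design points follow from the thread's own concern about option 1 (`net use`): launching the process with `-Credential` avoids leaving a drive mapping the interactive user can browse, and both the share ACL and the NTFS ACL name only `App`, so a user who learns the share name still gets access denied. Whatever launcher holds the `App` password (the AutoIT script here) becomes the real boundary, so its file ACL should be as tight as the share's.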
Install the Novell client, set up the main tab to log into your NetWare server, hit the advanced button and set up the Windows tab to log in as the username on the local machine. If you match the usernames and passwords between the Novell client and the local workstation you'll only get one login prompt, but Novell will pass the login info on to Windows. So - you'll wind up with full NDS authentication and a connection to your local workstation as whatever user you desire. You can also set a batch file called from the Novell login script to do your net use as whatever limited user you want to insert without the user ever being aware the net use was run.

You can also use the Windows tab to connect to a domain rather than a local workstation if you desire.

Am I missing something here? It sounds simple to me, so I must be all wet, as you sound like you know what you're doing!