How can I manage network share permissions on a server outside of a Novell network?

Hello Experts, I am in a bit of a pickle.  I am stuck putting a file server into a network utilizing Novell.  Effectively, the file server is sitting in a workgroup by itself.  Eventually, this network will become a domain and all my problems will be solved, but I need to find an interim solution.

I have an app that requires access to the shares on my fileserver, however, I do not want the user to have any rights to this share.  Typically (in a domain), I would setup a domain service account and script my app to run as this "service account".  However, I can't do this due to Novell.

I can think of a few ways to potentially get by.

1. run a net use to provide credentials to the share.  I want to avoid this because if the user knows the share name or runs a net use, they can get access to the share.

2. Create matching user/passwords across all of the PCs that need access.  This should trick NTLM into allowing access to the shares.  Then script the app to runas this common user.

3. Create a local service account and cache the share credentials.  Then script the app to runas the local service account.

Of course, if there is a way to automate the process, that would be a huge plus.  Keep in mind that I am a Novell idiot, and I am looking for a general direction I should go before jumping into the rabbit hole.  Any help is greatly appreciated!

BudDurland (Director of IT) commented:
It would help to know the version of NetWare you are dealing with.

For the record, NetWare does not use the concept of "shares".  A NetWare server mounts volumes, and USERS are given access rights to the folders and files on that volume.  The authentication process for NetWare is quite different "under the hood" than for Windows, and to access any resources on the NetWare server you will need to install the Novell network client for your workstation's operating system.  Once the client is installed, users (humans) can log in to the server to access resources.

Generally speaking, there's no such thing as a "service account"; programs running as a service in a Windows box cannot access the NetWare server.  I think your program can connect to the server and present log in credentials programmatically.  The Novell developer forums can be of help there.

Newer versions of NetWare offer CIFS, which allows you to configure a share-like facility on a NetWare server and access it via Windows networking.

Your wording is a little confusing.  Let's see if I understand you correctly.  In your environment you are running a Novell Netware based file and print service.  You now wish to implement a Windows server running some application.  You can not make this Windows server a domain controller (for some reason that you've never explained).  Your application requires access to some shares on this newly installed Windows server.  The problem is that you can not authenticate and access the Windows shares as you're not in a domain?????  WTH?  Your application needs to access some shares.  Your application needs to run as somebody.  Make them one and the same.  Setup a local (workgroup) account (called say app) and make the shares available only to app.  Done.  Or perhaps I don't understand.
Please explain.
allanchen (Author) commented:
Netware version I will have to get back to the client site (I have not been allowed remote access yet).  And I will post as soon as I can get it.

From my tinkering, the Netware computers can see the shares just like if they were on a workgroup.  I just need to type in some valid credentials when Windows prompts me, and I can get into the share just fine (also with the security I apply to the account).

Also, I did a bad job of explaining "my app".  This app is required by the customer, but written by another party.  While it is possible to get changed, it is not something that I can do personally.  This app assumes that the user environment has access to the network shares, thus my use of a script (I am using AutoIT) to RunAs.

The App is an executable, and by "Service account", I just mean another user account that I am using to store the user credentials to access the share (because I do not want the general users to have any access to the shares)

I hope that clarified it a bit.

NetWare 6.5 can see CIFS shares (if they're enabled) pretty much like a workgroup - the difference being that you authenticate against Novell's eDirectory (as opposed to Microsoft Active Directory).  eDirectory requires Simple Passwords (or more specifically these days, universal password) to be enabled, this'll allow eDirectory to compare the NTLM hash given by the client with what's stored on the server.
Does that help?

allanchen (Author) commented:
As of right now, I am using just workgroup CIFS/SMB to access the shares (e.g. open the share with Run and type in an account with the correct permissions).

The client I am working for is in public safety, and I am not the IT Admin (just a lowly subcontractor).  While I was assured that this would get migrated to AD/Windows Domain, I am not counting on that happening anytime soon.  I am not permitted to change their general network infrastructure and am limited in the configuration I can change on their department PCs.

You are correct in your suggestion about making a shared "app" account.  This is what I have done.  However, I need the app to run under any account, but not have access to the shares.

My #2 guess in the original questions was to:
"Create matching user/passwords across all of the PCs that need access.  This should trick NTLM into allowing access to the shares.  Then script the app to runas this common user."

So... I am trying to get a 2nd opinion on whether this will work before I start banging on my clients computers.

1. Create a matching (workgroup) account called "App" across all client (Novell) computers.
2. Create a matching account on my Server (not Novell).
3. Restrict rights on the shares for access only to the "App" account.
4. Script the application to RunAs the account "App".  (I will use AutoIT for this)

This will work right?

Also, I can give my customer a vbs file to create a local user right?  Should run just fine as a startup script in Novell?  

I am also increasing the point value of this question!
allanchen (Author) commented:
elf, we cross-posted there!

But in response to your 2nd post, do you mean that if I create a local account on eDirectory that matches a local account on my server, the credentials will pass just fine?

In my experience with Novell, the eDirectory account doesn't actually exist on the local computer until I log in one time (and it does that Windows profile creation that takes forever).  Of course, it wouldn't be the first time that I was wrong.

If I can just have their admin create an eDirectory account to match my local server account (with share permissions), that seems like it would be the easiest thing to do!
All this depends on the version of Netware you have:
Netware 6.0 SP2 and above can do NTLMv2 hashes (simple password required).
Netware 6.5 can do SMB signing (simple password required).
Both these properties are on by default in Windows 2003 (see M$ article about why Netware 6 won't work here:
When you connect to a Netware CIFS server from a Windows client, you'll transmit authentication details in the form of an NTLM hash (I'm ignoring the handshake stuff like which version to use and whether we should sign all packets and so on).  This hash is then received by the target Netware CIFS server (assuming networking is okay and works as expected).  Netware then retrieves the SIMPLE PASSWORD (specifically the Universal Password in Netware 6.5), not the NDS PASSWORD, from eDirectory (we find these attributes by using the naming attribute defined in eDirectory, i.e. their login name; by default CN=) and computes an NTLM hash over it.  The hash received from the network and the newly computed hash are compared.  If they match you are authenticated and a principal is established; if not, login denied messages and the like are sent back to the client.
Hopefully that clears it up for you.

You said: "In my experience with Novell, the eDirectory account doesn't actually exist on the local computer until I log in one time (and it does that Windows profile creation that takes forever).  Of course, it wouldn't be the first time that I was wrong."
Yes, this is kind of true.  Netware by itself does not have "control" over the clients as it does not use Kerberos (it can, but does not by default), so clients are not "imported" into eDirectory by default.  Novell ZENworks (a stripped-down version is often bundled with Netware) is kind of like SMS but has this thing called Dynamic Local User.  DLU will create a Windows profile and add the authentication details to the local Windows client at login (the time it takes to create a profile can be very small if you make a default profile that is small; likewise for large).  There are options to manage existing accounts: if the local account exists but has a different password (say, because I changed the password on a different machine), then DLU will overwrite that existing local account with your new password.
Hope that helps clear it up a bit.

Hope this helps.

allanchen (Author) commented:

I am actually trying to connect to a Windows share from a Netware client.  But regardless, I think you have given me a lot of relevant information.

I will be able to access the server on Monday and I will try the following.

1. Insert startup VBS to Netware client PC to create local user "APP"
2. Create local user "APP" on the (workgroup) Server, with permissions to \\SERVER\SHARE
3. Create script to run the application under the "APP" account.
4. Hopefully witness the application run OK, even though the account that ran the shortcut has no rights to \\SERVER\SHARE

I'll let you know what happens.
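The four-step plan above (matching local "App" account on every client and on the server, share and NTFS rights granted only to that account, the application launched as "App") as one worked script. This is an added example written for this page, not code from the thread or from any of its participants; the account name, password, share name, share path and application path are placeholders, and it assumes Windows Vista/Server 2008 or later so that `net share /grant` and `icacls` are available (on Windows Server 2003 the share permissions would have to be set in the share's properties dialog instead).

```batch
@echo off
setlocal
rem Added example, not from this thread. Provisions the shared local "App"
rem account and the locked-down share described in the plan above.
rem All values below are placeholders; change them before use.
rem Assumes Windows Vista/Server 2008 or later (net share /grant, icacls).
rem   setup-app-account.cmd client   - run once on each workgroup client PC
rem   setup-app-account.cmd server   - run once on the file server
rem   setup-app-account.cmd app      - launch the application as App
set "APP_USER=App"
set "APP_PASSWORD=PLACEHOLDER-change-before-use"
set "SHARE_NAME=AppData"
set "SHARE_PATH=D:\AppData"
set "APP_EXE=C:\Program Files\Vendor\App.exe"

if /i "%~1"=="client" goto account
if /i "%~1"=="server" goto account
if /i "%~1"=="app"    goto app
echo Usage: %~nx0 client ^| server ^| app
exit /b 1

:account
rem Steps 1 and 2: the same user name AND password must exist on every
rem client and on the server. Workgroup NTLM authentication only passes
rem through when both match exactly; any drift shows up as "access denied".
net user "%APP_USER%" >nul 2>&1
if errorlevel 1 (
    net user "%APP_USER%" "%APP_PASSWORD%" /add /passwordchg:no /expires:never /comment:"Shared application account"
) else (
    rem Account already present: re-sync the password so it keeps matching.
    net user "%APP_USER%" "%APP_PASSWORD%"
)
rem Keep the local maximum-password-age policy from expiring this password
rem on one machine only, which would silently break pass-through there.
wmic useraccount where "name='%APP_USER%'" set PasswordExpires=false >nul
if /i "%~1"=="client" exit /b 0

rem Step 3 (server only): share and NTFS permissions restricted to App.
if not exist "%SHARE_PATH%" mkdir "%SHARE_PATH%"
net share %SHARE_NAME% /delete >nul 2>&1
net share %SHARE_NAME%="%SHARE_PATH%" /grant:%APP_USER%,CHANGE
rem Drop inherited ACEs so Users/Everyone get nothing; grant App (modify),
rem plus Administrators and SYSTEM (full) for administration and backup.
icacls "%SHARE_PATH%" /inheritance:r /grant:r "%APP_USER%:(OI)(CI)M" "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F"
exit /b 0

:app
rem Step 4: run the vendor application as App from the ordinary user's
rem session. runas.exe has no password switch; /savecred stores the
rem credential in the launching user's vault after the first prompt
rem (the thread's AutoIT RunAs is the alternative). Note that once saved,
rem /savecred lets that user start any program as App, not only this one.
runas /user:%APP_USER% /savecred "\"%APP_EXE%\""
exit /b %errorlevel%
```

To confirm the restriction actually holds, log on to a client as an ordinary user and run `dir \\SERVER\AppData`, which should fail with access denied, then run `runas /user:App "cmd /k dir \\SERVER\AppData"`, which should list the share. Two caveats follow directly from the design: the password sits in clear text in this script, so anyone who can read the startup script learns the App credential (the same exposure the question's option 1 worried about), and every client holding that account is a place where the password can be changed out of step, so the `wmic` line and the re-sync branch exist to keep the copies identical.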
Install the Novell client, set up the main tab to log into your Netware server, hit the Advanced button and set up the Windows tab to log in as the username on the local machine. If you match the usernames and passwords between the Novell client and the local workstation you'll only get one login prompt, but Novell will pass the login info on to Windows. So you'll wind up with full NDS authentication and a connection to your local workstation as whatever user you desire. You can also set a batch file called from the Novell login script to do your net use as whatever limited user you want to insert, without the user ever being aware the net use was run.

You can also use the Windows tab to connect to a domain rather than a local workstation if you desire.

Am I missing something here? It sounds simple to me, so I must be all wet, as you sound like you know what you're doing!