Managing and troubleshooting resources in a NetWare network


Ch19: Managing and Troubleshooting
Resources in a NetWare network
Unit objectives
• Discuss user and group management
• Identify the methods for implementing file
system security
• Discuss user account restrictions
• Discuss NDS context
• Describe NetWare log files
• Use monitoring and management tools
Topic A
• User and group management
• Rights and trustee assignments
• User account restrictions
• NDS/eDirectory context
• NetWare log files
• Using monitoring and management tools
User management
• You can use the NetWare ConsoleOne or
iManager (web-based) utilities to create,
delete, rename, and manage User objects in
an NDS Directory tree
– Old version was the “NetWare Administrator Utility.”
• You can also view and modify a User object’s
properties and associated values
The New User dialog box in ConsoleOne
Viewing user information
3 ways to do this:
1. Double-click the object’s icon in the
Directory tree
2. Right-click the object and choose Properties
3. Click to select the object and choose File,
Properties
Creating users with iManager
• Web-based management utility
– http://server_IP_address/nps/iManager.html
• Supported browsers:
– Internet Explorer 6 SP1 or later
– Netscape 7.1 or later
– Mozilla 1.4 or later
The Create User pane in iManager
Group management
• You can use either ConsoleOne or iManager
• You can also view and modify a Group object’s
properties, members, and associated values
Activity A-1 (page 19-7): Discussing user and group management
Topic B: Rights and trustee assignments
Rights and trustee assignments
• The NetWare file system is one of the most frequently accessed network resources
• A comprehensive file system security plan covers file and directory access security and trustee assignments
– A trustee assignment grants a set of rights; what a user actually ends up with depends on to whom the assignment is made:
• Directly to the user
• To a group the user belongs to
• To a container the user’s object sits in
• Or the rights can be inherited from a parent directory
• Inherited rights can in turn be blocked by an Inherited Rights Filter (IRF)
File system rights
• Determine the type of directory and file
access available to a user
• Users must be granted rights to file system
resources before they’re able to access
directories and files
• The following is a list of the available NetWare
directory trustee rights:
– Supervisor (S)
• Grants all rights to a directory and overrides any restrictions
placed on subdirectories or files with an Inherited Rights Filter
continued
File system rights
– Read (R)
• Permits the user to view file contents or execute a file
– Write (W)
• Grants the right to open a file and write to or modify the
contents of a file
– Create (C)
• Permits the user to create files or subdirectories
– Erase (E)
• Grants the right to delete a directory, its subdirectories, and
files
continued
File system rights
– Modify (M)
• Permits the user to change directory and file attributes,
including the directory, subdirectory, and filenames
• This doesn’t permit the user to modify the contents of a file
– File Scan (F)
• Grants the right to see subdirectories and files when the user
views directory contents, as with dir or ndir
– Access Control (A)
• Permits the user to modify trustee rights and the Inherited
Rights Filter (IRF) for a directory
• Just to repeat here; if you want to change the Inherited Rights
Filter (IRF), you must have Access Control rights!
Trustees and explicit trustee assignments
• Trustee rights are granted to users, groups,
or NDS / eDirectory container objects to give
specific access privileges to directories,
subdirectories, and files
• Explicit trustee rights are those granted
directly to an object at any level of the file
system
– This overrides rights that would be inherited by that
object
Inherited Rights: the Inherited Rights Filter
• The Inherited Rights Filter (IRF) restricts the inheritance of trustee rights into a particular subdirectory or file
– Every directory, subdirectory, and file has an IRF
– IRFs aren’t user-specific: a filter affects every trustee whose rights would flow in by inheritance (explicit assignments made on that directory itself are not filtered)
– By default, no rights are blocked by the IRF
• When an IRF has been altered to block rights inheritance, the filter is referred to as a “restrictive IRF”
• The file system Supervisor right cannot be blocked by an IRF
– This differs from NDS/eDirectory, where an IRF can block the Supervisor object right; reason about file system rights and Directory rights separately
Activity B-1 (page 19-10): Discussing file system security
Effective rights
• Effective rights determine a user’s actual access to any directory, subdirectory, or file
– They are the combination of all rights granted through trustee assignments (to the user, its groups, and its containers), minus those blocked by Inherited Rights Filters
– A user has no rights in a directory unless some trustee assignment (user, group, or container) grants them, directly or by inheritance
– Rights systems can be divided into those where you start out with all rights, which are then limited in various ways, and those where you begin with no rights and are granted only the rights you need
– NetWare is an example of the latter: a default-deny model
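The rules above can be written down as a small calculator. The following is an added example, not code from the course or from Novell; the volume layout, trustee names and rights assignments in it are constructed. It applies the slides’ rules in order: an explicit trustee assignment on a directory replaces whatever that trustee would have inherited there, inherited rights are masked by the directory’s IRF, the file system Supervisor right passes through any IRF and implies every other right, and a user’s effective rights are the union over the user object and every group or container it gets rights through. The has_rights helper is the minimum-rights check the next slide talks about.

```python
"""Effective-rights calculator for a NetWare-style file system.

Constructed example, not Novell's code.  Rules implemented: rights come only
from trustee assignments (user, group or container); an explicit assignment on
a directory replaces what that trustee would have inherited there; inherited
rights are masked by the directory's Inherited Rights Filter (IRF); the
Supervisor right grants everything and cannot be filtered; effective rights are
the union over the user and every object the user gets rights through.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional

ALL_RIGHTS: FrozenSet[str] = frozenset("SRWCEMFA")


@dataclass
class Directory:
    name: str
    parent: Optional["Directory"] = None
    irf: FrozenSet[str] = ALL_RIGHTS                      # default IRF blocks nothing
    trustees: Dict[str, FrozenSet[str]] = field(default_factory=dict)

    def path(self) -> str:
        return self.name if self.parent is None else self.parent.path() + "\\" + self.name


def trustee_rights(d: Directory, trustee: str) -> FrozenSet[str]:
    """Rights one trustee holds in d: explicit assignment, else filtered inheritance."""
    if trustee in d.trustees:
        return d.trustees[trustee]                         # explicit assignment wins
    if d.parent is None:
        return frozenset()                                 # no assignment anywhere above
    inherited = trustee_rights(d.parent, trustee)
    if "S" in inherited:
        return inherited                                   # an IRF cannot block Supervisor
    return inherited & d.irf                               # IRF masks inherited rights


def effective_rights(d: Directory, user: str, memberships: Iterable[str] = ()) -> str:
    """Union of the user's own rights and those of its groups/containers, as [SRWCEMFA]."""
    rights = set()
    for trustee in (user, *memberships):
        rights |= trustee_rights(d, trustee)
    if "S" in rights:
        rights = set(ALL_RIGHTS)                           # Supervisor implies all rights
    return "".join(r for r in "SRWCEMFA" if r in rights)


def has_rights(d: Directory, user: str, memberships: Iterable[str], needed: str) -> bool:
    """Minimum-rights check, e.g. has_rights(d, u, groups, 'RF') to copy from a directory."""
    return set(needed) <= set(effective_rights(d, user, memberships))


def build_sample_tree() -> Dict[str, Directory]:
    """Constructed SYS: layout: group and user trustees on DATA, a restrictive IRF on REPORTS."""
    root = Directory("SYS:", trustees={".admin.Acme": frozenset("S")})
    data = Directory("DATA", root, trustees={
        ".Sales.Acme": frozenset("RF"),                    # group: read and scan only
        ".bob.Sales.Acme": frozenset("RWCF"),              # bob may also write and create
    })
    reports = Directory("REPORTS", data, irf=ALL_RIGHTS - frozenset("WC"))  # blocks W and C
    private = Directory("PRIVATE", reports, trustees={
        ".bob.Sales.Acme": frozenset("RWCEMFA"),           # explicit grant below the IRF
    })
    return {d.name: d for d in (root, data, reports, private)}


if __name__ == "__main__":
    tree = build_sample_tree()
    for name in ("DATA", "REPORTS", "PRIVATE"):
        d = tree[name]
        print(d.path(),
              "bob:", effective_rights(d, ".bob.Sales.Acme", [".Sales.Acme"]),
              "carol:", effective_rights(d, ".carol.Sales.Acme", [".Sales.Acme"]),
              "admin:", effective_rights(d, ".admin.Acme"))
```

Running it shows the two points that trip people up in practice: bob loses W and C in REPORTS even though he holds them in DATA, because the IRF strips them on the way down, yet regains everything in PRIVATE through an explicit assignment that the IRF above it never sees; and admin’s Supervisor right walks straight through the restrictive IRF.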
Minimum rights requirements
• Read from a file
• Execute a file
• See a file
• Search a directory
• Create and write to a file
• Copy files (source)
• Copy files (destination)
• Remove an empty subdirectory
• Delete a file
• Change directory and file attributes
• Change file or directory name
• Change Inherited Rights Filter
• Add or modify trustee assignments
• Modify disk space assignment
• Move a file
Activity B-2 (page 19-12): Discussing rights and trustee assignments
Topic C: User account restrictions
User account restrictions
• Authentication
– A part of NetWare’s login security that’s managed transparently to the user and the network administrator
– Occurs at login time, guaranteeing valid logins and preventing transmission of passwords across the network
– Important because it ensures that only valid users have access to the network
– On “transparency”:
• Authentication is session-oriented and the client’s signature is only valid for the duration of the current session
• Ongoing (background) authentication is transparent to users and takes place as required when users access other services
• Only during login (user ID and password exchange) is the user aware of authentication
Login restrictions
• Login restrictions are used to:
– Enable or disable user accounts
– Set an account expiration date
– Limit the number of concurrent connections for a user
• The various items in the Login Restrictions
properties page are:
– Account disabled
– Account has expiration date
– Limit concurrent connections
– Last login
Login restrictions (continued)
• An example of the Login restrictions page:
Password restrictions
• Ensure that users have passwords
• Control whether users can change their
passwords
• Set a minimum password length
• Force periodic password changes
• Set a password expiration date
• Make unique passwords
• Limit grace logins
– A “grace login” is a login permitted after the password has
expired
Password restrictions (continued)
• An example of the Password Restrictions page
Login time restrictions
• An example of the Login Time Restrictions page:
Network address restrictions
• The Network Address Restrictions properties page lets the network administrator restrict where a user may log in from: to specific network addresses (for example a given IPX network/node address or IP address), listed per communications protocol
– An address restriction limits where the account can be used, but addresses can be spoofed; treat it as a supplement to password and intruder-detection controls, not a replacement
Intruder detection
• Helps network administrators determine when an unauthorized individual has tried to access the network, by counting incorrect login attempts against an account
• The Intruder Detection properties page contains the following options:
– Detect intruders
– Incorrect login attempts (how many failures count as an intrusion)
– Intruder attempt reset interval (how long the failure count is kept before it is reset)
– Lock account after detection
– Length of account lockout
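The password restrictions and intruder detection settings above interact in ways that are easiest to see by replaying a timeline. The following is an added example, not Novell code and not part of the course; it is a simulation of the policy, with all passwords, timestamps and option values constructed. It models the Password Restrictions page (minimum length, unique passwords, forced change with grace logins), the Intruder Detection page (incorrect-attempt counter, reset interval, lockout after detection, lockout length) and the account-disabled and expiration checks from Login Restrictions. One detail the slides leave open is assumed: the bad-attempt counter resets once the reset interval has elapsed since the last bad attempt.

```python
"""Simulation of NetWare-style user account restrictions.

Constructed example, not Novell code.  Models the Password Restrictions page
(minimum length, unique passwords, forced change with grace logins), the
Intruder Detection page (incorrect-attempt counter with a reset interval,
lockout after detection) and the disabled/expiration checks from Login
Restrictions.  Time is plain seconds supplied by the caller so a timeline can
be replayed deterministically.  Assumption: the bad-attempt counter resets when
the reset interval has elapsed since the last bad attempt.
"""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

DAY = 24 * 60 * 60


@dataclass
class AccountPolicy:
    minimum_password_length: int = 8
    require_unique_passwords: bool = True        # "Make unique passwords"
    password_lifetime: int = 90 * DAY            # "Force periodic password changes"
    grace_logins: int = 6                        # logins allowed after the password expires
    detect_intruders: bool = True
    incorrect_login_attempts: int = 7            # failures that count as an intrusion
    intruder_attempt_reset_interval: int = 30 * 60
    lock_account_after_detection: bool = True
    lockout_length: int = 15 * 60                # how long a detected account stays locked


@dataclass
class Account:
    password: str = ""                           # plaintext only for this simulation
    password_set_at: float = 0.0
    grace_remaining: int = 0
    disabled: bool = False
    expires_at: Optional[float] = None
    history: List[str] = field(default_factory=list)
    bad_attempts: int = 0
    last_bad_at: float = 0.0
    locked_until: float = 0.0


def set_password(acct: Account, policy: AccountPolicy, new: str, now: float) -> Optional[str]:
    """Apply the password restrictions; return a reason string on rejection, else None."""
    if len(new) < policy.minimum_password_length:
        return "too-short"
    if policy.require_unique_passwords and new in acct.history:
        return "reused"
    acct.history.append(new)
    acct.password = new
    acct.password_set_at = now
    acct.grace_remaining = policy.grace_logins   # a fresh password gets a fresh grace budget
    return None


def new_account(password: str, policy: AccountPolicy, now: float) -> Account:
    acct = Account()
    err = set_password(acct, policy, password, now)
    if err:
        raise ValueError(err)
    return acct


def login(acct: Account, policy: AccountPolicy, password: str, now: float) -> str:
    """Evaluate one login attempt, update the account state and return the outcome."""
    if acct.disabled:
        return "account-disabled"
    if acct.expires_at is not None and now >= acct.expires_at:
        return "account-expired"
    if now < acct.locked_until:
        return "locked"                          # refused even with the right password
    if now - acct.last_bad_at > policy.intruder_attempt_reset_interval:
        acct.bad_attempts = 0                    # reset interval elapsed: forget old failures
    if not hmac.compare_digest(password.encode(), acct.password.encode()):
        acct.bad_attempts += 1
        acct.last_bad_at = now
        if policy.detect_intruders and acct.bad_attempts >= policy.incorrect_login_attempts:
            acct.bad_attempts = 0
            if policy.lock_account_after_detection:
                acct.locked_until = now + policy.lockout_length
                return "locked"
            return "intruder-detected"           # detected and logged, account stays open
        return "bad-password"
    acct.bad_attempts = 0                        # a good login clears the counter
    if now - acct.password_set_at >= policy.password_lifetime:
        if acct.grace_remaining <= 0:
            return "password-expired"            # grace logins used up
        acct.grace_remaining -= 1
        return "ok-grace-login"                  # admitted, but the password must be changed
    return "ok"
```

Two behaviours worth noting from the model: a correct password is refused during the lockout window, which is exactly what makes a deliberate lockout a denial-of-service lever against known account names; and failures spaced further apart than the reset interval never accumulate, so a slow guessing attack stays under a detector that only counts attempts.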
Activity C-1 (page 19-16): Discussing user account restrictions
Topic D: NDS/eDirectory context
NDS context
• Context is the location of an object in the Directory tree: the container it sits in
• Current context is a logical pointer indicating the container in the NDS tree that a workstation or user session is currently positioned at; relative names are interpreted from there
Distinguished name
• The full path to an object’s location in the tree
• All distinguished names begin with a leading period
– The leading period represents the root of the tree
• The path starts with the leaf object and moves toward the root of the tree
• Each object name is preceded by the attribute type of the object it references (CN=, OU=, O=, C=), and a period separates the objects within the name
Example of Distinguished Name
Relative distinguished name
• Identifies only part of the full name and
assumes the current context to be the rest of
the name
• Doesn’t begin with a leading period
Naming Conventions
Distinguished name and relative distinguished name
Typeful and typeless names
• When NDS/eDirectory attribute type information
(C=, O=, OU=, or CN=) is specified, the object
name is referred to as a “typeful” name
• When NDS attribute type information isn’t
specified, the name is referred to as a
“typeless” name
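Name resolution is where the four ideas on these slides (distinguished versus relative, typeful versus typeless, current context) meet, and it is worth seeing it done mechanically. The following is an added example, not Novell code and not from the course. Beyond what the slides state it assumes two things: NDS’s trailing-period rule, where each trailing period on a relative name drops one leading component from the current context, and that a typeless name refers to a leaf object, so its components are typed as CN (first), O (last) and OU (everything in between); a tree with Country objects or escaped periods in names is not handled. The names and contexts used are constructed.

```python
"""NDS/eDirectory name resolution helpers.

Constructed example, not Novell code.  A leading period marks a distinguished
name (the root); a name without one is relative and is completed with the
current context.  Typeful components carry an attribute type (CN=, OU=, O=,
C=); typeless ones do not.  Assumptions: each trailing period on a relative
name drops one leading component of the current context; a typeless name is a
leaf, so it is typed CN (first), O (last), OU (the rest).  No escaped periods.
"""
from typing import List, Tuple

TYPES = ("CN", "OU", "O", "C")


def split_name(name: str) -> Tuple[bool, List[str], int]:
    """Return (is_distinguished, components, trailing_period_count)."""
    name = name.strip()
    is_dn = name.startswith(".")
    body = name[1:] if is_dn else name
    stripped = body.rstrip(".")
    trailing = len(body) - len(stripped)
    if is_dn and trailing:
        raise ValueError("a distinguished name cannot carry trailing periods")
    comps = [c for c in stripped.split(".") if c]
    return is_dn, comps, trailing


def is_typeful(component: str) -> bool:
    head, sep, _ = component.partition("=")
    return bool(sep) and head.upper() in TYPES


def add_types(comps: List[str]) -> List[str]:
    """Make every component typeful, inferring CN/OU/O for typeless ones (leaf assumed)."""
    out = []
    last = len(comps) - 1
    for i, c in enumerate(comps):
        if is_typeful(c):
            t, _, v = c.partition("=")
            out.append(f"{t.upper()}={v}")
        else:
            t = "CN" if i == 0 else "O" if i == last else "OU"
            out.append(f"{t}={c}")
    return out


def resolve(name: str, current_context: str) -> str:
    """Resolve any typeful/typeless, distinguished/relative name to a typeful DN."""
    is_dn, comps, trailing = split_name(name)
    if is_dn:
        return "." + ".".join(add_types(comps))          # already absolute
    _, ctx, _ = split_name("." + current_context.lstrip("."))
    if trailing > len(ctx):
        raise ValueError("more trailing periods than there are context components")
    return "." + ".".join(add_types(comps + ctx[trailing:]))


def typeless(dn: str) -> str:
    """Strip attribute types from a name, keeping its leading period if it has one."""
    is_dn, comps, _ = split_name(dn)
    values = [c.partition("=")[2] if is_typeful(c) else c for c in comps]
    return ("." if is_dn else "") + ".".join(values)
```

The trailing-period case is the one to remember when reading login scripts and trustee lists: CN=admin.OU=Mktg. typed from context OU=Sales.O=Acme does not name an object under Sales at all, it names .CN=admin.OU=Mktg.O=Acme.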
Activity D-1 (page 19-18): Discussing NDS/eDirectory context
Topic E: NetWare log files
NetWare log files
• One of the ongoing activities of a network administrator is server monitoring
• Unless you carefully monitor the server, you might not be aware of network errors and performance issues
• The key point to know is that Novell NetWare stores log information in plain text files such as sys$log.err, vol$log.err and tts$log.err
• These files live on the server’s volumes, so they can be read from any client that can attach to the file server and holds Read and File Scan rights to the directory containing them; protect them with the same trustee assignments and IRFs as other sensitive data, since they reveal server configuration and error history
SYS$LOG.ERR
• Automatically created by the server and stored
in the SYS:SYSTEM directory
• Error and informational messages generated
by the server and displayed on the server
console are recorded in this log file
• Limited in size so that it doesn’t grow and
consume the entire SYS: volume
VOL$LOG.ERR
• The server creates one vol$log.err file in the
root of each volume
• Any errors or informational messages
generated by the server are recorded in this
log file
• By default, the size of the vol$log.err file is
limited to 4,194,304 bytes (4 MB)
Activity E-1 (page 19-21): Discussing SYS$LOG.ERR and VOL$LOG.ERR
ABEND.LOG
• An ABEND (ABnormal END) occurs when a
server has encountered a critical error
• The server frequently puts the offending
process to sleep and sends an alert to the
console
• In some cases, the offending process can’t be
isolated and the server reboots itself to correct
the situation
continued
ABEND.LOG
• The types of information recorded in the abend.log file include:
– The type of ABEND and when it occurred
– The name and memory address of the offending process
– A dump of the registers and stack
• See “Core Dump”, next slide
– The name and version number of each NetWare Loadable Module (NLM) loaded at the time
Core Dump
• A core dump consists of the recorded state of
the working memory of a computer program at
a specific time, generally when the program has
terminated abnormally (crashed).
• Other key pieces of program state are usually
dumped at the same time, including the
processor registers which may include the
program counter and stack pointer, memory
management information, and other CPU and
operating system flags and information.
– The name comes from the magnetic-core memory technology that was once standard. Core dumps are often used to diagnose or debug errors in computer programs.
CONSOLE.LOG
• During the startup process of the NetWare server, the system console screen displays:
– Configuration information
– Modules loaded
– Warnings
– Error messages
• To capture and log all of the console messages generated at the server while booting, you can use the CONLOG utility (LOAD CONLOG at the server console, typically placed early in AUTOEXEC.NCF; the captured messages are written to SYS:ETC\CONSOLE.LOG)
Activity E-2 (page 19-23): Discussing ABEND.LOG and CONSOLE.LOG
Topic F: Using monitoring and management tools
Using MONITOR.NLM
• Provides a wealth of server information to gauge server performance
• Provides a screensaver and a password protection function for the server console
• To load MONITOR on NetWare 4.x or earlier, type the following at the server console:
– LOAD MONITOR [option]
• To load MONITOR on NetWare 5.x or later, type:
– MONITOR [option]
continued
Optional switches
• L
– Immediately locks the server console upon load
• M
– Restricts the activation of the screensaver to the
monitor screen only
• N
– Disables the screen saver function
• Txxx
– Where xxx is the number of seconds of keyboard
inactivity before the screensaver is activated
MONITOR.NLM Screen Shot 1
MONITOR.NLM Screen Shot 2
Activity F-1 (page 19-25): Discussing MONITOR.NLM
Available options
• MONITOR measures server performance,
hardware status and memory usage.
• It also provides password and screensaver
protection
• The following is a description of some of the
items listed in the MONITOR utility’s “Available
Options” menu:
– Connections
– Storage devices
– Volumes
– LAN/WAN drivers
continued
Available options
– Loaded modules
– File Open/Lock Activity
– Disk cache utilization
– System resources
– Virtual memory
– Kernel
– Server parameters
NetWare Management Portal
• In NetWare 5.0 forward, many of these utilities
can be accessed from the Management Portal
NetWare Management Portal
Activity F-2 (page 19-26): Discussing the Available Options menu
NetWare Remote Manager (NRM)
• New in NetWare 5.1 and later
• Web-based interface
• Lets you diagnose server problems and perform server management tasks
• To access NRM, enter:
– http://server_name_or_IP_address:8008
– NRM also listens for HTTPS on port 8009; prefer that, because NRM authenticates you with administrative NDS credentials that should not cross the network in the clear
• Supported browsers:
– Netscape 4.5 or later
– Internet Explorer 5 or later
The NetWare Remote Manager interface
The NRM Health Monitor page
Viewing reports and log files in NRM
• Included reports:
– Config
– Security
– Inventory
• Included log files:
– Server Personal Log Book
– System Error Log File
– Abend Log File
– Server Health Log File
Activity F-3 (page 19-29): Discussing NetWare Remote Manager
The VREPAIR utility
• Problems might occur on your NetWare volumes because of improper shutdown or loss of power
– The primary File Allocation Table (FAT) or the Directory Entry Table (DET) might become corrupt due to these conditions
• VREPAIR can help rectify such problems on traditional NetWare volumes only, not on NSS (Novell Storage Services) volumes
Volume repair
• The NetWare operating system maintains two
copies of both the FAT and DET
• The VREPAIR utility compares the primary
tables with the mirrored copies
– Both sets of tables are checked for errors
continued
Volume repair
• If VREPAIR finds any inconsistencies in the
primary or secondary FAT or DET:
– It selects the one that it believes to be intact and
corrects the damaged table
– Corrections are written directly to the volume’s tables
– VREPAIR might have to delete files that have become
corrupt
Using VREPAIR
• Type LOAD VREPAIR or just VREPAIR (depending on the server OS version) at the server console prompt and press ENTER to load VREPAIR
• Choose the appropriate option
VRepair Module (other ppt)
• Volume cannot be mounted.
– Volume Allocation Tables can be damaged due to power outages, server crashes, or faulty software.
– After repairs are made, notify users to check their files for possible problems.
• Check volume integrity.
– Preventative maintenance tool.
– Document any problems.
– Decide whether to write repairs to disk.
Using VRepair (1)
• Start the VRepair utility.
– If the SYS volume is mounted, enter VREPAIR or LOAD VREPAIR at the server console.
– If the SYS volume is not mounted, enter LOAD C:VREPAIR to load VREPAIR.NLM from the DOS partition.
Using VRepair (2)
• Select VREPAIR options:
– Option 3 keeps changes in memory for later update.
– Option 1 allows you to remove a name space from a volume.
• Return to the Main Menu and select the Repair a Volume option.
Using VRepair (3)
• Select a volume to repair.
– The volume to repair must be dismounted.
• If an error is found, VREPAIR displays the Current Error Settings window.
– Select option 1, “Do not pause”.
– Select option 2 to log errors to a file.
Using VRepair (4)
• Select option 4 to continue the repair.
• A status window is displayed.
• At the end of VREPAIR, write the repairs to disk.
• Continue to run VREPAIR until no errors are reported.
Working with NSS volumes
• More recent versions of NetWare include the ability to take advantage of Novell Storage Services (NSS) volumes
• Many advantages:
– Larger file sizes
– Volumes mount faster
– No additional memory requirements
– Others
• Management through NRM, ConsoleOne, iManager and server console commands
NSS
• Novell Storage Services (NSS) is an enhanced, improved file system compared to the traditional file system of previous NetWare versions.
• It is optional: you don’t have to install or use it. If you do install it, it does not have to replace the traditional NetWare File System (abbreviated NFS on these slides; not to be confused with the Network File System): NSS can coexist with it.
• The NSS service first scans hard drives for unused space. Whatever space is found is marked off, labeled as available to NSS, and recorded in a pool called the NSS object bank. This action is called registering the space.
• Each of several hard drives may have free space available. The space that is marked, labeled, and recorded from each hard drive is called a storage deposit. When NSS starts to use some of this space, the storage deposit becomes a managed object.
• NSS can register space in NetWare partitions and in IBM-formatted (DOS) partitions.
NSS
• However, note that this action is essentially creating an NSS partition on the hard drive, and that a DOS (MBR) partition table holds at most four primary partitions. If the disk already has four partitions, you cannot make an NSS partition on it. This is why you do not want to create extra partitions on the server’s boot disk alongside the DOS partition.
• When NSS takes free space from a NetWare partition, the traditional NetWare file system sees the new NSS partition as a file.
NSS
• NSS can mount a CD as a read-only volume. This
makes it available to users on your system. To make
it possible, load CDROM.NLM on your server.
• NSS takes its registered partitions and combines
them into logical storage groups. Storage groups
are combined into logical NSS volumes.
• The text cautions you not to combine space from
inside NetWare volumes and space from outside
NetWare volumes into one NSS volume.
• NSS volumes may be physically located on several
servers, and on several hard drives. They act as
though they are on one server. Storage groups may
be combined. More storage groups may be added to
NSS volumes after the volumes are created.
Activity F-4 (page 19-31): Discussing the VREPAIR utility and NSS volumes
Unit summary
• Discussed user and group management
• Identified methods for implementing file system
security
• Learned about user account restrictions
• Discussed NDS/eDirectory context
• Described NetWare log files
• Learned about monitoring and management
utilities