Finding Non-Group Trustee Assignments On NetWare Volumes

Recently, I was working with a customer in a NetWare/OES server environment who wanted to ensure that all the trustee assignments on a particular volume were group-based, not individual user-based.  Actually, it was a few volumes… and many groups… and many users…

Anyway, the method I came up with was to rely on two good ol’ fashioned utilities: trustee.nlm and bash.

trustee.nlm

First, I had to gather the trustee assignments for every file on the volume, and trustee.nlm does just that, and much more.  Since I'm not interested in file ownership, etc., I just ran the NLM with the set of flags that creates an output file containing only the trustee assignments, as follows:

LOAD TRUSTEE /ET SAVE <volname>:\ <volname>:\<outputfile>.txt

…and I normally just name the output file after the server and the volume, like: FS1VOL2.txt or something similar.  Now, of course, if you have a small volume, with a small amount of data, and a small amount of users and groups, you can just stop right here, read the file with your human eyes, and find out who has user trustee assignments right away.  But…

bash

I decided to use a bash script to parse the trustee.nlm output file, and for each trustee object it finds, do an LDAP call (one per second) to find out if the object is a group or not.  If the object in question is not a group, the script writes the object value to a result file.  If the object is a group, it just spits a confirmation out to the console to keep me entertained while waiting.

Here is the script:

#!/bin/bash
# This script doesn't work well when objects have commas in them.
# It results in reporting that line as a non-group, which might not be true.
#
# Don't touch these variables
DATE=$(date +%Y%m%d%H%M%S)
#
# Set these variables
LDAPSERVER="192.168.1.3"
TREE="mytree"
TRUSTEEFILE="$1"
OUTFILE="NonGroupTrustees.$TRUSTEEFILE.$DATE"
#
if [ ! -r "$TRUSTEEFILE" ]; then
   echo "Usage: $0 <trustee report file>" >&2
   exit 1
fi
echo "Starting at $DATE" > "$OUTFILE"
#
# Read the report one line at a time (head/tail per line re-reads the whole file on every pass)
while IFS= read -r LINE || [ -n "$LINE" ]
do
   # Field 4 is the quoted trustee name; drop the quotes and keep the leaf (CN) part before the first dot
   item=$(printf '%s\n' "$LINE" | awk 'BEGIN { FS ="," } ; { print $4 }' | sed 's/"//g' | awk 'BEGIN { FS ="." } ; { print $1 }')
   # One anonymous LDAP query per object; an objectclass of groupOfNames means it is a group
   RESULT=$(ldapsearch -LL -x -h "$LDAPSERVER" -p 389 -b "t=$TREE" "cn=$item" objectclass < /dev/null | grep groupOfNames)
   if [ -z "$RESULT" ]; then
      echo "$item is not a group, $LINE"
      echo "$LINE" >> "$OUTFILE"
   else
      echo "$item is a group"
   fi
   sleep 1
done < "$TRUSTEEFILE"
#
echo "Complete. " >> "$OUTFILE"

And there you go.  Just copy the script content, save it locally to a file in the same directory as your trustee report file, do a chmod +x on that file so it will execute, and change the variables in the script (LDAPSERVER and TREE) to match your environment.  Then run the script with your trustee report file as the first argument on the command line.  For instance, if your script file were named trusteeCheckScript.bash, and your trustee file were named as in my example further above, you'd run:

./trusteeCheckScript.bash FS1VOL2.txt

And then check the output file for results.
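As an added example that is not part of the original post, here is a variant of the same approach that addresses the comma limitation noted at the top of the script, looks each object up only once instead of once per file, and escapes the object name before putting it into the LDAP filter. It assumes each trustee.nlm SAVE line is a set of double-quoted, comma-separated fields with the trustee in the fourth (as the awk expression in the script implies); the sample report lines used to exercise it are constructed.

```shell
#!/bin/bash
# Added example, not from the original post: quote-aware parsing of the
# trustee.nlm report and one LDAP lookup per distinct object. Assumes each
# SAVE line is double-quoted, comma-separated fields with the trustee in
# field 4 (as the original awk expression implies); sample data is constructed.
LDAPSERVER="${LDAPSERVER:-192.168.1.3}"
TREE="${TREE:-mytree}"

# Print the leaf name (CN) of the trustee in field 4 of one report line.
# Commas inside quoted fields no longer shift the columns.
extract_trustee() {
   printf '%s\n' "$1" |
      sed -n 's/^"[^"]*","[^"]*","[^"]*","\([^".]*\)[^"]*".*/\1/p'
}

# Print each distinct trustee CN in a report file once (C-locale order).
unique_trustees() {
   while IFS= read -r line || [ -n "$line" ]; do
      extract_trustee "$line"
   done < "$1" | LC_ALL=C sort -u
}

# Escape RFC 4515 filter metacharacters so an odd object name read from
# the report cannot change the meaning of the LDAP search filter.
ldap_escape() {
   printf '%s' "$1" |
      sed -e 's/\\/\\5c/g' -e 's/(/\\28/g' -e 's/)/\\29/g' -e 's/\*/\\2a/g'
}

# Same query as the original script; stdin is closed so ldapsearch cannot
# consume the report file when called from a read loop.
ldap_lookup() {
   ldapsearch -LL -x -h "$LDAPSERVER" -p 389 -b "t=$TREE" \
      "(cn=$(ldap_escape "$1"))" objectClass < /dev/null
}

# is_group CN LOOKUP: LOOKUP prints the object's LDIF; succeed on groupOfNames.
is_group() {
   "$2" "$1" | grep -qi '^objectClass: groupOfNames$'
}

# Print CNs that are not groups (the result list); groups go to stderr.
report_nongroups() {
   unique_trustees "$1" | while IFS= read -r cn; do
      if is_group "$cn" "$2"; then echo "$cn is a group" >&2
      else printf '%s\n' "$cn"; fi
   done
}
# Usage: ./thisfile.bash FS1VOL2.txt > NonGroupTrustees.txt
if [ $# -eq 1 ]; then report_nongroups "$1" ldap_lookup; fi
```

Because the lookup is passed in by name, the parsing and classification can be checked against a stub before pointing it at a live eDirectory server.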

Enjoy! I hope that helps.  And if you have a better way, as always, drop me a line…
