
Are you right about trustee rights?

Sep 09, 2003

* Where are the file and folder trustee rights kept?

So just where are file and folder trustee rights kept? Many otherwise knowledgeable NetWare veterans are under the mistaken impression that file system trustee rights are stored within the directory. And, on two out of three levels, they’re right.

But it’s not the “directory” as in eDirectory, a.k.a. Novell Directory Services (NDS). Nope, it’s the “directory” as in “A node in a hierarchical file system which contains zero or more other nodes – generally, files or other directories,” – from The Free On-line Dictionary of Computing. It’s the use of the same word, “directory” for two very different computer-based entities that leads to this confusion.

That, and the fact that we use the term “trustee rights” in talking about what are generally known as “access control lists” (ACL) for both the file system as well as the directory service. NDS objects have trustee rights associated with them just as files do. Some of the enumerated rights have similar names, which further confuses the issue.

On top of all that are the file and folder trustee rights. These are not stored in the network directory service but are nevertheless associated with the object in NDS through the use of an object ID number to indicate which object (user, group, etc.) has which rights to which files and folders. This isn’t the ID number in the directory, though. Confused? You’re not alone.

Each server on your network has a local database that holds NDS information (replicas of partitions for the most part). In many ways, this local database is similar to the NetWare 3 (and earlier) bindery because it also holds information specifically about the server on which it resides – including a local ID number for each object in the database.

The actual file system trustee rights are carried as attributes of the file (or folder) in the file system’s Directory Entry Table (DET), which lists the pointers to the physical locations of the files and folders so that the operating system can navigate to them as needed. This system is almost as old as NetWare (since it’s simply an adaptation of the system used by DOS) and the architects of NDS-enabled NetWare (Versions 4 and higher) saw no need to change it. They certainly didn’t want to keep records of every file and folder (some of which – temporary files in an e-mail folder, for example – can come and go in less than a second or two) with the directory service. That would significantly impact its performance. So they adapted the tried and true system to the new paradigm.

Still, no one wanted to put the trustee object’s Distinguished Name (DN) in the DET entry because it would take up a large amount of space, so they continued to use the ID number associated with that object. But the local database has its own set of unique ID numbers, inherited from the older Bindery systems, so that’s what continued to be used for file system trustee rights.

All of this goes to explain why you can’t simply use a DOS COPY command to move files and trustee rights either to a different location on a server or to a different server. Specialized tools, which look up the trustee holder’s information, are used to move files. Even so, early implementations (with NetWare 4) led to problems when files were restored to a different server than they were backed up from – suddenly all the trustee rights were different. This was because the same user or group object might have a different local ID number (in fact, most likely had a different ID number) on different servers.
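To make the ID-number indirection concrete, here is an added example (a constructed Python model, not Novell code or any real NetWare API): two servers that assigned local object IDs in different order, a verbatim copy of a DET entry that hands one user’s rights to another, and a copy that resolves IDs through the DN the way the specialized tools do.

```python
# Constructed model (added example, not Novell code) of why file-system trustee
# rights stored as per-server local object IDs break when files change servers.
from dataclasses import dataclass, field


@dataclass
class Server:
    """One NetWare server: its local NDS database assigns its own object IDs."""
    name: str
    local_ids: dict = field(default_factory=dict)   # DN -> local object ID
    det: dict = field(default_factory=dict)         # path -> {local ID: rights}

    def local_id(self, dn):
        """Assign IDs in first-seen order, like a server-local bindery."""
        if dn not in self.local_ids:
            self.local_ids[dn] = len(self.local_ids) + 1
        return self.local_ids[dn]

    def grant(self, path, dn, rights):
        """Record a trustee assignment in the DET entry, keyed by local ID."""
        self.det.setdefault(path, {})[self.local_id(dn)] = rights

    def trustees(self, path):
        """Resolve a DET entry back to DNs (what an admin would see listed)."""
        by_id = {v: k for k, v in self.local_ids.items()}
        return {by_id.get(i, f"<unknown id {i}>"): r
                for i, r in self.det.get(path, {}).items()}


def naive_copy(src, dst, path):
    """Copies the DET entry verbatim: the local IDs mean nothing on dst."""
    dst.det[path] = dict(src.det[path])


def trustee_aware_copy(src, dst, path):
    """Resolve ID -> DN on the source, then DN -> ID on the destination."""
    dst.det[path] = {}
    for dn, rights in src.trustees(path).items():
        dst.grant(path, dn, rights)


def demo():
    """Returns (trustees after naive copy, trustees after aware copy) on SRV-B."""
    a, b = Server("SRV-A"), Server("SRV-B")
    # Constructed: objects were created in a different order on each server.
    for dn in ("CN=alice.O=acme", "CN=bob.O=acme"): a.local_id(dn)
    for dn in ("CN=bob.O=acme", "CN=alice.O=acme"): b.local_id(dn)
    a.grant("SYS:DATA/PAYROLL", "CN=alice.O=acme", "RWF")
    naive_copy(a, b, "SYS:DATA/PAYROLL")
    wrong = b.trustees("SYS:DATA/PAYROLL")   # bob now holds alice's rights
    trustee_aware_copy(a, b, "SYS:DATA/PAYROLL")
    return wrong, b.trustees("SYS:DATA/PAYROLL")
```

Running `demo()` shows the restored file granting `RWF` to bob after the naive copy and to alice after the DN-resolving copy, which is exactly the “all the trustee rights were different” symptom the early NetWare 4 restores produced.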

So now you know. Probably more than you needed to know, or wanted to know. But, at least, you can feel superior to those who don’t know. See you next time.