I am seeing users granted access to files they should not be able to see, and also not
seeing files they should.

I posted a less detailed version to the bordermanager list and they said it is likely a
client issue.

History and scenario:

2 Netware 6.5 small business servers, different trees, same context, running a
Bordermanager site to site tunnel between the two locations via the web. The system had
been in operation for a couple years before the issue was noticed. The master had its sys:
volume rebuilt from scratch recently due (I believe) to NDS corruption. The data volume
was not rebuilt, simply added intact. I do not know if the situation existed prior to the
server re-do. The user data is all on the "data" volumes of the two servers. Each server
has each user set up with the same password as on the other server. We are using different
trees so that access through the tunnel is not required to function locally, and identical
contexts so users can authenticate to both servers when/if the tunnel is up. Both servers
have nearly identical directory structures, as in there is a users folder, and an "exec"
folder for more secure stuff. Access is controlled by denying all rights to the volume
root, then granting folder rights to groups, and making users members of groups. Users are
not granted rights individually. I do not believe we are synchronizing the NDS through the
tunnel. I have done all the rights management through nwadmin, if that matters. I updated
to the latest client (4.9 sp3) and observed no difference.

In the system login script I do a "map delete" and then re-map the drive to the remote
server's data volume. I am not using individual login scripts.

The problem was first noted when a user who is a member of "exec" on the local server but
not a member of "exec" on the remote could see/access files in the "exec" folder on the
remote server. Since then I have noted other access related issues that are not right.

For example-

Admin logs in. Has total access to both servers. User with rights to local exec folder but
no rights to remote exec folder logs in via Novell Client (same workstation), has
appropriate access to local server but has admin level access to remote. This sometimes
persists through a reboot. Then User's access to the local exec folder is revoked, login
again and has local rights as expected but still has rights to the exec on the remote,
although does not have rights to all the other folders as admin would. (?!) Admin then
logs in and has the appropriate rights locally but does not have the expected rights
remotely. (?!?!) Sometimes this will persist through a reboot, and sometimes admin gets
appropriate access to both servers.


Does windoze cache/store/override mappings, rights, etc?
Can the "in two identical groups/ in two identical contexts/ in two different trees" cause
Would the NDS sync between servers in this scenario and could this be part of the issue?
Can I force re-authentication to the remote on login?
Should it re-authenticate automatically when changing users?
Could the re-creation of NDS on one of the servers (not the other) cause/allow this?
Where else should I look for rights to sneak into the process?
What else should I be looking for?

Big Thanks-

Bill McCullough