OVER32.EXE Utility to allow over 32 Security Equivalences Read this document carefully before running OVER32.EXE. Problem: All current versions of NetWare (v2.2/v3.11) will allow that users are members of more than 32 groups, but only a maximum of 32 security equivalences will be checked by NetWare when determining a users' trustee rights. OVER32 will allow NetWare to handle over 32 group memberships correctly. Solution 1: Re-think your servers security structure, reduce the number of groups a user is member of. This can be done by combining groups, or by deleting unneeded groups. This solution is should be preferred to using OVER32 ! Solution 2: If you definitely have to handle users with more than 32 group memberships, you can use OVER32 as a workaround. Be aware of the limitations of OVER32 that are listed below. * Background: Security equivalences are stored in the NetWare bindery in 128-byte segments. Each segment can contain up to 32 ID's (with 4 bytes each). If a user has more than 32 security equivalences, those will be stored in additional segments. However, only the first segment will be interpreted when NetWare determines directory rights. Therefor the trustee rights of groups stored behind the first segment will not affect a user's directory rights. Another problem might occur when security equivalences are added and removed: Assumed that you add a user to 50 groups, group #1-#32 will be stored in the first, #33-#50 in the 2nd segment. If you remove memberships #1-#20 later, the IDs #21-#32 will stay in the 1st, #33-#50 will remain in the 2nd segment and will not affect the user's rights at all: only the remaining groups from the first segment (#21-#32) will affect this user's rights. OVER32 sees 3 types of users and treats them according to their needs ("OVER32 /I" will show those different user types without taking any action): Type A: All security equivalences (32 or less) are stored in segment one. No action is required. Type B: The user currently has no more than 32 security equivalences, but these are distributed on 2 or more segments. OVER32 will restructure the segments and move all IDs to the first segment. Type C: The user currently has over 32 security equivalences, and NetWare ignores all but those stored in the first segment. OVER32 will create a new bindery object. This object is of type '32032' and has the name of the user preceded by '32_'. OVER32 will make the user security equivalent to this new object. Then the new object will be assigned the trustee rights of all groups not stored in the first segment. This new object will therefor have the trustee assignments of all groups that NetWare couldn't handle. * Syntax Function OVER32 /? Display this help information OVER32 /I Show the users that might need OVER32 OVER32 All users matching the specified pattern (wildcards allowed) will be checked and (if necessary) adapted to support over 32 security equivalences. OVER32 /C Cancel effects of OVER32; delete all objects created by OVER32. This option will normally not be needed since OVER32 automatically deletes a hidden object it created if it is no longer needed. Examples: OVER32 * Check and adapt all users OVER32 WSCHREIB Check and adapt specified user OVER32 W* Check multiple users * Error messages: When OVER32 displays error messages during its operation write down the message and follow its instructions. Precautions: Though it is not expected that OVER32 will cause any trouble it is strongly recommended that you run a NetWare utility like NBACKUP to backup your bindery before using OVER32. Limitations: - while NetWare can handle no more than 32 security equivalences, OVER32 is restricted to 1000 security equivalences. - due to the way NetWare handles security equivalences, only the first 32 security equivalences can be dynamically handled (changes in group rights affect changes in member rights automatically). Changes in trustee assignments of the 33rd group and all following groups will not be handled automatically by OVER32 ! Whenever group rights or group memberships are changed you should run OVER32 to let those changes take effect on the users' trustee rights ! * Side effects: - The new objects created by OVER32 will appear in SYSCON as in the menu option 'Security Equivalences' and begin with the string '32_'. This is expected and desired. - The new objects may show up in utilities that display trustee assignments (FILER, SLIST). This is expected and desired.