Tree Command fails after IDM is enabled

  • 7003250
  • 12-May-2009
  • 27-Apr-2012

Environment

Novell Client 4.91 SP1 for Windows NT/2000/XP
Novell Client v4.91 for Windows 2000/XP
Novell Client 4.9 SP2 for Windows NT/2000/XP
Novell Client 4.9 SP1 for Windows NT/2000/XP
Novell Client 4.9 for Windows NT/2000/XP
Novell Nterprise Branch Office 2.0
Novell Nterprise Branch Office 1.0
Novell NDS to NDS Driver

Situation

Tree command in login script passes old password.
IDM driver changes password in second tree, Tree command logs into second tree with old password, authentication fails.
User changes password in corporate tree first and tries to login to Branch Office and fails
The user is getting prompted for credentials when they attempt to login to the Branch Office appliance.
The user's credentials are missing in the login dialog box when it appears.
NMAS client is installed on the client workstation and is being used for authentication.
The TREE command is being used in the login script in order to login to the Branch Office tree.

Resolution

The problem is resolved in LGNWNT32.DLL that shipped in the Novell Client 4.91 SP1.  Additionally, there are some additional parameters that will need to be passed on the TREE command.  You will need to use the following syntax:

TREE [EXTERNSYNC] <tree>[/<user>[;password]]

Example:  TREE EXTERNSYNC NBO_TREE/.User.Remote.AppUsers

Additional Information

The TREE command, assuming that no password is specified on the command line, when it detects a password change on the primary tree will pass the old password to the other trees.  In most scenarios, this behavior is desired.  However, there are certain scenarios, such as when using the TREE command to connect to a Branch Office tree, or when DirXML is syncronizing passwords between trees, where this behavior is not desireable.  A change has been made to LGNWNT32.DLL to accomodate this synchronization process that can occur in the background.
The EXTERNSYNC option should be specified for a TREE statement where the NDS tree is known to already be in sync if and when an expired password has been handled on the primary NDS tree login. In this case, the "new" password, rather than the "old" password, will be used when trying to login to the NDS tree. Note that if a password is explicitly specified in the TREE syntax (i.e. after a semi-colon), the EXTERNSYNC parameter will be ignored and the script-specified password will be used.

An option was also implemented to allow EXTERNSYNC to be specified in NetWare login scripts that need to be read by older Novell Client installations which are not aware of the EXTERNSYNC syntax. A login script variable named EXTERNSYNCSUPPORTED has been created which is set to "TRUE" when the version of the Novell Client reading the login script knows what EXTERNSYNC means. As such, the following construct could be used in a NetWare login script to ensure login script execution does not fail on older Novell Clients due to the unknown EXTERNSYNC syntax:

IF "%EXTERNSYNCSUPPORTED" = "TRUE" THEN
TREE EXTERNSYNC NBO_TREE/.%1.Remote.AppUsers
ELSE
TREE NBO_TREE/.%1.Remote.AppUsers
END

Note that the older login script processor will still report being unable to recognize the "TREE EXTERNSYNC" line. But because that line is not actually executed, this will not actually "count" as an error and the login script results window will not remain open as though an error occurred. The older login script processor will execute the other TREE command, without the EXTERNSYNC parameter.

An additional option exists with this updated LGNWNT32.DLL too, mainly for testing purposes or an environment where for some reason the login script cannot be immediately changed. Creating a DWORD value named "ForceExternSync" in the [HKEY_LOCAL_MACHINE\Software\Novell\Login] key with a value of 0x00000001 will cause ALL TREE commands processed by the login script processor on that machine to be treated as though EXTERNSYNC had been specified, regardless of whether it was or not.
Formerly known as TID# 10098917

Feedback service temporarily unavailable. For content questions or problems, please contact Support.