Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
>with 1.10.8 do you still get nt domain integration for accounts (in
>pserver mode)?

Not that I know of, you either use :ntserver: from NT class clients using the named pipe or you use :pserver: as original CVS from any client machine type. In the first case CVS-NT works in the context of the user and all file system permissions are applied, in the other it works in the service account context (normally SYSTEM) which has access to everything. Version 1.11.1.x has changed this, I gather, but I don't use it myself so I cannot comment...

>this is where i start to get confused, especially with the impersonation
>stuff. i don't care about ntserver, i have unix and 95/98 clients that
>needs access and if i understand correctly ntserver will not work at all
>in that model.

If you don't have NT only clients then forget about :ntserver: you have to use :ext: with ssh or :pserver: with whatever limitations that gives.

>so i need pserver with domain integration (since that's the whole reason
>we want to move to cvsnt). however any domain user that is created has
>full access to all the repositories unless you can implement file systems
>permissions. right?

Given that 1.11.1.x can impersonate a valid domain user even if invoked using :pserver: (as I said I have not tested), then of course the file system permissions will come into play here. In NT (but only if you use the NTFS file system!) you can make the access permission granularity really fine.

You have to be careful here. A domain user belongs to the Everybody group per default and also per default the Everybody group will have full control on a disk directory on a domain connected PC. But this is only initially, first create a directory d:\CVSREPO and then set the permissions for the directory to only include SYSTEM and a group "CVSUsers". Now this directory cannot be accessed by anyone not belonging to these two entities, including domain admins (unless they are part of the CVSUsers group).
Any directory you create below this will inherit the security properties from its parent so you are almost done here.

>now i thought that with pserver and ntserver impersonation turned on, i
>got a system where file system permissions could be implemented to control
>access.

With 1.11.1.x I guess that would be true.

>if this doesn't work how do you control access to your repositories?

Only through the passwd file and once accepted all users have the same rights.

>> To be able to use pserver securely you must implement some form of SSH
>> system, something I tried but abandoned 6 months ago. Too much work
>> and we use NT only clients anyway.
>
>ugg, yeah, that's a pain. we just use stunnel. it's not as secure as ssh
>but you can use cvs' account database and nothing is plain text.

I personally use Cisco's VPN system to access my corporate LAN from the web and once logged in I am authenticated by the domain. But I am using NT4 and W2000 clients exclusively of course...

>> This issue is with the way WinCvs finds out which files to show as
>> modified. WinCvs uses a Windows API that basically puts a watch on a
>> directory which fires as soon as any file in the directory has
>> changed. This API works fine on local drives (which are maintained by
>> the local CPU), but for network mapped drives it seems to
>> automatically convert to a polling system that creates a *lot* of
>> network traffic and also ups the WinCvs CPU cycle usage something
>> awful. If the users will work with WinCvs by starting it when they
>> want to do some CVS stuff and then immediately closes WinCvs when they
>> are done then it will be OK to use a sandbox on a mapped drive, but in
>> my view not otherwise.
>
>okay so more questions. what are the SANDBOX, HOME and TEMP variables
>that i'm supposed to set actually used for?

I don't give much for this issue with all the env variables. I have set up my *server* with TMP and TEMP variables, that is all.
Don't understand why people seem so keen on discussing these, the other vars seem not to be needed at all. I have never set any and my installations work just fine both on server and client side...

Anyway, the sandbox I refer to above is the workspace into which the developer checks out the project files and in which he works during his development effort. WinCvs will watch this directory structure as long as it is running and look for file changes so it can mark changed files with a clear (red) icon and so notify the developer of a need to commit the changes to the server. This watch process is what is so CPU intensive across network connections.

>> But if you and your users are careful and not too many you might get
>> away with this, but I doubt that you will sleep very well if your data
>> are anywhere close to valuable.....
>
>yah, our data is important.

I think data are more valuable than any hardware you can come up with today after only a small time of development.

Value >= <number of developers> * <avg time per developer> * <salary>

Value monotonically increases as time goes by (hopefully).

>thanks for all the info.

You're welcome

>adam.

/Bo

_______________________________________________
Cvsnt mailing list
Cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
https://www.march-hare.com/cvspro/en.asp#downcvs
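
The directory lockdown described in the reply above (create d:\CVSREPO, leave only SYSTEM and a "CVSUsers" group on it, let subdirectories inherit), as an added PowerShell example that is not part of the original message. It assumes an elevated prompt on an NTFS volume, an existing CVSUsers group, and Modify rights for that group, which the message does not specify.

```powershell
# Added example, not from the original message. Run elevated on an NTFS volume.
$RepoRoot  = 'D:\CVSREPO'   # directory named in the message
$Group     = 'CVSUsers'     # group named in the message; must already exist
$SystemSid = 'S-1-5-18'     # well-known SID of the SYSTEM account

New-Item -ItemType Directory -Path $RepoRoot -Force | Out-Null

# Drop the ACEs inherited from the parent (including the default Everyone
# entry the message mentions) and grant only the two intended principals.
# (OI)(CI) makes files and subdirectories inherit the entries.
# Assumption: Modify (M) is sufficient for the group.
icacls $RepoRoot /inheritance:r /grant:r "*${SystemSid}:(OI)(CI)F" "${Group}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Audit 1: every Allow entry on the root must belong to SYSTEM or the group.
# Comparing SIDs avoids depending on localized or domain-qualified names.
$sidType = [System.Security.Principal.SecurityIdentifier]
$allowed = @($SystemSid,
             ([System.Security.Principal.NTAccount]$Group).Translate($sidType).Value)
$unexpected = (Get-Acl -Path $RepoRoot).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate($sidType).Value -notin $allowed
}

# Audit 2: a subdirectory that stopped inheriting carries its own ACL and is
# no longer governed by the permissions set on the root.
$detached = Get-ChildItem -Path $RepoRoot -Directory -Recurse |
    Where-Object { (Get-Acl -Path $_.FullName).AreAccessRulesProtected }

$unexpected | ForEach-Object {
    Write-Warning "Unexpected ACE: $($_.IdentityReference) $($_.FileSystemRights)"
}
$detached | ForEach-Object {
    Write-Warning "Inheritance disabled: $($_.FullName)"
}
if (-not $unexpected -and -not $detached) {
    "OK: root ACL lists only SYSTEM and $Group, and all subdirectories inherit it"
}
```

Re-running only the two audit steps on a schedule catches ACL drift after directories are moved into the repository with their old permissions attached.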