Hi,

pserver definitely needs the passwd file since the protocol starts out authenticating users against that file and only after successful verification here goes on to either use that login or the alias in the passwd file as the account to perform the actual cvs tasks with.

If you use :ntserver: as the connection protocol (as I do in two separate installations), then you need the passwd file as well because it tells cvs which users are accepted to work with the cvs repository. In this case it is enough to have a list of login names without the password part (create using cvs passwd -a <username> and enter nothing as the password), because ntserver will authenticate using the login from the workstation over the named pipe that is set up for the connection. The use of the passwd file was introduced when CVSNT went from 1.10.8 to 1.11.1.x; in 1.10.8 the passwd file was not used for ntserver.

Recently there was another protocol added called sspi, which uses strong encryption over TCP/IP (I think on a single port) and uses the workstation login as well. I have not experimented a lot using this protocol, but what I have seen looks good. It also needs the passwd file. If you are setting up things now I recommend that you check out sspi since it seems like that will be what is most convenient over the Internet.

What all this boils down to is that you need to manage the CVS user access separately from the NT user database. Not all valid domain accounts are given CVS access and this is controlled with the passwd file. But when you continue with granular access control using NTFS you need to also manage the NT user groups additionally to the passwd file.

/Bo

----- Original Message -----
From: "Brennan, Dennis" <DBrennan at seic.com>
To: "'Bo Berglund'" <bo.berglund at telia.com>
Sent: Tuesday, July 16, 2002 9:41 PM
Subject: RE: [Cvsnt] cvsnt pserver ntfs permissions - please help

> Thanks Bo. I'll give your instructions a try.
>
> One question - do we need the passwd file if we only want to pserver with
> impersonation? Our client wants to be able to use NT security so they don't
> have to maintain additional sets of uids/psswds.
>
> I thought if the passwd didn't exist and you modify the config file to
> SystemAuth=yes, then nt domain authentication was the default. With this
> set up, it looks like the System user is actually making the changes and
> then changing the owner of the files to the user that made the request.
>
> Any thoughts?
>
> -Dennis
>
> -----Original Message-----
> From: Bo Berglund [mailto:bo.berglund at telia.com]
> Sent: Tuesday, July 16, 2002 2:56 PM
> To: Brennan, Dennis
> Cc: 'CVS-NT List'
> Subject: Re: [Cvsnt] cvsnt pserver ntfs permissions - please help
>
>
> First of all:
> I had not yet tested the setup you describe, namely having a module
> directory on the server set to readonly for a certain user group and
> then trying to import stuff into that module.
>
> But now I have done this on my test server at my summer house:
>
> 1. I have created a few usergroups for this test:
> - CVSReaders (readonly access everywhere)
> - CVSUsers (normal access everywhere except to CVSROOT which is readonly)
> - CVSAdmins (full control to all CVS directories)
>
> 2. I have added myself to CVSAdmins (obviously) and added one of the users
> of this machine to CVSReaders.
>
> 3. I have set the repository security as follows:
> c:\cvsrepo = remove security inheritance, then add the following groups (my
> PC is named antares):
> antares\CVSAdmins (full control)
> antares\CVSUsers (full control)
> antares\CVSReaders (read only)
> SYSTEM (full control) - this is really important!
> Remove Everyone from the list! Also very important!
>
> 4. I have created a new directory c:\cvslocks with full access for everybody
>
> 5. As myself I have checked out CVSROOT of the repository and then entered
> this modification to config:
> LockDir=c:/cvslocks
> Then I have committed this important change, it is needed if you are to get
> granular access using NTFS.
>
> 6. On a command prompt in an empty directory I have entered this:
> set cvsroot=:ntserver:antares:/test
> cvs passwd -a brittis
> <typed her password twice>
> This adds the user brittis to the passwd file which is used for pserver and
> some other protocols as well.
>
> 7. Then in WinCvs I have checked out a test module ModuleA from the server
> using pserver with the user account 'brittis'
> This worked fine and the locks are placed in c:\cvslocks
>
> 8. Now I have created a directory with one text file in a temp location
>
> 9. Then I have navigated to ModuleA in WinCvs and activated Create/Import to
> start the import process.
> I have specified the import to become ModuleA\Imported
>
> When I click OK WinCvs tries to do the import but fails with these errors:
>
> cvs -z3 import -I ! -I CVS -m "Testar att importera till en readonly module"
> ModuleA/Imported Start brittis (in directory C:\test\Imported)
>
> cvs server: cannot make path to C:/cvsrepo/test/ModuleA/Imported: Permission
> denied
>
> N ModuleA/Imported/Newreadme.txt
>
> cvs server: ERROR: cannot write file
> C:/cvsrepo/test/ModuleA/Imported/Newreadme.txt,v: No such file or directory
>
> No conflicts created by this import
>
> *****CVS exited normally with code 1*****
>
> As you can see there are two cases of failure, one to create the new module
> dir and the other to write the file.
>
> So it all works OK as far as I can see...
>
> /Bo
>
> ----- Original Message -----
> From: "Brennan, Dennis" <DBrennan at seic.com>
> To: <bo.berglund at telia.com>
> Sent: Tuesday, July 16, 2002 7:38 PM
> Subject: cvsnt pserver ntfs permissions - please help
>
>
> > Bo,
> >
> > I've seen a lot of material on the web regarding cvsnt and creating fine
> > grain security access with ntfs permissions. I'm trying to set up module
> > level read only access using standard windows 2000 security, but with no
> > luck. Most of the things I've read indicate it should work.
> >
> > Specifically I deny write access to a module for a given group but I am
> > still able to import a new module connecting as a user in that group. I'm
> > using pserver with impersonation turned on (build 57f) - and yes I did
> > make sure the local system account has the 'Create a token object'
> > privilege:)
> >
> > Any help you could provide would be greatly appreciated. Thanks.
> >
> > -Dennis

_______________________________________________
Cvsnt mailing list
Cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
https://www.march-hare.com/cvspro/en.asp#downcvs
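
Steps 1 to 4 of the quoted setup, scripted with `net localgroup` and `icacls`, followed by a check of the two points the thread marks as important (SYSTEM keeps full control, Everyone is removed). This is an added example, not part of the original messages; it assumes an elevated PowerShell prompt on the server, an English-language Windows install, and that brittis is the read-only test user.

```powershell
# Added example, not from the original thread. Paths and group names are the
# ones used in the thread; run from an elevated prompt on the CVSNT server.
$repo  = 'C:\cvsrepo'
$locks = 'C:\cvslocks'

# Step 1: local groups for the three access levels.
foreach ($group in 'CVSReaders', 'CVSUsers', 'CVSAdmins') {
    net localgroup $group /add
}

# Step 2: put the read-only test user in CVSReaders
# (assumption: brittis is the user the thread added to that group).
net localgroup CVSReaders brittis /add

# Step 3: grant the explicit entries first, then cut inheritance so no
# inherited entry survives. (OI)(CI) applies the entry to files and subfolders.
icacls $repo /grant:r 'CVSAdmins:(OI)(CI)F' 'CVSUsers:(OI)(CI)F' `
                      'CVSReaders:(OI)(CI)R' 'SYSTEM:(OI)(CI)F'
icacls $repo /inheritance:r
icacls $repo /remove:g Everyone

# Step 4: lock directory with full access for everybody, to go with the
# LockDir=c:/cvslocks line committed to CVSROOT/config in step 5.
New-Item -ItemType Directory -Path $locks -Force | Out-Null
icacls $locks /grant 'Everyone:(OI)(CI)F'

# Verification: read the ACL back instead of trusting the commands above.
$acl      = Get-Acl -Path $repo
$allow    = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' }
$problems = @()
if (-not $acl.AreAccessRulesProtected) {
    $problems += 'inheritance is still enabled on the repository root'
}
if ($allow | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }) {
    $problems += 'Everyone still has an allow entry'
}
# Account name as shown on English-language Windows; localized names differ.
$system = $allow | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
    $_.FileSystemRights -eq 'FullControl'
}
if (-not $system) { $problems += 'SYSTEM does not have full control' }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Output "ACL on $repo matches the setup in the thread." }
```

The read-only restriction on CVSROOT for CVSUsers mentioned in step 1 is not shown in the thread and is not scripted here.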