Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
On Wed, 09 Oct 2002 15:43:06 +0300, Andrus Suitsu wrote: > It fails in the nt_setuid method of setuid.c. Around line 330 there is twice > a call to LsaEnumerateAccountRights. It looks like the first call never > succeeds; it returned FILE_NOT_FOUND system error after I converted the > NTSTATUS code to system error code. The second occurence I didn't do a > complete trace since it was a loop, but encountered error codes 2 and 5 > (access denied) in the first few loop cycles. The net result is that the > final call to NtCreateToken fails always. The account that cvs is initially running as must have 'Create a process token'. It probably must also be an administrator, but I haven't checked too deeply on that. Running as LocalSystem should give you enough rights to do this. On an Active Directory domain this right can be quite difficult to enable - I had to enable it in about 3 or 4 different places before it 'stuck' (mostly due to my lack of knowledge about AD, probably). > What could be wrong? Why can SSPI impersonate and pserver cannot? Pserver needs to use a hack to impersonate because of a deficiency in the Win32 API (even administrators can't impersonate without the plaintext password of the user, which is too insecure to be worth even thinking about). > I really need pserver, lots of programs we use around here have built-in > support only for pserver. SSPI is only useful for WinCVS usage. Anything which calls a cvs.exe should be able to use sspi if you just swap it with the cvsnt exe/dlls. I could backport gserver from the development tree now I've got it working with AD, which is standard enough that even unix clients should be able to use it. That'll have to wait a few days though. Tony