Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
I'm still very new to CVSNT, but I've read through as much as I can find on
the subject of using the integrated login with NT and CVSNT. What I can't
figure out is: Should I be able to have a *local* machine administrator
account be an administrator for that local CVSNT installation? The behavior
I have seen is that the user must be in the *Domain* Administrators group to
get admin rights on the CVSNT installation on the LOCAL machine.
I have a test network set up where I am testing CVSNT. However, our
production environment has thousands of users in a user domain (single
master domain model) and I am NOT an administrator on that domain (or even
the resource domain where the server is). I AM an administrator on my own
server where I want to install CVSNT. I would like to be able to have all
users use :sspi: or :ntserver: to connect using their default logins, but it
won't work if I have to be a Domain Administrator!
Using cvsroot=:sspi:glen:\test
Attempting a cvs passwd -a joeuser
When logged in as DOM\gstarrett, I get "need to be an administrator..."
error.
When logged in as DOM\gstarrett-admin, I get no error--just works.
I tried logging in as DOM\gstarrett then using a couple variants of
cvsroot=:sspi:DOM\gstarrett-admin at glen:\test, but that didn't work at all
("Authentication failed")
[I realize this probably isn't the way to set up domain account users, just
trying to get an admin command to test with ;)]
If I had to guess, based on what I understand of NT's authentication system,
CVSNT isn't looking at the local groups list. The token given by an
authentication server in the DOM domain wouldn't include information on the
local machine group membership info, but it would include info on the DOM
domain groups.
Other notes that may be relevant:
--I have not adjusted my SystemAuth settings, since I do want to use my
domain accounts and not have to mirror them in the server's list.
--In the message http://www.cvsnt.org/pipermail/cvsnt/2002-April/001771.html
there is a suggestion to try adding the domain user to the CVSROOT\admin
file, but I thought that file was for :pserver: only?? Regardless, I tried
it with several variations and it didn't seem to have any effect.
I am using:
WinXP Professional SP1 "GLEN"
Participating in domain "DOM"
CVSNT 1.11.1.3 (build 72)
WinNT4 Server SP6a "MYDC"
PDC (and only DC) for domain "DOM"
User Accounts:
DOM\gstarrett
User account in DOM
Primary login on GLEN
In the GLEN\Administrators group
DOM\gstarrett-admin
In the DOM\Domain Admins group
(DOM\Domain Admins is in the DOM\Administrators group as defaulted)
In the GLEN\Administratos group via DOM\Domain Admins group
I hate to just give up & use pserver for everything, the NT integrated
solution is so much more elegant (and appropriate for our environment). Any
help is appreciated. Thanks!
Glen Starrett