Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Is your domain account DOM\gstarrett a member of the local Administrator
group?
That would be the first thing I would try.
-elliot
|-----Original Message-----
|From: Glen Starrett [mailto:grstarrett at cox.net]
|Sent: Wednesday, February 19, 2003 12:29 AM
|To: cvsnt at cvsnt.org
|Subject: [cvsnt] WinXP sspi Admin authentication: Local vs Domain?
|
|
|I'm still very new to CVSNT, but I've read through as much as
|I can find on the subject of using the integrated login with
|NT and CVSNT. What I can't figure out is: Should I be able
|to have a *local* machine administrator account be an
|administrator for that local CVSNT installation? The behavior
|I have seen is that the user must be in the *Domain*
|Administrators group to get admin rights on the CVSNT
|installation on the LOCAL machine.
|
|I have a test network set up where I am testing CVSNT.
|However, our production environment has thousands of users in
|a user domain (single master domain model) and I am NOT an
|administrator on that domain (or even the resource domain
|where the server is). I AM an administrator on my own server
|where I want to install CVSNT. I would like to be able to
|have all users use :sspi: or :ntserver: to connect using their
|default logins, but it won't work if I have to be a Domain
|Administrator!
|
|Using cvsroot=:sspi:glen:\test
|Attempting a cvs passwd -a joeuser
|
|When logged in as DOM\gstarrett, I get "need to be an
|administrator..." error. When logged in as
|DOM\gstarrett-admin, I get no error--just works.
|
|I tried logging in as DOM\gstarrett then using a couple
|variants of cvsroot=:sspi:DOM\gstarrett-admin at glen:\test, but
|that didn't work at all ("Authentication failed")
|
|[I realize this probably isn't the way to set up domain
|account users, just trying to get an admin command to test with ;)]
|
|If I had to guess, based on what I understand of NT's
|authentication system, CVSNT isn't looking at the local groups
|list. The token given by an authentication server in the DOM
|domain wouldn't include information on the local machine group
|membership info, but it would include info on the DOM domain groups.
|
|Other notes that may be relevant:
|--I have not adjusted my SystemAuth settings, since I do want
|to use my domain accounts and not have to mirror them in the
|server's list.
|
|--In the message
|http://www.cvsnt.org/pipermail/cvsnt/2002-|April/001771.html
|
|there is a suggestion to try adding the domain user to the
|CVSROOT\admin file, but I thought that file was for :pserver:
|only?? Regardless, I tried it with several variations and it
|didn't seem to have any effect.
|
|
|
|I am using:
|
|WinXP Professional SP1 "GLEN"
| Participating in domain "DOM"
| CVSNT 1.11.1.3 (build 72)
|
|WinNT4 Server SP6a "MYDC"
| PDC (and only DC) for domain "DOM"
|
|User Accounts:
|DOM\gstarrett
| User account in DOM
| Primary login on GLEN
| In the GLEN\Administrators group
|
|DOM\gstarrett-admin
| In the DOM\Domain Admins group
| (DOM\Domain Admins is in the DOM\Administrators group as
|defaulted)
| In the GLEN\Administratos group via DOM\Domain Admins group
|
|I hate to just give up & use pserver for everything, the NT
|integrated solution is so much more elegant (and appropriate
|for our environment). Any help is appreciated. Thanks!
|
|
|Glen Starrett
|
|_______________________________________________
|cvsnt mailing list
|cvsnt at cvsnt.org http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt cvsnt downloads at march-hare.com https://www.march-hare.com/cvspro/en.asp#downcvs @CVSNT on Twitter CVSNT on Facebook
|