[cvsnt] problem with domain users and impersonation

Rolf Wilms rwilms at csc.com
Thu Jul 3 20:03:17 BST 2003




On a domain controller, you may specify that a user may
 a) log on to all computers in the domain or
 b) specify a list of up to eight computers the user may log on to

If option b) is used and the CVSNT server is not on the list of these eight
computers, CVSNT does not allow this user to log in. The message is:

 C:\>cvs -d :pserver:dseTest@127.0.0.1:d:\cvsntroot login
 Logging in to :pserver:dseTest@127.0.0.1:2401d:\cvsntroot
 CVS password: *******
 cvs [login aborted]: authorization failed: server 127.0.0.1 rejected access to d:\cvsntroot for user dseTest

If option a) is used and the CVSNT server is on the list of these eight
computers, there is no problem. However, in this case the user may log in to
the server's terminal, which is not wanted.

The problem also applies to SSPI, not only pserver.

We've found ways around this, i.e. using local users instead of domain users
(double admin work) or revoking the right to log in on the server locally
(but the CVSNT server still blocks one of these eight valuable slots).

As far as I've seen, CVSNT uses the Windows functions LookupAccountName and
LogonUser. I've written a small test program which uses these functions to
check for which users they work. LookupAccountName works in any case
(options a and b), but LogonUser only for option b). The GetLastError code
then is 1329 (user may not log on to this computer).

An idea now would be the following: instead of using LogonUser for
authentication, use SSPI APIs as described in
 http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b180548

However I'm not sure if this would work. Using the SSPI protocol (from the
client to the CVSNT server) already doesn't work with option b). In this
case, does the server use the SSPI protocol to authenticate the user
(against the domain), or does it also use LogonUser here?

Or any other clue to avoid specifying the CVSNT server on that list of eight
computers?

Thanks,
Rolf
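
A LogonUser probe of the kind the post describes, as an added example that is neither the poster's test program nor CVSNT code. The two logon types tried, the `classify_logon_error` helper and its cause classes are assumptions of this example; the error constants are the winerror.h values, including the 1329 quoted above.

```c
/* Added example, not CVSNT source: classify why LogonUser refuses an account. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>   /* link with advapi32 */
#else                  /* winerror.h values so the classifier builds off Windows */
#define ERROR_LOGON_FAILURE          1326UL
#define ERROR_ACCOUNT_RESTRICTION    1327UL
#define ERROR_INVALID_WORKSTATION    1329UL
#define ERROR_LOGON_TYPE_NOT_GRANTED 1385UL
#endif
enum logon_class { LOGON_OK, LOGON_BAD_CREDENTIALS, LOGON_POLICY_DENIED, LOGON_OTHER };

/* Map a GetLastError value from LogonUser to a cause; *name gets the symbol. */
enum logon_class classify_logon_error(unsigned long err, const char **name)
{
    switch (err) {
    case 0: *name = "success"; return LOGON_OK;
    case ERROR_LOGON_FAILURE:       /* unknown user name or bad password */
        *name = "ERROR_LOGON_FAILURE"; return LOGON_BAD_CREDENTIALS;
    case ERROR_ACCOUNT_RESTRICTION:
        *name = "ERROR_ACCOUNT_RESTRICTION"; return LOGON_POLICY_DENIED;
    case ERROR_INVALID_WORKSTATION: /* 1329, the code reported in the post */
        *name = "ERROR_INVALID_WORKSTATION"; return LOGON_POLICY_DENIED;
    case ERROR_LOGON_TYPE_NOT_GRANTED: /* logon right revoked on this machine */
        *name = "ERROR_LOGON_TYPE_NOT_GRANTED"; return LOGON_POLICY_DENIED;
    default: *name = "unclassified"; return LOGON_OTHER;
    }
}

int main(int argc, char **argv)
{
#ifdef _WIN32
    /* Usage: probe <user> <domain>, password on stdin; use a test account. */
    static const DWORD types[] = { LOGON32_LOGON_NETWORK, LOGON32_LOGON_INTERACTIVE };
    char pw[256];
    if (argc != 3 || !fgets(pw, sizeof pw, stdin)) return 2;
    pw[strcspn(pw, "\r\n")] = '\0';
    for (int i = 0; i < 2; i++) {
        HANDLE tok = NULL;
        const char *name;
        DWORD err = LogonUserA(argv[1], argv[2], pw, types[i],
                               LOGON32_PROVIDER_DEFAULT, &tok) ? 0 : GetLastError();
        enum logon_class c = classify_logon_error(err, &name);
        if (tok) CloseHandle(tok);
        printf("logon type %lu: error %lu (%s), class %d\n",
               (unsigned long)types[i], (unsigned long)err, name, (int)c);
    }
    SecureZeroMemory(pw, sizeof pw);   /* do not leave the password in memory */
#else
    (void)argc; (void)argv;
    puts("LogonUser is Windows-only; only the classifier is built here.");
#endif
    return 0;
}
```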



