On Sat, 26 Jul 2003 00:56:17 +0200, Marc Weidner <epost_marc at fritz12.dyndns.org> wrote:

>Erv Walter wrote:
>
>>I might be misunderstanding the issue. We have CVSNT 2.0.4 running on
>>Windows 2003 with the Impersonation Enabled checkbox checked. We use
>>sspi to authenticate against a domain successfully.

Authentication is done using the login of the workstation from which the client connects. SSPI manages this transparently.

>The enabled checkbox is not all. Impersonation is the mapping from one
>user to another. It is done via the passwd file in the CVSROOT
>directory. There you can map the user, which communicates with the
>cvsnt-server to another system or domain-user.

Wrong! Impersonation is the ability of the CVSNT service to act on behalf of the user that is sending the cvs command to it. With impersonation enabled CVSNT will perform all operations in the context of the user who is sending the command and so all NTFS file system permissions will be active.

>The user who has a cvs-account must not have an account on the machine.

Wrong again, the user *must* have a valid account in order to use the SSPI protocol. This account can be either a local account on the CVSNT server PC or a domain account.

>It is possible to map all users to one cvs_user, who is the only one
>who has an account on that machine.

Not with SSPI! You are confusing the issue with the way pserver works! With SSPI there is only one single use for the passwd file and this is to limit the system users who can also use cvs. When you run with SSPI the passwd file can contain a list of valid accounts that are allowed cvs connection. The passwd file in this case is a simple list of account names, one per line. But there are other ways that are not using the passwd file and are more manageable, for example by using NTFS and user groups.

>And that is my problem. On Windows 2000 all is doing very fine, but on
>Windows 2003 Server that mapping fails and I get the Impersonation
>failed error, when I try to map user via the passwd file.

The problem here is that Microsoft upped the security of the W2003 server from that on W2K. On W2K the SYSTEM account had permission to act in place of any user (impersonation) but in W2003 this permission has been denied the SYSTEM account by default. So to make CVSNT work in this scenario you need to explicitly grant this right to the SYSTEM account. (The CVSNT service runs in the context of the SYSTEM account until the user has been verified against the account database.)

/Bo Berglund