Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
On Wed, 17 Mar 2004, Tim Carlson wrote:
> I'm struggling a bit with how to make a Linux box running cvsnt server
> authenticate users to our windows domain.
>
> Here are the specifics.
>
> CVSNT version 2.0.34
> Linux Redhat AW 3.0
> ./configure --enable-gserver --enable-sspi
>
> I enabled the gserver bit because I though I might be able to go this
> route down the road (same with sspi).
>
> Now I have the "standard" pserver bits up and running so I can
> authenticate users against the CVSROOT/passwd file. I've set up cvs.org
> versions of cvs before so this is pretty straight forward after learning
> about the /etc/cvsnt/PServer file.
>
> What I really want to do is have the users authenticate against the active
> directory domain. I actually have this working well on the Linux machine
> for regular logins by using the krb5 pam bits and pointing kerberos to our
> AD domain. I've also joined the machine to the AD domain using Samba and
> Samba is able to authenticate shares against AD without a problem.
>
> Is there anyway I can tell the pserver to authenticate against AD instead
> of the local password file? Or do I need to use some different mechanism?
>
> I read through the Linux Install WIKI http://www.cvsnt.org/wiki/InstallationLinux
> but wasn't able to glean much more information.
>
> Any help would be appreciated.
Here is some more information about my setup. I have an
/etc/xinetd.d/cvspserver entry that takes this form
service cvspserver
{
disable = no
socket_type = stream
wait = no
user = root
group = root
log_type = FILE /var/log/cvspserver
env = 'HOME=/files0/CVS'
server = /usr/local/bin/cvs
server_args = pserver
}
I've played with setting the user/group to a user name "cvs" who is a
valid user on the system. I've done this on the past using cvs.org cvs so
that all operations run as the cvs user. If I do change the root entries
to be "cvs", then I get the following error when trying to authenticate
cvs [login aborted]: setgid failed: Operation not permitted
Not exactly sure what that implies. The cvs binary isn't setgid. For now
I'm leaving the above xinetd file with the "root" entries. I've also seen
different sources that say I should be using "authserver" instead of
"pserver" for my server_args. I assume "authserver" catches any mechanism
the client is trying to use and does the appropriate thing. I've replaced
"pserver" with "authserver" and still have the same problems.
I've uncommented the "SystemAuth=yes" line CVSROOT/config file and removed
the "CVSROOT/passwd" file following the instructions listed here
http://betty.magenta-logic.com/cvs/cvs_30.html#SEC30
but still haven't managed to authenticate users to either the krb5 server
(in my system-auth pam stack) or a local /etc/password entry.
As inidcated in the docs, if I have a CVSROOT/passwd entry like this
username:
then any supplied password will authenticate the user. This is still with
the SystemAuth=yes line in place.
Tim Carlson
Voice: (509) 376 3423
Email: Tim.Carlson at pnl.gov
EMSL UNIX System Support