Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
> From: [...] Matt Schuckmann > Are traversal rights read rights, or read write or? Neither. They're traversal rights - the equivalent of 'x' on directories in UNIX if I recall. They allow a user to use a name in a directory path in order to reach another file, even though they cannot read or write files in that directory, or even list the contents of the directory. > So even though he will never acces the repository files > directly I need to > give him read/write access to the repository? > That doesn't seem right? This is what SSPI does. If you use SSPI, then I believe CVS impersonates the user as it performs the file operations on the server (no doubt Tony will correct me if I'm off here). This has the advantage that you can control access to the CVS repository using NTFS permissions. It works exactly the same way as IIS using any of its authentication mechanisms, for example. If you don't want the system to work in this way, you should not be using SSPI; use one of the other protocols where the CVSNT server doesn't have enough information to impersonate a Windows user. As I only use SSPI on the server I manage, I'm afraid I can't give you further hints as to what might be an appropriate protocol in this case. > Should I be using a proxy user for the service to run under > or am I not understanding something? No. The CVSNT service must run as LocalSystem, otherwise it can't do the impersonation mentioned above. I can demonstrate a working system where the user accessing the repository (on Win2K, not 2K3) is an Active Directory user, and the CVS repository is not on the domain controller. So, no, you don't need to create a user on the CVSNT server as long as both it and the client are domain members and the user is logged in using their domain account. By the way, you mentioned that you could perform a CVS login? Under SSPI, this is one thing you definitely should *not* be doing. Have you tried SSPI without starting with a login? (and, indeed, after forcing a logout)? - Peter