> > we have a Linux (RH-Fedora Core 2) Server authenticating to Active
> > Directory using Kerberos 5 and winbind. I've setup cvs (cvs-1.11.18 from
>
> winbind uses NTLM to connect and is unrelated to active directory.
> kerberos is rather difficult to configure, which is why few people use
> it. It does work when it's got right though.

Well there you are right. It was rather difficult to configure, but after quite some time I got it working (on Unix). Why doesn't it work the same on Windows?

> > linux-machines. SSH(!)-GSSAPI-authentication also works from
> > Windows-machines using the newest putty from css-security.com without
> > providing a password simply using the windows-credentials. Is there a
> > way
>
> They use MIT kerberos not Active Directory.

Do you mean SSH/Putty? This version actually works from Windows with no MIT kerberos installed on the Windows-machine authenticating to an MIT-kerberos Unix-ssh-server without providing a password, using the default windows-credentials!

> There is an MIT version of
> gssapi for cvsnt but it's only built by default for the Unix versions -
> it's possible to build a Windows version (probably, haven't done it for
> a while) if you're primarily using MIT to connect.

No, I don't really want to install MIT-kerberos on the Windows machines (I'm responsible for several of them).

> > I've been trying to use the newest cvsnt using gserver-authentication and
> > I always got the error-message
> > GSSAPI authentication failed: The specified target is unknown or
> > unreachable
>
> Your windows machine must be logged into the active directory and the
> server must be registered correctly... this is nontrivial (MS like you
> to use their own tools and don't make running servers on Unix boxes easy).
> The error returned there means that cvs at machine is not a registered SPN.
> You can do this using ktpass and setspn.

I've gone through all of this. cvs/machine is a registered SPN and as I said, everything works perfectly from Unix-CVS-Clients. As you state this hasn't been trivial but now it works! Is it possible that there's a problem with the encryption types or case-settings of the SPN? I have one single SPN called cvs/wodka2deg.deg.ds at DS. Should I have additional like CVS/... or CVS/WODKA2DEG or cvs/wodkadeg?

> > providing a password simply using the windows-credentials. Is there a way
> > to do Single Sign On (SSO) from Windows-Machines to our CVS-Server? If
>
> If you have winbind working the easiest way is to simply uncomment the
> WinbindWrapper line in /etc/cvsnt/PServer which enables SSPI.

What exactly does this WinbindWrapper do? Is there some documentation about that? How does the Unix-CVSNT-Server verify the credentials? Do I have to configure it itself or does it take its configuration from MIT-kerberos? Why can't I connect directly using gssapi from the Windows-machine as there's MIT-kerberos installed, too?

Thanks in advance for any help.

Yours
Andreas Bergen