Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
I've done some more investigation of this problem. I installed
CVSNT 2.0.51 on an XP box and got the same behavior. Apparently,
the problem isn't specific to Windows Server 2003.
Here's what a failure audit looks like on my XP box:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: CVSNT
Authentication Package: Negotiate
Workstation Name: IS-TLACY
Status code: 0x80090302
Substatus code: 0x0
First, I was mistaken, I'm not seeing these failure audits
all the time. They're happening only when cvs operations
happen (e.g. I can make one happen with just a "cvs ls").
Since Tony says this has to do with SSPI, I installed the
server (and client - I'm testing from the same machine that
the server is installed on) without the SSPI protocol
enabled. Only pserver is enabled. That didn't make any
difference. I still see the failure audits in the log.
It appears to me that the CVSNT client (or maybe *any*
CVS client, since we usually use the CVS client built into
WSAD 5.1.2 - basically Eclipse 2.x ) is causing this.
Here's some more configuration detail:
Here's our config file:
----------
# Set this to `no' if pserver shouldn't check system users/passwords
#SystemAuth=yes
SystemAuth=no
# Put CVS lock files in this directory rather than directly in the
repository.
# (Depreciated. Only honoured if LockServer=none)
#LockDir=/var/lock/cvs
# Alternate location of CVS LockServer. Set to 'none' to disable..
#LockServer=localhost:2402
# Set `TopLevelAdmin' to `yes' to create a CVS directory at the top
# level of the new working directory when using the `cvs checkout'
# command.
#TopLevelAdmin=no
# Set `LogHistory' to `all' or `TOFEWGCMAR' to log all transactions to
the
# history file, or a subset as needed (ie `TMAR' logs all write
operations)
#LogHistory=TOFEWGCMAR
# Set `RereadLogAfterVerify` to control rereading of the log file after
a verifymsg
# `always` or `yes` to always reread the log regardless
# `never` or `no` (default) to never reread the log
#RereadLogAfterVerify=no
----------
In the "Advanced" tab of the CVSNT service control panel, we've
got the following options enabled (only)
"Impersonation enabled"
"Use local users for pserver authentication instead of domain users"
"Lockserver listens locally only"
"Encryption" and "Compression" are set to "Optional"
We've got a local "cvsuser" in the local "CVSUsers" group. The CVSUsers
group
has permission to access the repository and the "Temp" directory under
C:\Program Files\cvsnt.
All other users are aliased to "cvsuser" in the passwd file. The admin
file lists cvsuser.
The cvsnt services are running as the "local system" user.
Is it safe to ignore these failure audits? Its just that
my system admin is bugging me about it because we're
seeing thousands of these in the log.
I can't find any other service that's using SSPI, and I'm
definitely only seeing the failure audits when a CVS client
accesses the server. The PIDs listed in the failure audits
on the Win2k3 server appear to be transient, since we don't
see them in the task manager.
------------------------------------------------------------
Terry Lacy
Systems Analyst
SL County IS "It is better to light a
flamethrower than curse the
darkness."
Terry Pratchett
------------------------------------------------------------