[cvsnt] Permission denied error

Jonas Bergvall jonas.bergvall at ibitec.se
Thu Dec 19 10:10:53 GMT 2002


Hi,

Now I know, this is a Win2k/AD error (now I've looked at the readme.nt file :)). Impersonation using pserver and using an AD domain requires the 'Create a token object' permission. However, enabling this for "Everyone" on the CVS server box (Local Security Policy/Local Policies/User rights Assignment) gives the same poor result. Turning off Impersonation for the CVS service does the trick. But that's not a sustainable solution.

Anyone with a complete answer to the question in http://www.cvsnt.org/pipermail/cvsnt/2002-February/000804.html?

Thanks,
Jonas

-----Original Message-----
From: Jonas Bergvall [mailto:jonas.bergvall at ibitec.se]
Sent: den 18 december 2002 14:08
To: Cvsnt at Cvsnt. Org (E-mail)
Subject: RE: [cvsnt] Permission denied error


Hi,

Adding some info to last post:

If I try with "Use local users instead of domain" checked I get a "cvs [edit aborted]: jonasb: no such user". This I take as a sign that the server can identify my domain user if the option is not checked as I don't get the error message then.

What are the requirements for the CVS service to be able to execute the notify scripts? Can someone explain the permission denied for "Echo Hello" below?

Am I too weird in my explanations? If this is a newbie question I'm happy with a RTFM answer.

Thanks,
Jonas

-----Original Message-----
From: Jonas Bergvall [mailto:jonas.bergvall at ibitec.se]
Sent: den 18 december 2002 11:09
To: Cvsnt at Cvsnt. Org (E-mail)
Subject: [cvsnt] Permission denied error


Hi all,

Earlier I complained about errors trying to migrate to build 62 from 57f. Now I think I have narrowed down the problem to some kind of authentication/permission error. In 62 I couldn't login at all (my guess is the server couldn't impersonate to the user account). However, this works in 57f.

Server setup is:
 * CVSNT build 57f (installed using a local admin account) running as LocalSystem.
 * Windows 2000 in AD domain (not a DC or anything)
 * Repository and temp folders are fully controlled by everyone
 * SystemAuth=no
 * Users in passwd map to their domain user names (ok, not correct case, but does it matter?)
 * I used to have DevGuy's PCTK exe dist v. 1.6.16, but I uninstalled it to debug

In CVSROOT\notify I have:

ALL echo Hello
ALL dgnotify "%s"

Last line shouldn't be possible to execute as I have uninstalled the PCTK dist.

However, the symptom is this result from a cvs edit:

D:\Projects\cvsserver\cvsroot>cvs -t edit notify
 -> main loop with CVSROOT=:pserver:jonasb at cvs-server:/cvs
notify  jonasb  Wed Dec 18 08:12:38 2002 GMT    jonasb  D:\Projects\cvsserver\cvsroot
 -> chmod(notify,100666)
 -> copy(notify,CVS/Base/notify)
 -> rename(CVS/Baserev.tmp,CVS/Baserev)
 -> ParseInfo(E:/repositories/cvs/CVSROOT/notify, cvsroot, ALL)
S-> run_popen(echo Hello)
cvs server: Script execution failed
cvs server: cannot write entry to notify filter: echo Hello: Permission denied
S-> run_popen(dgnotify "JonasB")
cvs server: Script execution failed
cvs server: cannot write entry to notify filter: dgnotify "JonasB": Permission denied

Note that I get a permission denied trying to execute a script/exe that doesn't exist! Do I miss some fork privileges or what for LocalSystem (or the JonasB account)? When the server tries to execute the scripts (S-> run_popen(echo Hello)), isn't it still running as LocalSystem?

When I tried to run the service under the local admin account I got an impersonation error, so I guess the impersonation works using the LocalSystem account. The question is what could cause the permission error? Can the server silently fail the impersonation if it can't find the domain user? But the same user can check in/out and commit files.

I wish I was more familiar with the Windows security system... :(

Hope anyone has a clue.

Regards,
Jonas

_______________________________________________
cvsnt mailing list
cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
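
Added example, not part of the original message or of CVSNT: the post above mentions assigning 'Create a token object' to "Everyone" under User Rights Assignment. This sketch parses a policy export made with `secedit /export /cfg policy.inf /areas USER_RIGHTS` and reports which principals hold SeCreateTokenPrivilege (the internal name of that right), flagging broad groups. The sample policy text and the function names are constructed for illustration.

```python
# Added example: audit who holds "Create a token object" (SeCreateTokenPrivilege)
# in a secedit policy export. Function names here are hypothetical.
import configparser

# Well-known SIDs that cover very large sets of accounts.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
}

# Constructed sample of an exported policy (not taken from the original post).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-1-0,*S-1-5-18
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
[Version]
signature="$CHICAGO$"
Revision=1
"""

def holders(inf_text, privilege):
    """Return the principals assigned `privilege` in a secedit export."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep privilege names exactly as exported
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return []
    raw = cp.get("Privilege Rights", privilege, fallback="")
    # SIDs are written with a leading '*'; account names appear without it.
    return [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]

def broad_holders(inf_text, privilege="SeCreateTokenPrivilege"):
    """Return (principal, friendly name) pairs for overly broad assignments."""
    found = []
    for p in holders(inf_text, privilege):
        if p in BROAD_SIDS:
            found.append((p, BROAD_SIDS[p]))
        elif p.lower() == "everyone":  # unresolved account name form
            found.append((p, "Everyone"))
    return found

if __name__ == "__main__":
    for sid, name in broad_holders(SAMPLE_INF):
        print(f"SeCreateTokenPrivilege granted to {name} ({sid})")
```

A real export is written as UTF-16, so read it with `open(path, encoding="utf-16").read()` before passing the text to `broad_holders`.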
