[Cvsnt] Cant get any remote protocols working - please help

Bo Berglund Bo.Berglund at system3r.se
Mon Feb 18 16:11:40 GMT 2002


I think that Tony added in the requirement that users are specified in the passwd file
in order to make cvsnt more in line with the standard cvs where you validate users in
this file. I think it happened around build 41 too...
So you are indeed relying on a broken part that has later been fixed.

/Bo


-----Original Message-----
From: Brian Smith [mailto:brian-l-smith at uiowa.edu]
Sent: den 18 februari 2002 12:13
To: Bo Berglund
Subject: Re: [Cvsnt] Cant get any remote protocols working - please help


I tried with a passwd file too, with no username. It still doesn't work.
Build 41 (the last "stable" build) works fine in the same
configuration. With the demonstration patch that I put on the mailing
list, I was able to get impersonated using NTSERVER mode and checkout
files without any problem.

So, I don't know what the deal is. I expect that this is a bug in the 
beta, or I was relying on some kind of broken behaviour with Build 41.

Thanks,
Brian

Bo Berglund wrote:
> Not knowing the low-level details, for what it's worth here is what I found:
> When you use ntserver you are authenticated by Windows using the pipe.
> But the passwd file is still used by the CVS system, because that is a
> secondary validation. CVS will only accept users that have been entered
> into the passwd file. When using the ntserver protocol it does not matter
> which password is stored in the file, in fact I found out that the only
> item needed is the login name of the users who are legitimate CVS users.
> My guess is that this is the normal way for CVS to screen ordinary users
> from cvs users and only allowing certain users access to the repository.
> 
> In any case I am running with cvsnt (latest build from HEAD revision) and
> WinCvs 1.3 (also using HEAD here). I am using ntserver and I had to enter
> usernames into passwd to make it work. But there is no password at all in
> the file.
> 
> /Bo
> 
> -----Original Message-----
> From: Brian Smith [mailto:brian-l-smith at uiowa.edu]
> Sent: den 18 februari 2002 11:44
> To: cvsnt at cvsnt.org
> Subject: Re: [Cvsnt] Cant get any remote protocols working - please help
> 
> 
> Sure, I know the patch isn't acceptable. However, it seems to work 
> (denying and accepting requests correctly) in my testing for NTSERVER 
> mode (no passwd file, SystemAuth=yes). I don't really know anything 
> about this stuff, so I'm learning as I go. Please correct my mistakes.
> 
> My understanding is that NTSERVER mode doesn't need to do the password 
> checking in my situation. Since I used a named pipe to connect (that is 
> what NTSERVER is), then I should have already been authenticated through 
> the named pipe (inside of ntserver_auth_protocol_connect), correct? If 
> so, why does the server try to authenticate me again with a password 
> (which it has no way of knowing)?
> 
> Here is the call-stack that I get for LogonUser (which fails):
> 
>       server_authenticate_connection()
>       check_password()
>       win32_valid_user("SmithBL", NULL, NULL)
>       LogonUser("SmithBl", NULL, NULL,
>                 LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
>                 user);
> 
> Thanks,
> Brian
> 
> Tony Hoyle wrote:
> 
>>Brian Smith wrote:
>>
>>
>>>It seems that CVSNT is still trying to authenticate the user with 
>>>LogonUser even when SystemAuth=yes, and even when it doesn't even have 
>>>a password to use. I think that the server needs to check the 
>>>SystemAuth setting before trying any password-checking. For example, 
>>>the attached patch seems to work for my setting (but, I don't use any 
>>>passwd file at all). The patch has a "_asm int 3;" breakpoint in it so 
>>>that you can start debugging at what I think is the right spot.
>>>
>>>
>>SystemAuth=Yes means first check the passwd file, then check the system 
>>users (Using LogonUser).
>>SystemAuth=No means only check the passwd file.
>>
>>There has been a long-standing redundant check in the ntserver case, 
>>which I've removed in the latest CVS, however removing all the checking 
>>is not the correct way to go about it (your patch would break every 
>>other protocol & leaves your cvs server wide open).
>>
>>Tony
>>
>>

_______________________________________________
Cvsnt mailing list
Cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
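
Added example (not part of the thread and not CVSNT source): a simplified C model of the check order Tony describes for SystemAuth, with the ntserver shortcut scoped to that protocol, next to an over-broad skip of the kind he warns about. All function names, the sample passwd entries and the stand-in for LogonUser are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of the policy discussed in this thread; NOT CVSNT source.
 * Every identifier and all sample data below are hypothetical/constructed. */
enum proto { PROTO_PSERVER, PROTO_NTSERVER };
struct entry { const char *user; const char *pw; /* NULL: no password stored */ };

static const struct entry passwd_file[] = {   /* constructed passwd contents */
    { "SmithBL", NULL },
    { "alice",   "repo-secret" },
};

static const struct entry *lookup(const char *user) {
    for (size_t i = 0; i < sizeof passwd_file / sizeof passwd_file[0]; i++)
        if (strcmp(passwd_file[i].user, user) == 0) return &passwd_file[i];
    return NULL;
}

/* Stand-in for the OS credential check (LogonUser in the thread). */
static bool system_logon(const char *user, const char *pw) {
    return pw != NULL && strcmp(user, "bob") == 0 && strcmp(pw, "win-secret") == 0;
}

/* Scoped policy: only the pipe-authenticated protocol skips the password. */
bool auth_scoped(enum proto p, bool system_auth, const char *user, const char *pw) {
    const struct entry *e = lookup(user);
    if (p == PROTO_NTSERVER)          /* named pipe already authenticated caller */
        return e != NULL;             /* passwd acts as an allow-list only */
    if (e != NULL && e->pw != NULL)   /* passwd file is consulted first */
        return pw != NULL && strcmp(e->pw, pw) == 0; /* model: plain compare */
    return system_auth && system_logon(user, pw);    /* then system users */
}

/* Over-broad policy: SystemAuth=yes skips all checking on every protocol. */
bool auth_skip_all(enum proto p, bool system_auth, const char *user, const char *pw) {
    if (system_auth) return true;     /* a password-less pserver login passes */
    return auth_scoped(p, false, user, pw);
}

int main(void) {
    /* Exit status 0 when both policies behave as the comments above state. */
    return !(auth_scoped(PROTO_NTSERVER, true, "SmithBL", NULL) &&
             !auth_scoped(PROTO_PSERVER, true, "nobody", NULL) &&
             auth_skip_all(PROTO_PSERVER, true, "nobody", NULL));
}
```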


