[cvsnt] RE: Impersonation failed

Tony Hoyle tmh at nodomain.org
Thu Oct 10 09:10:42 BST 2002


On Wed, 09 Oct 2002 15:43:06 +0300, Andrus Suitsu wrote:

> It fails in the nt_setuid method of setuid.c. Around line 330 there is twice
> a call to LsaEnumerateAccountRights. It looks like the first call never
> succeeds; it returned FILE_NOT_FOUND system error after I converted the
> NTSTATUS code to system error code. The second occurrence I didn't do a
> complete trace since it was a loop, but encountered error codes 2 and 5
> (access denied) in the first few loop cycles. The net result is that the
> final call to NtCreateToken fails always.

The account that cvs is initially running as must have 'Create a process
token'.  It probably must also be an administrator, but I haven't checked
too deeply on that.  Running as LocalSystem should give you enough rights
to do this.

On an Active Directory domain this right can be quite difficult to enable
- I had to enable it in about 3 or 4 different places before it 'stuck'
(mostly due to my lack of knowledge about AD, probably).

> What could be wrong? Why can SSPI impersonate and pserver cannot?

Pserver needs to use a hack to impersonate because of a deficiency
in the Win32 API (even administrators can't impersonate without the
plaintext password of the user, which is too insecure to be worth even
thinking about).
 
> I really need pserver, lots of programs we use around here have built-in
> support only for pserver. SSPI is only useful for WinCVS usage.

Anything which calls a cvs.exe should be able to use sspi if you just swap
it with the cvsnt exe/dlls.  

I could backport gserver from the development tree now I've got it working
with AD, which is standard enough that even unix clients should be able to
use it.  That'll have to wait a few days though.

Tony
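The reply above hinges on whether the account cvs runs as actually holds the user right it needs. The Windows name for that right is "Create a token object" (SeCreateTokenPrivilege), and, as Tony notes, on an AD domain it is easy to set it in one place without it taking effect. The script below is an added diagnostic, not part of cvsnt or this thread: it exports the local user-rights policy with `secedit` and reports whether a given account (or its SID) is among the holders of SeCreateTokenPrivilege. The account name is a placeholder; it assumes you run it elevated on the server.

```powershell
# Added diagnostic (not cvsnt code): does $Account hold SeCreateTokenPrivilege
# ("Create a token object") according to the policy applied on this machine?
# Run in an elevated PowerShell on the server that runs cvs.
param(
    # Assumption: the service account cvs is started as; adjust as needed.
    [string]$Account = 'NT AUTHORITY\SYSTEM'
)

# Resolve the account to its SID, because secedit lists rights holders as *SID.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$line = Get-Content $cfg | Where-Object { $_ -match '^SeCreateTokenPrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'SeCreateTokenPrivilege is assigned to no account in the applied policy.'
    exit 1
}

# Right-hand side is a comma-separated list of *SID entries (or plain names).
$holders = ($line -split '=', 2)[1].Trim() -split ',' |
    ForEach-Object { $_.Trim().TrimStart('*') }

if ($holders -contains $sid -or $holders -contains $Account) {
    Write-Output "$Account ($sid) holds SeCreateTokenPrivilege."
    exit 0
}

Write-Output "$Account ($sid) does NOT hold SeCreateTokenPrivilege."
Write-Output "Current holders: $($holders -join ', ')"
exit 1
```

Because the export reflects the policy actually applied to the machine rather than what was typed into a GPO editor, it is a direct way to confirm that a domain setting has "stuck" after a `gpupdate`. A non-zero exit means the NtCreateToken path will keep failing regardless of how the cvs service itself is configured, so that is the thing to fix first; if the account does hold the right but the process still fails, compare against `whoami /priv` run as that account to check the right is present in the running token.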