[cvsnt] WinXP sspi Admin authentication: Local vs Domain? (SOLVED)

Glen Starrett grstarrett at cox.net
Wed Feb 19 18:11:15 GMT 2003


Sorry if I wasn't clear in my original post--Yes, my DOM\gstarrett account
is in the local Administrators group.  I also managed to solve my own
problem, but I'm still uncertain this is the way it is supposed to work (see
QUESTION: below).

I found out what I was doing wrong with specifying the username in the
CVSROOT env var: I had failed to do a cvs login to send the password
(oops!).  Furthermore, I discovered how the admin file actually DOES work (I
had tried it but did it wrong).

FYI:  Specifying alternate NT username with :sspi:
===================================================
While logged in as DOM\gstarrett,
set cvsroot=:sspi:DOM\gstarrett-admin@glen:\test
cvs login
[password entry]
cvs passwd -a newuserhere
==> Works, but doesn't solve my real problem as described.

SOLUTION:  Adding non-domain admins as CVS administrators
==========================================================
I discovered that the username of the desired administrator should be
included in the admin file in CVSROOT in *each repository*, not in the
repository root.

That is, I have my CVS Repository prefix set to "c:\cvs\cvsrepos".  I had
created "c:\cvs\cvsrepos\CVSROOT\admin" file and added my username to it,
but still wasn't admin in my \test repository.  Once I realized I needed to
create this admin file as "c:\cvs\cvsrepos\test\CVSROOT\admin", everything
started working properly.

QUESTION:
=========
I would have thought the admin file would have been for site-wide admin list
(that's why I put it in the c:\cvs\cvsrepos\CVSROOT directory to start).
Was it intended to only work for one repository at a time?

Note to self:  RTFM *closer*, or in this case, Read The Fine Readme closer.

All in all, this is a VERY functional integrated CVS system.  I'm still
going to need to experiment with it to see how permissions get applied and
the level of integration with the chown / chacl / etc. commands relative to
NTFS file permissions, but it's looking very nice indeed.  If I get time,
I'll try to write up a "NT Integrated" focused version of the setup guide,
since that is the main reason why I am looking at CVSNT.

Thanks,

Glen Starrett

-----Original Message-----
From: Elliot Murphy [mailto:elliot.murphy at veritas.com]
Sent: Wednesday, February 19, 2003 6:40 AM
To: 'Glen Starrett'; cvsnt at cvsnt.org
Subject: RE: [cvsnt] WinXP sspi Admin authentication: Local vs Domain?


Is your domain account DOM\gstarrett a member of the local Administrator
group?
That would be the first thing I would try.
-elliot

|-----Original Message-----
|From: Glen Starrett [mailto:grstarrett at cox.net]
|Sent: Wednesday, February 19, 2003 12:29 AM
|To: cvsnt at cvsnt.org
|Subject: [cvsnt] WinXP sspi Admin authentication: Local vs Domain?
|
|
|I'm still very new to CVSNT, but I've read through as much as
|I can find on the subject of using the integrated login with
|NT and CVSNT.  What I can't figure out is:  Should I be able
|to have a *local* machine administrator account be an
|administrator for that local CVSNT installation?  The behavior
|I have seen is that the user must be in the *Domain*
|Administrators group to get admin rights on the CVSNT
|installation on the LOCAL machine.
|
|I have a test network set up where I am testing CVSNT.
|However, our production environment has thousands of users in
|a user domain (single master domain model) and I am NOT an
|administrator on that domain (or even the resource domain
|where the server is).  I AM an administrator on my own server
|where I want to install CVSNT.  I would like to be able to
|have all users use :sspi: or :ntserver: to connect using their
|default logins, but it won't work if I have to be a Domain
|Administrator!
|
|Using cvsroot=:sspi:glen:\test
|Attempting a cvs passwd -a joeuser
|
|When logged in as DOM\gstarrett, I get "need to be an
|administrator..." error. When logged in as
|DOM\gstarrett-admin, I get no error--just works.
|
|I tried logging in as DOM\gstarrett then using a couple
|variants of cvsroot=:sspi:DOM\gstarrett-admin@glen:\test, but
|that didn't work at all ("Authentication failed")
|
|[I realize this probably isn't the way to set up domain
|account users, just trying to get an admin command to test with ;)]
|
|If I had to guess, based on what I understand of NT's
|authentication system, CVSNT isn't looking at the local groups
|list.  The token given by an authentication server in the DOM
|domain wouldn't include information on the local machine group
|membership info, but it would include info on the DOM domain groups.
|
|Other notes that may be relevant:
|--I have not adjusted my SystemAuth settings, since I do want
|to use my domain accounts and not have to mirror them in the
|server's list.
|
|--In the message
|http://www.cvsnt.org/pipermail/cvsnt/2002-April/001771.html
|
|there is a suggestion to try adding the domain user to the
|CVSROOT\admin file, but I thought that file was for :pserver:
|only??  Regardless, I tried it with several variations and it
|didn't seem to have any effect.
|
|
|
|I am using:
|
|WinXP Professional SP1 "GLEN"
|    Participating in domain "DOM"
|    CVSNT 1.11.1.3 (build 72)
|
|WinNT4 Server SP6a "MYDC"
|    PDC (and only DC) for domain "DOM"
|
|User Accounts:
|DOM\gstarrett
|    User account in DOM
|    Primary login on GLEN
|    In the GLEN\Administrators group
|
|DOM\gstarrett-admin
|    In the DOM\Domain Admins group
|      (DOM\Domain Admins is in the DOM\Administrators group as defaulted)
|    In the GLEN\Administrators group via DOM\Domain Admins group
|
|I hate to just give up & use pserver for everything, the NT
|integrated solution is so much more elegant (and appropriate
|for our environment).  Any help is appreciated.  Thanks!
|
|
|Glen Starrett
|
|_______________________________________________
|cvsnt mailing list
|cvsnt at cvsnt.org http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
|
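
An added example, not part of the original post or of CVSNT: a small audit of which users are listed in each repository's own CVSROOT\admin under a repository prefix, flagging names that appear only in a prefix-level admin file, which the post found grants nothing. It assumes the admin file holds one username per line; the "docs" repository and the sample usernames are constructed.

```python
import os
import tempfile


def read_admins(path):
    # Assumed format: one username per line; blank lines ignored.
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


def audit_prefix(prefix):
    """Report effective admins per repository under a repository prefix."""
    stray_path = os.path.join(prefix, "CVSROOT", "admin")
    # Per the post, an admin file directly under the prefix grants nothing.
    stray = read_admins(stray_path) if os.path.isfile(stray_path) else []
    repos = {}
    for name in sorted(os.listdir(prefix)):
        cvsroot = os.path.join(prefix, name, "CVSROOT")
        if name.upper() == "CVSROOT" or not os.path.isdir(cvsroot):
            continue  # not a repository directory
        admin_path = os.path.join(cvsroot, "admin")
        admins = read_admins(admin_path) if os.path.isfile(admin_path) else []
        effective = {a.lower() for a in admins}  # Windows names: case-insensitive
        repos[name] = {
            "admins": admins,
            # Listed at the prefix level but not an admin of this repository.
            "not_applied": [u for u in stray if u.lower() not in effective],
        }
    return {"prefix_level_entries": stray, "repos": repos}


def demo():
    # Constructed layout mirroring the post: a prefix holding "test", plus a
    # hypothetical second repository "docs"; usernames are sample values.
    with tempfile.TemporaryDirectory() as prefix:
        for rel, users in [("CVSROOT", ["gstarrett"]),
                           ("test/CVSROOT", None),
                           ("docs/CVSROOT", ["GStarrett", "builduser"])]:
            d = os.path.join(prefix, *rel.split("/"))
            os.makedirs(d)
            if users is not None:
                with open(os.path.join(d, "admin"), "w", encoding="utf-8") as fh:
                    fh.write("\n".join(users) + "\n")
        return audit_prefix(prefix)


if __name__ == "__main__":
    for repo, info in demo()["repos"].items():
        print(repo, info)
```

Run against a real prefix with `audit_prefix(r"c:\cvs\cvsrepos")`; a non-empty `not_applied` list for a repository means someone expected admin rights there that the per-repository file does not give.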


