[cvsnt] Repository on shared drive - difference between pserver and SSPI

Tony Hoyle tmh at nodomain.org
Fri Mar 14 12:33:49 GMT 2003


On Fri, 14 Mar 2003 12:19:20 -0000, "Thomas Muller" <ttm at online.no> wrote:

>All,
>
>Accessing a repository on a different host than the one hosting CvsNT works
>fine in pserver mode, but not in SSPI. In SSPI mode authentication works
>fine, CVSROOT/config is read OK, but upon checkout a "permission denied" is
>returned to the client.
>
NT Security enforces permission checks on impersonated accounts that mean that
you can't access the network.  I'm surprised it works in pserver, since it
shouldn't (unless you have impersonation disabled, which would normally affect
SSPI too).

There is a way around it on Active Directory - you can give the user (or
service, can't remember which) delegation authority which gives network access
as an impersonated user, however this weakens the security model somewhat and
admins are understandably reluctant to do it.

Basically, if you want to put the repository on a shared drive, despite all
the recommendations against it, you must:

(a) run the service as a normal user with access to the shared resource,
(b) disable impersonation

Obviously you lose any NTFS-based access checks in this scheme.

Tony
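
As an added example (not part of the original post and not CVSNT code): Active Directory records the delegation setting mentioned above in each account's `userAccountControl` bits and `msDS-AllowedToDelegateTo` attribute, so an administrator can audit which accounts carry it. The sketch below classifies accounts from an LDIF-style export; the account names, domain and records are constructed sample data, and the parser assumes unfolded, non-base64 lines.

```python
# userAccountControl bits, as documented by Microsoft
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # sensitive, cannot be delegated
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition
# Constructed sample export (hypothetical accounts and domain)
SAMPLE_LDIF = """\
dn: CN=svc-cvs,OU=Services,DC=example,DC=test
sAMAccountName: svc-cvs
userAccountControl: 524800

dn: CN=svc-web,OU=Services,DC=example,DC=test
sAMAccountName: svc-web
userAccountControl: 16777728
msDS-AllowedToDelegateTo: cifs/files.example.test

dn: CN=admin1,OU=Admins,DC=example,DC=test
sAMAccountName: admin1
userAccountControl: 1049088

dn: CN=alice,OU=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512
"""

def parse_ldif(text):
    """Yield one dict per record; repeated attributes become lists."""
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            rec.setdefault(key, []).append(value)
        yield rec

def classify(rec):
    """Return the delegation class of one account record."""
    uac = int(rec["userAccountControl"][0])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"      # may forward a caller's identity to any service
    if rec.get("msDS-AllowedToDelegateTo"):  # only to the listed service names
        pt = uac & TRUSTED_TO_AUTH_FOR_DELEGATION
        return "constrained+protocol-transition" if pt else "constrained"
    return "protected" if uac & NOT_DELEGATED else "none"

def audit(text):
    return {r["sAMAccountName"][0]: classify(r) for r in parse_ldif(text)}

if __name__ == "__main__":
    for name, kind in audit(SAMPLE_LDIF).items():
        print(f"{name:10} {kind}")
```

Accounts reported as `unconstrained` are the ones to review first, since that setting is not limited to a list of target services.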


