[cvsnt] Repository on shared drive - difference between pserverand SSPI

Thomas Muller ttm at online.no
Fri Mar 14 13:05:32 GMT 2003 

[Tony Hoyle]
| NT Security enforces permission checks on impersonated accounts
| that mean that
| you can't access the network.  I'm surprised it works in pserver, since it
| shouldn't (unless you have impersonation disabled, which would
| normally affect
| sspi too).

Impersonation is in fact disabled, and as I said, pserver works fine, SSPI
doesn't. The strange thing is that in SSPI mode the network is accessed by
CvsNT (the CVSROOT/config file on the shared resource is demonstrably
accessed), but a checkout returns with permission denied.

[Tony Hoyle]
| There is a way around it on Active Directory - you can give the user (or
| service, can't remember which) delegation authority which gives
| network access
| as an impersonated user, however this weakens the security model
| somewhat and
| admins are understandably reluctant to do it.

I'm the administrator of this configuration, and I just want it to work
before I consider the security implications.

[Tony Hoyle]
| Basically, if you want to put the repository on a shared drive,
| despite all
| the recommendations against it, you must:
|
| (a) run the service as a normal user with access to the shared resource,
| (b) disable impersonation

That's what I do! I've even tried to run the service as the same user as the
one logging on to CVS in addition to granting that user all administrator
priviliges. Still won't work.

Any more ideas?

Thanks.

--

Thomas






*************************************************************************
Copyright ERA Technology Ltd. 2003. (www.era.co.uk). All rights reserved. 
The information supplied in this Commercial Communication should be treated
in confidence.
No liability whatsoever is accepted for any loss or damage 
suffered as a result of accessing this message or any attachments.

________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs SkyScan
service. For more information on a proactive anti-virus service working
around the clock, around the globe, visit http://www.messagelabs.com
________________________________________________________________________

More information about the cvsnt mailing list