[cvsnt] Can I use pserver on Linux and authenticate to Windows domain?

Tim Carlson tim.carlson at pnl.gov
Wed Mar 17 17:47:55 GMT 2004


On Wed, 17 Mar 2004, Tim Carlson wrote:

> I'm struggling a bit with how to make a Linux box running cvsnt server
> authenticate users to our windows domain.
>
> Here are the specifics.
>
> CVSNT version 2.0.34
> Linux Redhat AW 3.0
> ./configure --enable-gserver --enable-sspi
>
> I enabled the gserver bit because I thought I might be able to go this
> route down the road (same with sspi).
>
> Now I have the "standard" pserver bits up and running so I can
> authenticate users against the CVSROOT/passwd file. I've set up cvs.org
> versions of cvs before so this is pretty straightforward after learning
> about the /etc/cvsnt/PServer file.
>
> What I really want to do is have the users authenticate against the active
> directory domain. I actually have this working well on the Linux machine
> for regular logins by using the krb5 pam bits and pointing kerberos to our
> AD domain. I've also joined the machine to the AD domain using Samba and
> Samba is able to authenticate shares against AD without a problem.
>
> Is there any way I can tell the pserver to authenticate against AD instead
> of the local password file?  Or do I need to use some different mechanism?
>
> I read through the Linux Install WIKI http://www.cvsnt.org/wiki/InstallationLinux
> but wasn't able to glean much more information.
>
> Any help would be appreciated.

Here is some more information about my setup. I have an
/etc/xinetd.d/cvspserver entry that takes this form

service cvspserver
        {
                disable        = no
                socket_type    = stream
                wait           = no
                user           = root
                group          = root
                log_type       = FILE /var/log/cvspserver
                env            = 'HOME=/files0/CVS'
                server         = /usr/local/bin/cvs
                server_args    = pserver
        }

I've played with setting the user/group to a user name "cvs" who is a
valid user on the system. I've done this in the past using cvs.org cvs so
that all operations run as the cvs user. If I do change the root entries
to be "cvs", then I get the following error when trying to authenticate

cvs [login aborted]: setgid failed: Operation not permitted

Not exactly sure what that implies. The cvs binary isn't setgid. For now
I'm leaving the above xinetd file with the "root" entries. I've also seen
different sources that say I should be using "authserver" instead of
"pserver" for my server_args. I assume "authserver" catches any mechanism
the client is trying to use and does the appropriate thing. I've replaced
"pserver" with "authserver" and still have the same problems.

I've uncommented the "SystemAuth=yes" line in the CVSROOT/config file and removed
the "CVSROOT/passwd" file following the instructions listed here

http://betty.magenta-logic.com/cvs/cvs_30.html#SEC30

but still haven't managed to authenticate users to either the krb5 server
(in my system-auth pam stack) or a local /etc/password entry.

As indicated in the docs, if I have a CVSROOT/passwd entry like this

username:

then any supplied password will authenticate the user. This is still with
the SystemAuth=yes line in place.

Tim Carlson
Voice: (509) 376 3423
Email: Tim.Carlson at pnl.gov
EMSL UNIX System Support
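
The empty-password CVSROOT/passwd entry described in the message above can be checked for mechanically. The Python below is an added example, not part of the original post or of CVSNT; the function names, the sample data and the assumed user:crypt_hash[:system_user] line layout are assumptions.

```python
"""Audit CVSROOT/passwd and CVSROOT/config text for the pserver settings above."""

def empty_password_users(passwd_text):
    """Users whose passwd entry has an empty password field ("username:").

    Assumed layout: user:crypt_hash[:system_user], one entry per line.
    """
    users = []
    for raw in passwd_text.splitlines():
        line = raw.strip()
        # Assumption: blank, comment-style and colon-less lines are not entries.
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, pw_hash = line.split(":")[:2]
        if user and pw_hash == "":
            users.append(user)
    return users

def system_auth(config_text):
    """Value of an uncommented SystemAuth line, lower-cased, or None if unset."""
    value = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() == "systemauth":
            value = val.strip().lower()
    return value

def audit(passwd_text, config_text):
    """Return human-readable findings for a repository's CVSROOT files."""
    findings = [f"{u}: empty password field, any supplied password is accepted"
                for u in empty_password_users(passwd_text)]
    setting = system_auth(config_text)
    if setting is None:
        findings.append("SystemAuth is not set explicitly in CVSROOT/config")
    elif findings:
        # Per the post, the empty entry still authenticates with SystemAuth=yes.
        findings.append(f"SystemAuth={setting} does not protect the entries above")
    return findings

# Constructed sample input, not taken from a real repository.
SAMPLE_PASSWD = "alice:\nbob:ab1CdEfGhIjKl\ncarol::cvs\n"
SAMPLE_CONFIG = "#LockDir=/var/lock/cvs\nSystemAuth=yes\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_CONFIG):
        print(finding)
```

To audit a real repository, pass the contents of its CVSROOT/passwd and CVSROOT/config files to audit() in place of the constructed samples.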