[cvsnt] SSPI Problems

Bob Provencher bob at aesirsoft.com
Fri Dec 30 02:43:15 GMT 2005


Arthur -

The passwords are the same for the client and server by design, I set them
up that way.  The usernames are the same also, but they are not the same
accounts of course since there is no trust.

There is no domain on the server, it is a standalone Windows 2003 server that
is not part of any domain.

Previously, sending username and password worked, similar to how you can
connect to a share on another machine with no trust.

I don't think what you are now seeing is correct behavior.  I should be able
to authenticate to a server with no trust using either a local or domain
account username/password on the target server, using either
servermachinename\username or serverdomain\username and a password.  

To see what I mean try mapping a drive.  You can connect using your current
account or a "different username" which is supported for exactly this
reason, mapping in a non-domain or non-trust environment.

>> I imagine that the only way it will work is with:
>> :sspi:SERVERMACHINELOCALDOMAIN\servername:/repositoryname

I don't know how you've implemented SSPI, but that is not correct syntax for
a username.  In a domain environment you specify DOMAIN\username, in a
non-domain it's machinename\username.

>> Depending on the version of Windows on your server you may also need to
>> force the encryption to a lower level:
>> :sspi;force=NTLM:SERVERMACHINELOCALDOMAIN\servername:/repositoryname

I'll play with that, but again that is not correct syntax.

-- Bob

-----Original Message-----
From: Arthur Barrett [mailto:arthur.barrett at march-hare.com] 
Sent: Thursday, December 29, 2005 10:18 PM
To: Bob Provencher; cvsnt at cvsnt.org
Subject: RE: [cvsnt] SSPI Problems

Bob,

> A server can authenticate a user as a local account.  
> This has nothing to do with a trust relationship.  
> The usual way to do this is to specify 
> MACHINENAME\username instead of DOMAINNAME\username.

The problem is this (from your original message):
> The username and password on the client are the same 
> as that on the domain.

If you are logging into the client on a domain, and onto the server as a
local user then the passwords will not be the same (or at least not
guaranteed to be the same, and the authentication tokens will certainly
not be the same).

The way that CVSNT Server processes the authentication tokens was
improved (to be more reliable) in 2.5.02, and has probably broken this
setup.  However what you are now seeing I *think* is the correct
behaviour.

I imagine that the only way it will work is with:
:sspi:SERVERMACHINELOCALDOMAIN\servername:/repositoryname

Depending on the version of Windows on your server you may also need to
force the encryption to a lower level:
:sspi;force=NTLM:SERVERMACHINELOCALDOMAIN\servername:/repositoryname

If you have ever used the passwords in the CVSROOT, you may have to
clear it from the registry...

Regards,



Arthur Barrett





