Fw: [cvsnt] Problem using cvsnt and gssapi

Tony Hoyle tmh at nodomain.org
Fri Feb 4 14:38:55 GMT 2005


andreas_bergen at delmia.de wrote:
> Well there you are right. It was rather difficult to configure, but after 
> quite some time I got it working (on Unix). Why doesn't it work the same 
> on Windows?

It does, once you get AD to play ball.  On a pure Windows->Windows 
connection it even works seamlessly, and Unix->Windows is hard but can 
work (I can't work it out at the moment but have had it work in the 
past) pretty easy.  Unix servers are the pain (I once got one of those 
to work by accident and never repeated it).

> Is it possible that there's a problem with the encryption types or 
> case-settings of the SPN? I have one single SPN called 
> cvs/wodka2deg.deg.ds at DS. Should I have additional like CVS/... or 
> CVS/WODKA2DEG or cvs/wodkadeg?

You'll need an SPN for the exact machine name you're using to connect. 
(Active Directory servers always create two - one for the DNS name and 
one for the NetBIOS name).

I've actually changed the code recently to try a lot harder to work out 
the FQDN, but it's still a good idea to have both.

> What exactly does this WinbindWrapper do? Is there some documentation 
> about that? How does the Unix-CVSNT-Server verify the credentials? Do I 

http://www.samba.org/samba/docs/man/ntlm_auth.1.html

It isn't particularly well documented but there's enough there to make 
servers with.

> Why can't I connect directly using gssapi from the Windows-machine as 
> there's MIT-kerberos installed, too?

You'd need the MIT version of the gserver protocol, which isn't shipped 
by default on Win32.

Tony
