[cvsnt] Does gserver support impersonation (Windows Active Directory)?
tony.hoyle at march-hare.com
Fri Nov 28 18:31:41 GMT 2008
Dirk Weinhardt wrote:
> I'm using CVSNT 2.5.04 with Windows XP (server and client). I have
> managed to set up a CVSNT server that authenticates users against a
> Windows Server 2003 AD domain (I'm using the gserver protocol).
> cvsservice.exe is run as mydomain\cvs, SPN cvs/myclient.mydomain is
> mapped to mydomain\cvs. "Run as user" is set to "(client user)".
> I'd expect cvsservice.exe to spawn an instance of cvs.exe as the user
> that connects to the server (e.g. mydomain\dirk). But instead cvs.exe is
> started as mydomain\cvs.
cvs.exe is always started as LocalSystem, then it changes just after
authentication. Don't change the user for cvsservice.exe unless you're
sure you know the consequences - and when setting up definitely don't as
it'll just introduce other issues.

cvsservice.exe creates its own SPN - I'm not sure it'll even
authenticate unless it's mapped to the machine account - Kerberos is
very picky about what it allows.
> Unfortunately that prevents me from using NTFS permissions to control
> who may access the repository.
If it's not impersonating it's probably a result of changing to a
nonstandard configuration - get it working first, then start changing
things one at a time.