[cvsnt] Switch to user failed due to configuration error

Arthur Barrett arthur.barrett at march-hare.com
Fri Sep 19 07:25:04 BST 2008


Matija,

OK - after a lot of fiddling around I think the problem is that you
started trying to do this with 2.5.03 then upgraded to 2.5.04 without
deleting the passwd file and starting again.  If you start with 2.5.04
the error messages make the problem very clear.

The alternative is that you only wrote half the error message and the
problem is actually RunAsUser.

I strongly recommend that you start by reading the manual:
http://cvsnt.org/manual/html/Remote-repositories.html#Password-authenticated

What you said you did was this:

> 1. I create a repository - set it as default and initialise.
> 2. in the console I set "cvsroot=:sspi:host:/repository"
> 3. add cvsuser: "cvs passwd -a cvsuser" and set its password
> 4. I create alias users: "cvs passwd -r cvsuser -a user1"
> 5. set "cvsroot=:pserver:user1@host:/repository"
> 6. try to login with "cvs login"

That simply cannot work.  Basically you can either use 'system
authentication' (ie: windows active directory) or you can use passwd
authentication.  You can optionally use passwd authentication but there
still needs to be an active directory user.

So following your steps I get clear error messages indicating the
problem:

C:\Documents and Settings\Administrator.T3>set CVSROOT=:sspi:xp64test:/repo

C:\Documents and Settings\Administrator.T3>echo %CVSROOT%
:sspi:xp64test:/repo

C:\Documents and Settings\Administrator.T3>cvs passwd -a cvsuser
Adding user cvsuser@xp64test
New Password:
Verify Password:
cvs server: *WARNING* CVS user 'cvsuser' will not be able to log in until they are aliased to a valid system user.

C:\Documents and Settings\Administrator.T3>cvs passwd -r cvsuser -a user1
Adding user user1@xp64test
New Password:
Verify Password:
cvs [server aborted]: User 'cvsuser' is not a real user on the system.



Now I can turn systemauth off in CVSROOT/config at which point I should
in theory be able to log in as cvsuser, but clearly that won't work:

C:\Documents and Settings\Administrator.T3>set CVSROOT=:pserver:cvsuser@xp64test:/repo

C:\Documents and Settings\Administrator.T3>cvs login
Logging in to :pserver:cvsuser@xp64test:2401:/repo
CVS Password:
Fatal error, aborting.
cvs [login aborted]: cvsuser: no such user

So I also need to use the CVSNT Server Control Panel Server Settings tab
to change the "run as user" setting to something other than "client
user".

If I do that I get a new error:

C:\Documents and Settings\Administrator.T3>cvs login
Logging in to :pserver:cvsuser@xp64test:2401:/repo
CVS Password:
Fatal error, aborting.
cvs [login aborted]: XP64TEST\Administrator: Switch to user failed due to configuration error.  Contact your System Administrator.

And the ServerTraceFile shows:
21:43:18: S -> Checking protocol pserver
21:43:18: S -> Checking key PserverProtocol
21:43:18: S -> Authentication protocol :pserver: returned user cvsuser
21:43:18: S -> User in CVSROOT/passwd, password correct
21:43:18: S -> Host user is cvsuser
21:43:18: S -> win32switchtouser(XP64TEST\Administrator)
21:43:18: S -> win32getpwnam(XP64TEST\Administrator)
21:43:18: S -> Find netapi32.dll with the symbol DsGetDcNameW
21:43:18: S -> Call GetComputerNameW
21:43:18: S -> Authenticating server: (local)
21:43:18: S -> Trying S4u...
21:43:18: S -> S4U untranslated name: XP64TEST\Administrator
21:43:18: S -> IADS query failed: Name translation: Could not find the name or insufficient right to see name.
21:43:18: S -> S4U login returned 00000001
21:43:18: S -> Trying Setuid helper... (XP64TEST\Administrator)
21:43:18: S -> SuidGetImpersonationToken returned 00000554
21:43:18: S -> Trying NTCreateToken...
21:43:18: S -> NTCreateToken failed
21:43:18: S -> Eraseing pserver


As can be seen it is the NTCreateToken function that is failing.

The user right SeCreateTokenPrivilege (Create a Token) is required to
call NTCreateToken - on most/many editions of Windows this is already
assigned to the local system account.  On XP x64 I believe that you may
need to add it using the Local Security Policy: Computer
Configuration\Windows Settings\Security Settings\Local Policies\User
Rights Assignment.

Once that is done then restart the computer and then open the CVSNT
Server Control Panel and set the RunAsUser on the Server Settings tab to
a "normal" domain user (not an admin account).  I couldn't get it to
work unless the RunAsUser was set to a domain account - but that may be
because I'm on a domain...




Now alternatively if I follow the "normal" procedure and create an alias
user to a system user (with systemauth=yes and runasuser=clientuser)
then it all works OK without any of that fiddling around with RunAsUser
and Token rights:

C:\Documents and Settings\Administrator.T3\CVSROOT>set CVSROOT=:sspi:xp64test:/repo

C:\Documents and Settings\Administrator.T3\CVSROOT>cvs passwd -r abarrett -a cvszuser
Adding user cvszuser@xp64test
New Password:
Verify Password:

C:\Documents and Settings\Administrator.T3\CVSROOT>set CVSROOT=:pserver:cvszuser@xp64test:/repo

C:\Documents and Settings\Administrator.T3\CVSROOT>cvs login
Logging in to :sspi:Administrator@xp64test:2401:/repo
CVS Password:

> The problem persist only on win xp pro 64bit. The same 
> procedure on the same machine on xp pro 32bit works 
> without a problem - but the 32bit system is 
> not an option...

I suspect what you are seeing with the 32 bit system is 2.5.03
performing badly - as far as I can tell 2.5.04 on x32 and x64 are both
performing identically and correctly.  

It may be easier to bypass all this token stuff if we switched from
using setuid.dll to use cyglsa64.dll and modify the calling code in
trysuid() of cvsnt/Windows-NT/win32.cpp:
http://cygwin.com/cgi-bin/cvsweb.cgi/src/winsup/lsaauth/?cvsroot=src

All my testing was done using the 2.5.04 minimum server installer from
the web site and a clean install of XP x64 (no patches or servicepacks).

Regards,


Arthur Barrett
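
The fallback chain visible in the ServerTraceFile excerpt above can be summarised with a short script. This is an added example, not part of the original message and not CVSNT code; it assumes the trace line layout shown in the message, and treating the "Eraseing" entry as the end of the switch attempt is a guess from that single trace.

```python
import re

# A subset of the ServerTraceFile entries quoted in the message above; one
# entry is deliberately kept wrapped onto a second line to exercise rejoining.
TRACE = r"""
21:43:18: S -> Host user is cvsuser
21:43:18: S -> win32switchtouser(XP64TEST\Administrator)
21:43:18: S -> win32getpwnam(XP64TEST\Administrator)
21:43:18: S -> Trying S4u...
21:43:18: S -> S4U untranslated name: XP64TEST\Administrator
21:43:18: S -> IADS query failed: Name translation: Could not find the
name or insufficient right to see name.
21:43:18: S -> S4U login returned 00000001
21:43:18: S -> Trying Setuid helper... (XP64TEST\Administrator)
21:43:18: S -> SuidGetImpersonationToken returned 00000554
21:43:18: S -> Trying NTCreateToken...
21:43:18: S -> NTCreateToken failed
21:43:18: S -> Eraseing pserver
"""

ENTRY = re.compile(r"^\d\d:\d\d:\d\d: S -> (.*)$")
SWITCH = re.compile(r"^win32switchtouser\((.+)\)$")
TRYING = re.compile(r"^Trying (.+?)\.\.\.")

def entries(text):
    """Return trace messages with wrapped continuation lines rejoined."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            out.append(m.group(1))
        elif line.strip() and out:
            out[-1] += " " + line.strip()   # no timestamp: continuation
    return out

def switch_attempts(text):
    """Return (target user, [(method, [messages logged under it]), ...])."""
    user, attempts = None, []
    for msg in entries(text):
        if SWITCH.match(msg):
            user, attempts = SWITCH.match(msg).group(1), []
        elif TRYING.match(msg):
            attempts.append((TRYING.match(msg).group(1), []))
        elif msg.startswith("Eraseing"):    # assumed end of the attempt block
            break
        elif attempts:
            attempts[-1][1].append(msg)
    return user, attempts

if __name__ == "__main__":
    user, attempts = switch_attempts(TRACE)
    print("switch to", user)
    for method, msgs in attempts:
        print(f"  {method}: {msgs[-1] if msgs else '(nothing logged)'}")
```
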




