[cvsnt] Anyone got :gserver: working from Linux to Win2K ?
tmh at nodomain.org
Thu Sep 19 12:34:48 BST 2002
On Thu, 19 Sep 2002 10:32:10 +0100, "Jon Rabone"
<jon.rabone at criticalblue.com> wrote:
>> You'd need an AD version of gserver. It should be possible to do but
>> code has rotted since I don't have an AD domain to test on any more
>> nobody seems that interested in it.
>> I'm not sure how you'd do it just using the MIT code. I believe it's
>> possible but requires a bit of setting up on the NT site.
>Oh. I rather thought that the point of gserver was interoperability.
>After all, ntserver and sspi are proprietary, plain password is not on
>(nothing on our networks uses plain passwords), and ssh is a hassle.
>Gserver was my great hope.
>I'd be willing to test / maintain an ADS version of cvsnt, but I was
>hoping that there was a simple "how-to" document on making MIT gserver
>work with the CVS server hosted on Win2K. Since there isn't, I will
>write one, if I ever get it going... In the meantime if anyone has any
>pointers (I've read the MS interoperability white papers) I'd be most
The problem I is that AD isn't any kind of 'standard' kerberos, except
at the protocol level. For example it doesn't support GSSAPI (it
supports the wire protocol but not the API), so you can't compile
:gserver: directly onto it (which is why we use MIT for the client),
It doesn't support 'kinit' so you can't login to a"active remote KDC,
etc. The server interface is also completely different and although
I managed to get it to work once it kept breaking so I abandoned it -
it's not very well documented how to use kerberos directly... MS want
you to always use SSPI.
What would be really nice (and a useful project for someone) would be
a native GSSAPI implematation on top of AD. Then I could compile
gserver onto it & it'd stand a chance of working automatically. In
theory all the GSSAPI functions should exist in some form in the AD
More information about the cvsnt