[cvsnt] Impersonation Windows 2003 Server

Bo Berglund bo.berglund at system3r.se
Sat Jul 26 14:31:26 BST 2003


On Sat, 26 Jul 2003 00:56:17 +0200, Marc Weidner
<epost_marc at fritz12.dyndns.org> wrote:

>Erv Walter wrote:
>>I might be misunderstanding the issue.  We have CVSNT 2.0.4 running on
>>Windows 2003 with the Impersonation Enabled checkbox checked.  We use
>>sspi to authenticate against a domain successfully.

Authentication is done using the login of the workstation from which
the client connects. SSPI manages this transparently.

>The enabled checkbox is not all. Impersonation is the mapping from one
>user to another. It is done via the passwd file in the CVSROOT
>directory. There you can map the user who communicates with the
>cvsnt-server to another system or domain user.

Wrong! Impersonation is the ability of the CVSNT service to act on
behalf of the user that is sending the cvs command to it. With
impersonation enabled CVSNT will perform all operations in the context
of the user who is sending the command and so all NTFS file system
permissions will be active.

>The user who has a cvs-account must not have an account on the machine.

Wrong again, the user *must* have a valid account in order to use the
SSPI protocol. This account can be either a local account on the CVSNT
server PC or a domain account.

>It is possible to map all users to one cvs_user, who is the only one
>who has an account on that machine.

Not with SSPI! You are confusing the issue with the way pserver works!
With SSPI there is only one single use for the passwd file and this is
to limit the system users who can also use cvs. When you run with SSPI
the passwd file can contain a list of valid accounts that are allowed
cvs connection. The passwd file in this case is a simple list of
account names, one per line. But there are other ways that are not
using the passwd file and are more manageable, for example by using
NTFS and user groups.

>And that is my problem. On Windows 2000 all is doing very fine, but on 
>Windows 2003 Server that mapping fails and I get the Impersonation 
>failed error, when I try to map user via the passwd file.

The problem here is that Microsoft upped the security of the W2003
server from that on W2K. On W2K the SYSTEM account had permission to
act in place of any user (impersonation), but in W2003 this permission
has been denied the SYSTEM account by default. So to make CVSNT work
in this scenario you need to explicitly grant this right to the SYSTEM
account. (The CVSNT service runs in the context of the SYSTEM account
until the user has been verified against the account database.)

/Bo Berglund
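Two read-only checks that follow from the reply above, written here as an added example; this is not code from the thread or from the CVSNT project. It assumes a repository root passed as $CvsRoot (default C:\cvsrepo, adjust to yours), the SSPI passwd layout the message describes (one account name per line), and that the "right to act in place of any user" the message refers to is the Windows user right SeImpersonatePrivilege ("Impersonate a client after authentication"); that last mapping is an assumption, not something the message states. The first check reports passwd entries that are pserver-style user:hash:systemuser mappings (which do nothing under SSPI) and entries that do not resolve to any local or domain account; the second lists who currently holds the impersonation right so the grant to SYSTEM can be reviewed rather than widened blindly.

```powershell
# Added example, not part of the original thread or of CVSNT itself.
# Assumed: $CvsRoot is the repository root; CVSROOT\passwd under SSPI holds
# one account name per line; SeImpersonatePrivilege is the right in question.
param(
    [string]$CvsRoot = 'C:\cvsrepo'   # assumed path; adjust for your server
)

# --- Check 1: the CVSROOT/passwd allow-list -----------------------------------
# Under SSPI the file is only a list of accounts permitted to use cvs.
# Lines shaped like user:hash:systemuser are the pserver mapping format and
# are not applied to SSPI logins, so flag them instead of trusting them.
$passwdPath = Join-Path $CvsRoot 'CVSROOT\passwd'
if (Test-Path $passwdPath) {
    Get-Content $passwdPath | ForEach-Object {
        $entry = $_.Trim()
        if ($entry -eq '' -or $entry.StartsWith('#')) { return }
        if ($entry.Contains(':')) {
            Write-Warning "pserver-style mapping has no effect under SSPI: $entry"
            return
        }
        # SSPI needs a real local or domain account behind every listed name.
        try {
            $sid = (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                       [System.Security.Principal.SecurityIdentifier])
            Write-Output ("OK      {0,-30} {1}" -f $entry, $sid.Value)
        } catch {
            Write-Warning "no local or domain account resolves for passwd entry: $entry"
        }
    }
} else {
    Write-Output 'no CVSROOT\passwd file: any account that authenticates may connect'
}

# --- Check 2: who holds the impersonation right -------------------------------
# Export the local user-rights policy and list the principals assigned
# SeImpersonatePrivilege. secedit writes the export as a UTF-16 INF file,
# which Get-Content reads via its byte-order mark.
$inf = Join-Path $env:TEMP 'cvsnt-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' }
if (-not $line) {
    Write-Output 'SeImpersonatePrivilege is not assigned to any principal in local policy'
} else {
    # Values look like *S-1-5-32-544,*S-1-5-6; a leading * marks a SID.
    $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    $systemSid = 'S-1-5-18'   # well-known SID of the LocalSystem account
    $holderSids = @()
    foreach ($h in $holders) {
        if ($h.StartsWith('*')) {
            $sid = $h.TrimStart('*')
            $holderSids += $sid
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved SID)' }
            Write-Output ("{0,-40} {1}" -f $sid, $name)
        } else {
            Write-Output ("{0,-40} {1}" -f '(name)', $h)   # policy stored a name, not a SID
        }
    }
    if ($holderSids -contains $systemSid) {
        Write-Output 'SYSTEM holds SeImpersonatePrivilege explicitly'
    } else {
        Write-Output 'SYSTEM is not listed explicitly; review the holders above before granting the right in Local Security Policy'
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it from an elevated PowerShell session on the CVSNT server itself, since secedit needs administrative rights to export the policy and account resolution for domain names needs a reachable domain controller. The script changes nothing; granting the right, if you decide it is needed, is still done by hand in Local Security Policy so the change is deliberate and auditable.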
