[cvsnt] Re: Problem connecting to repository using SSPI

Peter Crowther Peter.Crowther at melandra.com
Tue Aug 2 09:31:43 BST 2005

> From: [...] Matt Schuckmann
> Are traversal rights read rights, or read write or?

Neither.  They're traversal rights - the equivalent of 'x' on
directories in UNIX if I recall.  They allow a user to use a name in a
directory path in order to reach another file, even though they cannot
read or write files in that directory, or even list the contents of the

> So even though he will never access the repository files 
> directly I need to
> give him read/write access to the repository?
> That doesn't seem right?

This is what SSPI does.  If you use SSPI, then I believe CVS
impersonates the user as it performs the file operations on the server
(no doubt Tony will correct me if I'm off here).  This has the advantage
that you can control access to the CVS repository using NTFS
permissions.  It works exactly the same way as IIS using any of its
authentication mechanisms, for example.

If you don't want the system to work in this way, you should not be
using SSPI; use one of the other protocols where the CVSNT server
doesn't have enough information to impersonate a Windows user.  As I
only use SSPI on the server I manage, I'm afraid I can't give you
further hints as to what might be an appropriate protocol in this case.

> Should I be using a proxy user for the service to run under 
> or am I not understanding something?

No.  The CVSNT service must run as LocalSystem, otherwise it can't do
the impersonation mentioned above.

I can demonstrate a working system where the user accessing the
repository (on Win2K, not 2K3) is an Active Directory user, and the CVS
repository is not on the domain controller.  So, no, you don't need to
create a user on the CVSNT server as long as both it and the client are
domain members and the user is logged in using their domain account.

By the way, you mentioned that you could perform a CVS login?  Under
SSPI, this is one thing you definitely should *not* be doing.  Have you
tried SSPI without starting with a login?  (and, indeed, after forcing a

		- Peter
