[cvsnt] Re: Problem connecting to repository using SSPI

Matt Schuckmann matthew_schuckmann at amat.com
Tue Aug 2 16:58:06 BST 2005


Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.


I would assume that if the user has full control he has traversal rights, am
I correct? My user currently has full control and he is still unable to
access the repository. Furthermore since I have the repository directory
shared he can browse into the repository from Explorer so I'm almost
positive that he has traversal rights. (yes I know I don't need share this
forlder for CVS to work, but having direct access to the repository is
helping me setup the repository.)

When I said use a proxy user I didn't mean run the service as a differnet
user I was talking about the option in the CVS control pannel applet called
"Run as user" or maybe this is the same thing.

I don't understand your statement about not logging in. The CVSNT
documentation discusses logining in using this protocol. It does appear to
work equally well for me either logged in or logged out.

I'm only using SSPI because it seemed like the best option for working in a
largely windows environment.

Thanks,
Matt S.

"Peter Crowther" <Peter.Crowther at melandra.com> wrote in message
news:mailman.336.1122971512.448.cvsnt at cvsnt.org...
> From: [...] Matt Schuckmann
> Are traversal rights read rights, or read write or?

Neither.  They're traversal rights - the equivalent of 'x' on
directories in UNIX if I recall.  They allow a user to use a name in a
directory path in order to reach another file, even though they cannot
read or write files in that directory, or even list the contents of the
directory.

> So even though he will never acces the repository files
> directly I need to
> give him read/write access to the repository?
> That doesn't seem right?

This is what SSPI does.  If you use SSPI, then I believe CVS
impersonates the user as it performs the file operations on the server
(no doubt Tony will correct me if I'm off here).  This has the advantage
that you can control access to the CVS repository using NTFS
permissions.  It works exactly the same way as IIS using any of its
authentication mechanisms, for example.

If you don't want the system to work in this way, you should not be
using SSPI; use one of the other protocols where the CVSNT server
doesn't have enough information to impersonate a Windows user.  As I
only use SSPI on the server I manage, I'm afraid I can't give you
further hints as to what might be an appropriate protocol in this case.

> Should I be using a proxy user for the service to run under
> or am I not understanding something?

No.  The CVSNT service must run as LocalSystem, otherwise it can't do
the impersonation mentioned above.


I can demonstrate a working system where the user accessing the
repository (on Win2K, not 2K3) is an Active Directory user, and the CVS
repository is not on the domain controller.  So, no, you don't need to
create a user on the CVSNT server as long as both it and the client are
domain members and the user is logged in using their domain account.

By the way, you mentioned that you could perform a CVS login?  Under
SSPI, this is one thing you definitely should *not* be doing.  Have you
tried SSPI without starting with a login?  (and, indeed, after forcing a
logout)?

- Peter





More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook