[cvsnt] WinXP sspi Admin authentication: Local vs Domain?
Elliot Murphy
elliot.murphy at veritas.com
Wed Feb 19 13:40:13 GMT 2003
Is your domain account DOM\gstarrett a member of the local Administrator
group?
That would be the first thing I would try.
-elliot
|-----Original Message-----
|From: Glen Starrett [mailto:grstarrett at cox.net]
|Sent: Wednesday, February 19, 2003 12:29 AM
|To: cvsnt at cvsnt.org
|Subject: [cvsnt] WinXP sspi Admin authentication: Local vs Domain?
|
|
|I'm still very new to CVSNT, but I've read through as much as
|I can find on the subject of using the integrated login with
|NT and CVSNT. What I can't figure out is: Should I be able
|to have a *local* machine administrator account be an
|administrator for that local CVSNT installation? The behavior
|I have seen is that the user must be in the *Domain*
|Administrators group to get admin rights on the CVSNT
|installation on the LOCAL machine.
|
|I have a test network set up where I am testing CVSNT.
|However, our production environment has thousands of users in
|a user domain (single master domain model) and I am NOT an
|administrator on that domain (or even the resource domain
|where the server is). I AM an administrator on my own server
|where I want to install CVSNT. I would like to be able to
|have all users use :sspi: or :ntserver: to connect using their
|default logins, but it won't work if I have to be a Domain
|Administrator!
|
|Using cvsroot=:sspi:glen:\test
|Attempting a cvs passwd -a joeuser
|
|When logged in as DOM\gstarrett, I get "need to be an
|administrator..." error. When logged in as
|DOM\gstarrett-admin, I get no error--just works.
|
|I tried logging in as DOM\gstarrett then using a couple
|variants of cvsroot=:sspi:DOM\gstarrett-admin@glen:\test, but
|that didn't work at all ("Authentication failed")
|
|[I realize this probably isn't the way to set up domain
|account users, just trying to get an admin command to test with ;)]
|
|If I had to guess, based on what I understand of NT's
|authentication system, CVSNT isn't looking at the local groups
|list. The token given by an authentication server in the DOM
|domain wouldn't include information on the local machine group
|membership info, but it would include info on the DOM domain groups.
|
|Other notes that may be relevant:
|--I have not adjusted my SystemAuth settings, since I do want
|to use my domain accounts and not have to mirror them in the
|server's list.
|
|--In the message
|http://www.cvsnt.org/pipermail/cvsnt/2002-April/001771.html
|
|there is a suggestion to try adding the domain user to the
|CVSROOT\admin file, but I thought that file was for :pserver:
|only?? Regardless, I tried it with several variations and it
|didn't seem to have any effect.
|
|
|
|I am using:
|
|WinXP Professional SP1 "GLEN"
| Participating in domain "DOM"
| CVSNT 1.11.1.3 (build 72)
|
|WinNT4 Server SP6a "MYDC"
| PDC (and only DC) for domain "DOM"
|
|User Accounts:
|DOM\gstarrett
| User account in DOM
| Primary login on GLEN
| In the GLEN\Administrators group
|
|DOM\gstarrett-admin
| In the DOM\Domain Admins group
| (DOM\Domain Admins is in the DOM\Administrators group as
|defaulted)
| In the GLEN\Administrators group via DOM\Domain Admins group
|
|I hate to just give up & use pserver for everything, the NT
|integrated solution is so much more elegant (and appropriate
|for our environment). Any help is appreciated. Thanks!
|
|
|Glen Starrett
|
|_______________________________________________
|cvsnt mailing list
|cvsnt at cvsnt.org http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
|