[cvsnt] Disabling Windows Authentication
rfplctu02 at sneakemail.com
Thu Jul 22 21:59:40 BST 2004
On Wednesday, July 21, 2004 at 4:34 PM, Terry Lacy wrote:
> I'm using CVSNT on a Windows domain. Currently, we're using
> the default setup, which uses windows authentication.
>
> I'd like to disable the windows authentication completely
> and just use user names and passwords in the CVSROOT/passwd
> file. I'm having trouble finding step-by-step documentation
> on doing this. Is it possible? If so, how should things be set
> up on the client and server sides to accomplish this?
Okay, I'm back to answer my own question. I think I've pieced
together the steps necessary to make this happen. I'm sure that
this process is a lot more convoluted than it needs to be, but
at least it works. Your comments would be greatly appreciated.
Note that our setup is in a relatively secure intranet, so we're
not worried, for example, that pserver isn't very secure. However,
we did at least set things up so that domain passwords weren't being
transmitted over the intranet in clear-text.
Here's our procedure (apologies for the ugly formatting, I
copied it straight off of my wiki):

Server Installation
(We're using CVSNT 2.0.51 for this)
1. Create a local "cvsuser" on the server.
2. Install CVSNT. We'll start with the default installation, which
uses domain authentication, then we'll switch to CVS authentication
later (see below).
3. Check that the CVSNT install created a local group called
"CVSUsers". If it didn't, create the group manually.
4. Add the cvsuser to the CVSUsers group.
5. Using CVSNT's service control panel, create the CVS repository.
We'll call it "CVS_REPOSITORY". Using CVSNT 2.0.50 and later, it is
possible to map the location of the repository to a unix-style path
(e.g. e:\CVS_REPOSITORY can be mapped to /CVS_REPOSITORY). This should
be done when creating the repository.
6. Open up an Explorer window and browse to the repository's root
directory. On the security settings for the directory, add the CVSUsers
group and give that group full control of the repository.
7. Now, we're going to "bootstrap" into the desired configuration in
the following steps.
8. First, create a CVSROOT entry with a domain user in it. The user
must have administrator rights on the server (don't worry, we'll fix
things up later so that even CVS administrators don't need to have
administrative rights). You'll have to do this in Control
Panel/System/Advanced/Environment Variables. CVSNT doesn't seem to pick
it up if you do it from a command prompt.
For example: "set CVSROOT=:pserver:tlacy@is-tlacy:/CVS_REPOSITORY".
9. Create a directory where you can check out modules and work on
them (e.g. c:\work). Open a new command prompt in that directory.
10. Next, you'll need to log in to cvs:
cvs login (cvs will ask for your domain password)
(note: the server cvsnt is on must be on the same domain as
the user for this to work)
11. Now, check-out the CVSROOT module:
cvs co CVSROOT (this will check out the CVSROOT module under
the CWD)
12. Edit the "config" file and add the line "SystemAuth=no" near the
top of the file. Check it back in like so:
cvs commit
13. Close the current command prompt.
14. CVS is now in a state where you can't log in or use any cvs
commands. Don't try to. You could lock yourself out. We'll fix this in
the next few steps.
15. In the repository CVSROOT directory (not the one you checked out
above), create an "admin" file and a "passwd" file.
16. The "admin" file should contain a single entry: "cvsuser" (without
the quotes)
17. The "passwd" file should contain a single entry: "cvsuser:"
(without the quotes, but you must include the colon). Note that we're
initially creating this entry without a password. We'll fix that later,
don't worry.
18. Using the CVSNT service control panel, go to the "Advanced" page
and turn on "Use local users for pserver authentication instead of
domain users".
19. On the "Service Status" page, stop and then start the services.
20. Open a new command window and cd into the "work" directory you
created above.
21. Change your CVSROOT to use cvsuser:
set CVSROOT=:pserver:cvsuser@is-tlacy:/CVS_REPOSITORY
22. Log in to cvs (you'll be logging in as cvsuser this time)
cvs login
(Just hit enter at the password prompt. The current password
is blank.)
23. To add users, do something like the following:
cvs passwd -a -r cvsuser tlacy
(Do not use blank passwords when asked. You'll want to have
users enter their own passwords here (instruct them not to use their
domain passwords).)
24. One of the users you've added should be the admin user. To do
this, add the user to the "admin" file you created in the repository's
CVSROOT directory.
25. Now we'll make sure the cvsuser has a non-blank password:
cvs passwd -a cvsuser
(Enter a non-blank password. Do not use the same password as
the local "cvsuser".)
26. Log in with the new password.
cvs login
(enter cvsuser's new password)
27. Now, we don't want to use cvsuser for admin purposes on the server
machine any more, so log out:
cvs logout
28. Close the command prompt.
29. Change the CVSROOT environment variable to point to the admin user
you created above.
30. Open a command prompt and do a "cvs login" for the new user.
31. That's it! You are now ready to set up client machines.

Client Installation
We'll also install CVSNT on the client machines. However, we won't
activate the server components.
1. Install CVSNT. At the "Server Components" page, uncheck "Server
Components" and "Setuid LSA Helper". Use the defaults for everything
else.
2. Set the CVSROOT environment variable. You'll have to do this in
Control Panel/System/Advanced/Environment Variables. CVSNT doesn't seem
to pick it up if you do it from a command prompt.
For example: "set CVSROOT=:pserver:tlacy@is-tlacy:/CVS_REPOSITORY".
3. Login using "cvs login". Use the password for the user added in
the server setup above. (This is not your domain password). Note that
this password does not expire.
Once you've logged in using CVSNT, you won't have to enter the password
again to use any of the CVSNT command-line tools. You will have to enter
the password when you create new workspaces in WSAD, since WSAD uses a
separate CVS library to talk to the server.
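
Added example, not part of the original post: a small Python check that the repository's CVSROOT files ended up in the state the server steps aim for (an active SystemAuth=no line, no passwd entry left with the blank bootstrap password from step 17, every admin name present in passwd). The function name and the sample file contents are constructed for illustration.

```python
# Added example: audit CVSROOT after the bootstrap described in the post.
# File contents below are constructed samples, not real repository data.

def audit_cvsroot(config_text, passwd_text, admin_text):
    """Return a list of findings for the config, passwd and admin files."""
    findings = []

    # Step 12: an active "SystemAuth=no" line; '#' lines are comments.
    active = [l.strip() for l in config_text.splitlines()
              if l.strip() and not l.strip().startswith("#")]
    if "SystemAuth=no" not in active:
        findings.append("config: SystemAuth=no is missing or commented out")

    # Steps 17, 23, 25: every passwd entry is "user:password[:...]".
    users = {}
    for n, line in enumerate(passwd_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            findings.append(f"passwd line {n}: no colon after the user name")
            continue
        name, rest = line.split(":", 1)
        users[name] = rest.split(":", 1)[0]
        if users[name] == "":
            findings.append(f"passwd: {name} still has a blank password")

    # Steps 16, 24: each admin name should be a user that can log in.
    for name in admin_text.split():
        if name not in users:
            findings.append(f"admin: {name} has no passwd entry")
    return findings

# Constructed samples: state after step 17, and state after step 25.
MID_BOOTSTRAP = ("SystemAuth=no\n", "cvsuser:\n", "cvsuser\n")
FINISHED = ("# config\nSystemAuth=no\n",
            "cvsuser:CONSTRUCTED_HASH_1\ntlacy:CONSTRUCTED_HASH_2\n",
            "cvsuser\ntlacy\n")

if __name__ == "__main__":
    for label, files in (("mid-bootstrap", MID_BOOTSTRAP),
                         ("finished", FINISHED)):
        print(label, audit_cvsroot(*files) or "no findings")
```

Run it against the real files by reading config, passwd and admin from the repository's CVSROOT directory (not a checked-out copy) and passing their text to audit_cvsroot.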