[cvsnt] Re: Problem using cvsnt and gssapi

[Tony Hoyle]

andreas_bergen at delmia.de wrote:
> Dear all,
> 
> we have a Linux (RH-Fedora Core 2) Server authenticating to Active 
> Directory using Kerberos 5 and winbind. I've setup cvs (cvs-1.11.18 from 

winbind uses NTLM to connect and is unrelated to active directory. 
kerberos is rather difficult to configure, which is why few people use 
it.  It does work when it's got right though.

 > linux-machines. SSH(!)-GSSAPI-authentication also works from
 > Windows-machines using the newest putty from css-security.com without
 > providing a password simply using the windows-credentials. Is there a 
 > way

They use MIT kerberos not Active Directory.  There is an MIT version of 
gssapi for cvsnt but it's only built by default for the Unix versions - 
it's possible to build a Windows version (probably, haven't done it for 
a while) if you're primarily using MIT to connect.

> I've been trying to use the newest cvsnt using gserver-authentication and 
> I always got the error-message
> GSSAPI authentication failed: The specified target is unknown or 
> unreachable

Your windows machine must be logged into the active directory and the 
server must be registered correctly... this is nontrivial (MS like you 
to use their own tools and don't make running servers on Unix boxes easy).

The error returned there means that cvs at machine is not a registered SPN.
You can do this using ktpass and setspn.

 > providing a password simply using the windows-credentials. Is there a 
way
 > to do Single Sign On (SSO) from Windows-Machines to our CVS-Server? If

If you have winbind working the easiest way is to simply uncomment the 
WinbindWrapper line in /etc/cvsnt/PServer which enables SSPI.

Tony