[cvsnt] Problem using cvsnt and gssapi

Douglas E. Engert deengert at anl.gov
Wed Feb 2 13:47:43 GMT 2005 


andreas_bergen at delmia.de wrote:

> Dear all,
> 
> we have a Linux (RH-Fedora Core 2) Server authenticating to Active 
> Directory using Kerberos 5 and winbind. I've setup cvs (cvs-1.11.18 from 
> cvshome.org) to use the :gserver:-protocol for 
> GSSAPI-kerberos5-authentication which works perfectly well from other 
> linux-machines. SSH(!)-GSSAPI-authentication also works from 
> Windows-machines using the newest putty from css-security.com without 
> providing a password simply using the windows-credentials. Is there a way 
> to do Single Sign On (SSO) from Windows-Machines to our CVS-Server? If 
> possible I'd like to use CVSNT with the :gserver:-protocol but other 
> SSO-solutions are very welcome. I'd be important though that no cleartext 
> password be transferred over the network and users don't have their 
> password stored in nearly-cleartext on their computer as default 
> :pserver:-login does.
> 
> I've been trying to use the newest cvsnt using gserver-authentication and 
> I always got the error-message
> GSSAPI authentication failed: The specified target is unknown or 
> unreachable

An Ethereal trace from the client might help.
Is the principal cvs/<hostname>@<realm> registered?
What version of the Windows Kerberos code do you have?
What is in the cvsnt protocal_map.ini?
Is there any cross realm? i.e. users in one realm, the CVS server
in another other?
Are the user's in AD, and server in MIT based realm?

I have had cvsnt-2.0.58a working, to a unix based gserver cvs-1.12.9
using the MIT gssapi on both sides, with users registered in Windows.

> 
> A thread in the internet (
> http://www.cvsnt.org/pipermail/cvsnt/2004-February/010551.html and 
> http://www.cvsnt.org/pipermail/cvsnt/2003-July/007684.html) says that 
> gserver-authentication isn't under active development. Is this still the 
> case? Can you point me to a working version (1.11.1.3 ?) or another 
> windows-gssapi-capable cvs? I'm I doing something wrong?
> 
> Are there other solutions?
> 
> Any help is very greatly appreciated,
> Yours
>   Andreas Bergen
> 
> _______________________________________________
> cvsnt mailing list
> cvsnt at cvsnt.org
> http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the cvsnt mailing list