Fw: [cvsnt] Problem using cvsnt and gssapi
andreas_bergen at delmia.de
Fri Feb 4 14:01:28 GMT 2005
> > we have a Linux (RH-Fedora Core 2) Server authenticating to Active
> > Directory using Kerberos 5 and winbind. I've setup cvs (cvs-1.11.18 from
>
> winbind uses NTLM to connect and is unrelated to active directory.
> kerberos is rather difficult to configure, which is why few people use
> it. It does work when it's got right though.
Well there you are right. It was rather difficult to configure, but after
quite some time I got it working (on Unix). Why doesn't it work the same
on Windows?
>
> > linux-machines. SSH(!)-GSSAPI-authentication also works from
> > Windows-machines using the newest putty from css-security.com without
> > providing a password simply using the windows-credentials. Is there a
> > way
>
> They use MIT kerberos not Active Directory.
Do you mean SSH/Putty? This version actually works from Windows with no
MIT kerberos installed on the Windows-machine authenticating to an
MIT-kerberos Unix-ssh-server without providing a password, using the
default windows-credentials!
> There is an MIT version of
> gssapi for cvsnt but it's only built by default for the Unix versions -
> it's possible to build a Windows version (probably, haven't done it for
> a while) if you're primarily using MIT to connect.
No, I don't really want to install MIT-kerberos on the Windows machines
(I'm responsible for several of them).
>
> > I've been trying to use the newest cvsnt using gserver-authentication and
> > I always got the error-message
> > GSSAPI authentication failed: The specified target is unknown or
> > unreachable
> Your windows machine must be logged into the active directory and the
> server must be registered correctly... this is nontrivial (MS like you
> to use their own tools and don't make running servers on Unix boxes easy).
> The error returned there means that cvs at machine is not a registered SPN.
> You can do this using ktpass and setspn.
I've gone through all of this. cvs/machine is a registered SPN and as I
said, everything works perfectly from Unix-CVS-Clients. As you state this
hasn't been trivial but now it works!
Is it possible that there's a problem with the encryption types or
case-settings of the SPN? I have one single SPN called
cvs/wodka2deg.deg.ds at DS. Should I have additional ones like CVS/... or
CVS/WODKA2DEG or cvs/wodkadeg?
> > providing a password simply using the windows-credentials. Is there a
> > way
> > to do Single Sign On (SSO) from Windows-Machines to our CVS-Server? If
> If you have winbind working the easiest way is to simply uncomment the
> WinbindWrapper line in /etc/cvsnt/PServer which enables SSPI.
What exactly does this WinbindWrapper do? Is there some documentation
about that? How does the Unix-CVSNT-Server verify the credentials? Do I
have to configure it itself or does it take its configuration from
MIT-kerberos?
Why can't I connect directly using gssapi from the Windows-machine as
there's MIT-kerberos installed, too?
Thanks in advance for any help.
Yours
Andreas Bergen