[cvsnt] Re: After upgrade CVSNT requires domainname in username
Luigi D. Sandon
cp at sandon.it
Tue May 3 11:11:24 BST 2005
Here are the traces:
----------------------------------------
1) [client user], pserver authentication
-----------------------------------------
11:43:01: S -> CVS Server is acting as member of domain 'RD'
11:43:01: S -> Client sent 'BEGIN AUTH REQUEST'
11:43:01: S -> Authentication protocol returned user(luigi)
11:43:01: S -> win32switchtouser(RD\cvsuser)
11:43:01: S -> win32getpwnam(RD\cvsuser)
11:43:01: S -> Authenticating server: \\RD-DOMAIN
11:43:01: S -> Trying S4u...
11:43:01: S -> S4U UPN: cvsuser at RD
11:43:01: S -> S4U login returned 00000544
11:43:01: S -> Trying Setuid helper...
11:43:01: S -> SuidGetImpersonationToken returned 00000000
11:43:01: S -> User verified - calling ImpersonateLoggedOnUser
11:43:01: S -> unlink_file_dir(D:\CVS\TEMP/cvs-serv1636)
------------------------------------------
2) RD\Administrator, pserver authentication
------------------------------------------
11:45:57: S -> CVS Server is acting as member of domain 'RD'
11:45:57: S -> Client sent 'BEGIN AUTH REQUEST'
11:45:57: S -> Authentication protocol returned user(luigi)
11:45:57: S -> win32switchtouser(RD\Administrator)
11:45:57: S -> win32getpwnam(RD\Administrator)
11:45:57: S -> Authenticating server: \\RD-DOMAIN
11:45:57: S -> Trying S4u...
11:45:57: S -> S4U UPN: Administrator at RD
11:45:57: S -> S4U login returned 00000544
11:45:57: S -> Trying Setuid helper...
11:45:57: S -> SuidGetImpersonationToken returned 00000000
11:45:57: S -> User verified - calling ImpersonateLoggedOnUser
11:45:57: S -> wnt_chmod(D:\CVS\TEMP/cvs-serv1572,0700)
11:45:57: S -> Client compatibility level is 1
11:45:57: S -> mapping D:\CVS\CVS -> D:/CVS/CVS
11:45:57: S -> normalize_path(D:/CVS/CVS)
11:45:57: S -> ...returns D:/CVS/CVS
11:45:57: S -> Lock server connect to 127.0.0.1 port 2402
[rest of trace cut]
--------------------------------------------
3) RD\CVSUser, pserver authentication
--------------------------------------------
11:47:10: S -> CVS Server is acting as member of domain 'RD'
11:47:10: S -> Client sent 'BEGIN AUTH REQUEST'
11:47:10: S -> Authentication protocol returned user(luigi)
11:47:10: S -> win32switchtouser(RD\cvsuser)
11:47:10: S -> win32getpwnam(RD\cvsuser)
11:47:10: S -> Authenticating server: \\RD-DOMAIN
11:47:10: S -> Trying S4u...
11:47:10: S -> S4U UPN: cvsuser at RD
11:47:10: S -> S4U login returned 00000544
11:47:10: S -> Trying Setuid helper...
11:47:10: S -> SuidGetImpersonationToken returned 00000000
11:47:10: S -> User verified - calling ImpersonateLoggedOnUser
11:47:10: S -> unlink_file_dir(D:\CVS\TEMP/cvs-serv968)
---------------------------------------------
4) RD\ldsandon, pserver authetication (my user, works with sspi and gserver)
----------------------------------------------
11:50:08: S -> CVS Server is acting as member of domain 'RD'
11:50:08: S -> Client sent 'BEGIN AUTH REQUEST'
11:50:08: S -> Authentication protocol returned user(luigi)
11:50:08: S -> win32switchtouser(RD\ldsandon)
11:50:08: S -> win32getpwnam(RD\ldsandon)
11:50:08: S -> Authenticating server: \\RD-DOMAIN
11:50:08: S -> Trying S4u...
11:50:08: S -> S4U UPN: ldsandon at RD
11:50:08: S -> S4U login returned 00000544
11:50:08: S -> Trying Setuid helper...
11:50:08: S -> SuidGetImpersonationToken returned 00000000
11:50:08: S -> User verified - calling ImpersonateLoggedOnUser
11:50:08: S -> unlink_file_dir(D:\CVS\TEMP/cvs-serv1572)
I enabled auditing of that folder also, it was not very informative.
There is an event 537 error for the SYSTEM user, unluckily the server is
the Italian version of W2K and I do not know what is the proper
translation of it. It says something like "Can't access, unknown error,
access type: 3, process: CVSNT, authentication package: negotiate".
Then there is an event 540 (cvsuser, success, setuid) and 538 (cvs user,
success, session end).
The event 537 appears using the administrator user too, anyway, when
everything works.
I was able to use sspi from XP Home (thanks!), but here are telling me
there are some Linux PCs connecting via pserver also, therefore I should
be able to have them work too - they were using an old CVS version and I
had them switch to CVSNT, and I am trying to keep security tight enough
while allowing them to work as usual...
More information about the cvsnt
mailing list