[cvsnt] strange ext->sspi authentication failures as a function of client version
Nathan Ferris
nferris at speakeasy.net
Thu Aug 24 01:59:06 BST 2006
Hi Everyone,
I am encountering a strange error in which I can use the ext protocol
(with sspi) to connect to a CVSNT server (running on Windows 2003
Server), but only with a client version that is earlier than the version
that the server is running. I have been able to replicate the problem
from the client side on two different WindowsXP Pro machines. The details:
CVSNT Server:
Windows 2003 Server
CVSNT version 2.5.03.2382
server belongs to domain "DOMAIN"
passwd file in CVSROOT directory of repository /CVS_REPO:
USER:!DOMAIN
Client machine:
Windows XP Pro
machine belongs to domain "DOMAIN"
CVSNT versions: 2.5.03.1927 and 2.5.03.2382
extnt.ini:
[CVS_SERVER]
protocol=sspi
hostname=CVS_SERVER
directory=/CVS_REPO
Here is how I produce the problem:
with CVSNT 2.5.03.2382 installed:
cvs -d :sspi:DOMAIN\USER at CVS_SERVER:/CVS_REPO login
(enter my password, no errors returned)
cvs -ttt -d :sspi:DOMAIN\USER at CVS_SERVER:/CVSREPO ls
12:19:12: -> Tracelevel set to 3. PID is 304
12:19:12: -> Session ID is 13044ecaa300d25
12:19:12: -> Session time is Wed Aug 23 19:19:12 2006
12:19:12: -> Loading protocol sspi as sspi.dll
12:19:12: -> CLibraryAccess::Load loading
C:\PROGRA~1\CVSNT/protocols/sspi.dll
12:19:12: -> main loop with
CVSROOT=:sspi:DOMAIN\USER at CVS_SERVER:/CVSREPO
12:19:13: -> Server codepage is CP1252
12:19:13: -> Client codepage is CP1252
12:19:13: -> Server version is CVSNT 2.5.03 (Scorpio) Build 2382
12:19:13: -> Client version is CVSNT 2.5.03 (Scorpio) Build 2382
(I get a valid listing of modules in CVS_REPO)
cvs -ttt -d :ext:DOMAIN\USER at CVS_SERVER:/CVSREPO ls
12:02:51: -> Tracelevel set to 3. PID is 2384
12:02:51: -> Session ID is 95044eca65b00a1
12:02:51: -> Session time is Wed Aug 23 19:02:51 2006
12:02:51: -> Loading protocol ext as ext.dll
12:02:51: -> CLibraryAccess::Load loading
C:\PROGRA~1\CVSNT/protocols/ext.dll
12:02:51: -> main loop with CVSROOT=:ext:DOMAIN\USER at CVS_SERVER:/CVSREPO
[extnt] Authentication failed
with CVSNT 2.5.03.1927 installed:
cvs -d :sspi:DOMAIN\USER at CVS_SERVER:/CVS_REPO login
(enter my password, no errors returned)
cvs -d :sspi:DOMAIN\USER at CVS_SERVER:/CVS_REPO ls
(listing of modules in CVS_REPO returned)
cvs -d :ext:DOMAIN\USER at CVS_SERVER:/CVS_REPO ls
(listing of modules in CVS_REPO returned)
I enabled server log output on the server and looked at the resulting
logs. When I try to use a 2.5.03.1927 client and the ext protocol, the
relevant section of the server log looks like this:
11:50:11: S -> Domain found: DOMAIN
11:50:11: S -> CVS Server is acting as member of domain 'DOMAIN'
11:50:11: S -> Client sent 'BEGIN SSPI'
11:50:11: S -> FindPrototocol(BEGIN SSPI)
11:50:11: S -> EnumerateProtocols: C:\PROGRA~1\CVSNT/protocols
11:50:11: S -> Loading protocol sspi as sspi.dll
11:50:11: S -> CLibraryAccess::Load loading
C:\PROGRA~1\CVSNT/protocols/sspi.dll
11:50:11: S -> Checking protocol sspi
11:50:11: S -> Checking key SspiProtocol
11:50:11: S -> Authentication protocol returned user(DOMAIN\USER)
11:50:11: S -> Impersonating preauthenticated user using protocol
specific impersionation
11:50:11: S -> wnt_chmod(C:\WINDOWS\TEMP/cvs-serv5828,0700)
11:50:11: S -> Client compatibility level is 1
However, when I try it with a 2.5.03.2382 client and the ext protocol,
the server log looks like this:
12:02:34: S -> Domain found: DOMAIN
12:02:34: S -> CVS Server is acting as member of domain 'DOMAIN'
12:02:34: S -> Client sent 'BEGIN SSPI'
12:02:34: S -> FindPrototocol(BEGIN SSPI)
12:02:34: S -> EnumerateProtocols: C:\PROGRA~1\CVSNT/protocols
12:02:34: S -> Loading protocol sspi as sspi.dll
12:02:34: S -> CLibraryAccess::Load loading
C:\PROGRA~1\CVSNT/protocols/sspi.dll
12:02:34: S -> Checking protocol sspi
12:02:34: S -> Checking key SspiProtocol
12:02:35: S -> Unloading sspi
12:02:35: S -> Couldn't find a matching authentication protocol
I have read in previous posts that there was a problem with earlier
versions of the CVSNT server (2.0.x) that could be solved by forcing the
sspi protocol to use NTLM instead of Kerberos, but I have forced sspi to
use both NTLM and Kerberos successfully so I don't think that I'm having
the same problem.
Is anyone else having similar issues? Does anything in the above
listings seem like it is misconfigured?
thanks,
Nathan
More information about the cvsnt
mailing list