|
Actions:
|
2017-07-19 07:11 AEST by Glen Starrett - If you specify a domain that isn't the server's current "default domain" with
sserver/pserver, the login will always fail. (just calling it sserver from here on)
In other words, sserver always attempts to authenticate any user credentials
passed to it against the default domain regardless of either the domain passed
in a CVSROOT (e.g. ":sserver:DOMAIN\USERNAME@HOST:/REPO") or if it is included
in the passwd database (e.g. "cvs passwd -a -D DOMAIN username").
The sspi protocol doesn't show this bug.
SSPI TEST:
C:\Users\duser1>cvs -d :sspi:D-W2012X64-M\muser2@d-w2012x64-m:/myrepo login
Logging in to :sspi:D-W2012X64-M\muser2@d-w2012x64-m:2401:/myrepo
CVS Password:
C:\Users\duser1>cvs -d :sspi:D-W2012X64-M\muser2@d-w2012x64-m:/myrepo ls
Listing modules on server
abc
SSERVER CASE:
C:\Users\duser1>cvs -d :sserver:D-W2012X64-M\muser2@d-w2012x64-m:/myrepo login
Logging in to :sserver:D-W2012X64-M\muser2@d-w2012x64-m:2401:/myrepo
CVS Password:
cvs [login aborted]: authorization failed: server d-w2012x64-m rejected access
to /myrepo for user D-W2012X64-M\muser2
C:\Users\duser1>cvs -d :sserver:muser2@d-w2012x64-m:/myrepo login
Logging in to :sserver:muser2@d-w2012x64-m:2401:/myrepo
CVS Password:
cvs [login aborted]: authorization failed: server d-w2012x64-m rejected access
to /myrepo for user muser2 |
|
|
2017-07-19 07:12 AEST by Glen Starrett - Created an attachment (id=3149)
An event appears on the member server showing that the account failed to
authenticate against the DELTA domain.
|
|
|
2017-07-19 07:13 AEST by Glen Starrett - Created an attachment (id=3150)
Server trace
|
|
|
2017-07-19 07:14 AEST by Glen Starrett - Created an attachment (id=3151)
Client diags
|
|
|
2017-07-19 07:15 AEST by Glen Starrett - Created an attachment (id=3152)
Server diags
|
|
|
2017-07-19 07:17 AEST by Glen Starrett - Workaround is to set the "default domain" on the server to the local machine (in
this case). That won't work for customers with multiple domains in their
architecture who can't use SSPI for some reason. |
|
|
2017-07-25 06:22 AEST by Arthur Barrett - Please attach the 'passwd' and 'config' files from CVSROOT just for completeness.
Changing subject from:
Attempting to login to CVSROOT specified domain with sserver/pserver always fails
to:
Server: Win: login to non-default domain with sserver/pserver always fails |
|
|
2017-07-29 02:11 AEST by Glen Starrett - Per request, passwd:
cuser:UjqPGonaY.ji6:muser1
ppwd1:e/dXeFMRsFhDw:muser1
ppwd2:L2900ktsGa9T6:muser1
ppwd3:/4zfIt9jAcZhg:muser1
admin:
muser3:
D-W2012X64-M\muser3:
duser3:
d1:!DELTA:duser1
m1:!D-W2012X64-M:D-W2012X64-M\muser1
D-W2012X64-M\muser2:!D-W2012X64-M
duser2:!DELTA
... and Config:
# Set this to 'no' if pserver shouldn't check system users/passwords
#SystemAuth=yes
# Set the Acl parsing type (none,compat,normal).
#AclMode=compat
# Alternate location of CVS LockServer. Set to 'none' to disable..
#LockServer=localhost:2402
# Set 'TopLevelAdmin' to 'yes' to create a CVS directory at the top
# level of the new working directory when using the 'cvs checkout'
# command.
#TopLevelAdmin=no
# Set 'LogHistory' to 'all' or 'TOFEWGCMAR' to log all transactions to the
# history file, or a subset as needed (ie 'TMAR' logs all write operations)
#LogHistory=TOFEWGCMAR
# Set 'RereadLogAfterVerify' to control rereading of the log file after a verifymsg
# 'always' or 'yes' to always reread the log regardless
# 'never' or 'no' (default) to never reread the log
#RereadLogAfterVerify=no
# Set 'Watcher' to set a user who gets all notify events within the repository
whether
# or not the ifle is watched.
#Watcher=watch_user |