Why can't I use a diffrent user for SVN checkout - windows

I trying to make SVN work on a Windows 2016 Server. I am using SVN over commandline. SVN is always using the user which is logged in. Let's say the logged in user is USER. The user needed for SVN is called SVNUSER. We are using a VisualSVN Server. Both Servers are inside a company network and they use the same AD for authentication.
I tried following stuff:
svn checkout --username SVNUSER http://svn01.de/svn/Application/trunk/FSW
or
svn checkout --username e102365 --password pass http://svn01.w3.de/svn/Application/trunk/FSW
didn't work. I get following error:
svn: E175013: Unable to connect to a repository at URL 'http://svn01.de/svn/Application/trunk/FSW'
svn: E175013: Access to '/svn/Application/trunk/FSW' forbidden
The serverlog says i tried to connect with USER.
The only way I was able to make the checkout work is using run as with the SVNUSER but I need it for automation and run as is interactive so it does not help.
The folder C:\Users\USER\AppData\Roaming\Subversion\auth is empty. When using tortoise SVN it says there is no saved authentication.

I assume that your VisualSVN Server installation is configured for Integrated Windows Authentication (Active Directory Single Sign-On) (see KB182 for details).
Since it's Single Sign-On, you have to run your scripts as the user account that has permissions to access the repository. Specifying credentials in the command-line won't work - it will always authenticate as the user account who started the svn.exe client. You can try running your script from Windows Task Scheduler, custom Windows Service, etc.
Or you can enable Basic Windows authentication on the server in addition to Integrated Windows Authentication. And force your svn client to always prefer Basic auth (i.e., disable Integrated Windows Authentication on the client side). You can append the following option to your svn.exe commands:
--config-option servers:global:http-auth-types=basic
Or modify the %APPDATA%\Subversion\servers file. Add the http-auth-types=basic string under [Global].

Related

Could not add identity "": agent refused operation on windows server 2012

Im using Open SSH and trying to use ssh-add on windows server 2012 but keep receiving the following error
Could not add identity "C:\Users\SERVICE_ACCOUNT/.ssh/id_rsa": agent refused operation
I have made sure all my permissions are intact with all files within C:\Users\SERVICE_ACCOUNT.ssh
Icacls C:\Users\SERVICE_ACCOUNT\
C:\Users\SERVICE_ACCOUNT\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
CP\SERVICE_ACCOUNT:(OI)(CI)(F)
Icacls C:\Users\SERVICE_ACCOUNT\.ssh
C:\Users\SERVICE_ACCOUNT\.ssh CP\SERVICE_ACCOUNT:(OI)(CI)(F)
I have tried ssh-add using a different user on my windows and im able to successfully do so without any issues, i have also made sure that the permissions for the other user match my service account as well

How to specify svn url to access a repos on a Windows machine from a mac on a local network?

I don't use mac very often and am trying to figure out what the correct URL is to connect to a repository shared from my windows machine. I was thinking of something like file://\winMachine/svnrepo, but that's not working.
I don't see how that would differ from normal ways of accessing network shared resources. The only issue here would be that OSX might not resolve NETBIOS names, so you might want to use the IP.
You should clone the repository through command line or GUI using the URL provided by the SVN Server, ex.: http://10.0.0.1:8080/svn/Project/
[yurieastwood#mbp ~]$ svn checkout --username yeastwood http://10.0.0.1:8080/svn/SampleProject/trunk/
Authentication realm: <http://10.0.0.1:8080> VisualSVN Server
Password for 'yeastwood': *********
A trunk/SampleProject.XmlImporter
A trunk/SampleProject.XmlImporter/SampleProject.XmlImporter.csproj
A trunk/SampleProject.XmlImporter/JsonConvertTask.cs
A trunk/SampleProject.XmlImporter/packages.config
A trunk/SampleProject.XmlImporter/bin
A trunk/SampleProject.XmlImporter/bin/Release
A trunk/SampleProject.XmlImporter/bin/Debug
A trunk/SampleProject.XmlImporter/bin/Debug/SampleProject.Framework.pdb
A trunk/SampleProject.XmlImporter/bin/Debug/Autorun.mdf
A trunk/SampleProject.XmlImporter/bin/Debug/Autorun_log.LDF
A trunk/SampleProject.XmlImporter/bin/Debug/SampleProject.XmlImporter.pdb
A trunk/SampleProject.XmlImporter/bin/Debug/SampleProject.Framework.dll
A trunk/SampleProject.XmlImporter/bin/Debug/Newtonsoft.Json.dll
A trunk/SampleProject.XmlImporter/bin/Debug/SampleProject.XmlImporter.dll
A trunk/SampleProject.XmlImporter/bin/Debug/Newtonsoft.Json.xml
Checked out revision 7.
[yurieastwood#mbp ~]$
P.S.: If you want to access shared folders from Windows machines you should use the SMB protocol, ex.: smb://10.0.0.1, through Finder -> Go -> Connect to Servers.

How to connect as NT AUTHORITY\SYSTEM to svn?

I have a service running at local system account (NT AUTHORITY\SYSTEM). This service shall connect to local subversion repository. Is this possible?
I tried this
svn export --non-interactive http://localhost/svn/MyRepository TargetFolder
but it does not work. As far as I know I cannot set any password for "NT AUTHORITY\SYSTEM". I don't like to use my personal account and put my password there as clear text.
My SVN runs on VisualSVN-Server
You should never use SYSTEM account for such tasks for numerous security reasons. Create and use a dedicated local Windows or Active Directory account with limited permissions.
Setting up the cached authentication credentials for the System user requires running an svn.exe command as the System user. Windows Vista+/Server 2008+ doesn't make that easy.
​Install psexec from https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
Start an elevated cmd.exe as Administrator.
Run "psexec -i -s cmd.exe".
A new cmd.exe should appear which is running as the System user.
Type whoami. Verify the output reads something like "nt authority\system".
Perform a subversion command like "svn --username your-svn-user list your-https-repo-url".​
When prompted by svn.exe, enter the password for your-svn-user.
​The "svn auth" command allows you to examine the cached credentials.
Note if a new SSL certificate is installed on the Subversion server, you'll have to repeat this process.
For more responses on this topic: How do you run CMD.exe under the Local System Account?

Why is subversion using system-name as username when running as system user?

This has got me the whole day digging for answers. The bottom line is that when I run svn as system user it seems to use the system-name to authenticate against the SVN server regardless of what credentials are passed. Following is the long explanation that made arrive at that conclusion.
When running from a Windows 7 Professional, if I run svn from the console under any normal user, the application works as expected: if credentials have been cached in %AppData%/Roaming/Subversion it will use them, if not it will prompt for username and password unless I use the options --username and --password. If I enter credentials using the options then the commit works with no problem. All good so far.
But when I try to run svn as the system user (nt authority\system) in the same computer, it behaves differently. To begin with, %AppData%/Roaming/Subversion points to C:\Windows\System32\config\systemprofile\AppData\Roaming\Subversion, and I make sure there is no auth folder there, so no credentials cached. Then I run svn without any parameters and it doesn't prompt for username/password, instead it executes the action and receives an error from subversion:
svn: E175013: Commit failed (details follow):
svn: E175013: MKACTIVITY of '/svn/Development/!svn/act/f20db493-48f1-9c43-a957-541584be555e': 403 Forbidden (http://<ip-address>)
If I run it indicating --username and --password, it gets the same error. But then I check the error logs from subversion and find this:
[Fri Aug 08 17:32:18 2014] [error] [client <client IP>] Access denied: '<clienthostname>$' MKACTIVITY Development:
[Fri Aug 08 17:32:18 2014] [error] [client <client IP>] Access denied: '<clienthostname>$' DELETE Development:
Where <clienthostname> is the hostname of the computer where I'm trying to commit from (note the '$' at the end of the subversion log, that's not part of the hostname but it does appear in the log as part of the username).
So that's the question: why is svn behaving differently when running as system user? Why does it use the hostname as username when authenticating against the SVN server? And why do other users work correctly?
Note: I believe my problem is different from the following questions in stackoverflow:
Subversion ignoring “--password” and “--username” options: I don't get any prompts to enter username and password, regardless of whether I indicate the options --username and --password or I don't
SVN Error when commiting Access denied: 'foobar' MKACTIVITY MYREPO: I saw this question and I tried double checking the case of all the items in the URL, no luck.
svn: MKACTIVITY 403 Forbidden: I have checked that no credentials are cached in %AppData%/Roaming/Subversion
For those who are wondering why I'm trying to run svn as system user, the answer is that I am trying to make a commit from TeamCity, which means it is the Build Agent the one executing the svn command. The Build Agent is a Windows Service and runs as system user, and the svn command fails in the way explained above.
Use the "--no-auth-cache" in your svn commands and you won't see this issues. You might however run into other set of issues.
If you do not use the no-auth-cache it tries to figure out default username and password anyways
A better way would be to create a .subversion folder and store the authentication in that folder. So for the system account, you can specify a differrent userid and password for the login.

In SVN how do I override automatic Windows domain authentication

I have a build server that is not part of a Windows domain trying to connect to a VisualSVN server running HTTPS via apache with domain login via Active Directory. When I try to connect to the server using specifying a domain username I observe a client hang:
svn ls --username=domainuser https://subversion.mydomain/svn/repo1/
The logs on the server show Windows authentication failures using the login-name for the build-machine, and the build-machine's hostname in the Domain name field. The username provided on the command-line is completely ignored.
SVN Client: TortoiseSVN commandline tools: svn, version 1.8.1 (r1503906)
On a separate machine (on the domain) - I found that the --username would not be ignored if I used the cygwin svn instead.
The solution I found was to disable the http-auth-type 'negotiate'. This prevents Windows credentials being automatically shared.
I verified this using a command-line override, it asked for password for the user on the command-line:
svn ls --username=domainuser --config-option servers:global:http-auth-types=basic;digest https://subversion.mydomain/svn/repo1/
Authentication realm: <https://subversion.mydomain/svn/repo1/> VisualSVN Server
Password for 'domainuser':
(Note for Cygwin users: If you use SVN under Windows via Cygwin then you will need to add quotes to your command like this: $ svn ls --username=domainuser --config-option "servers:global:http-auth-types=basic;digest" https://subversion.mydomain/svn/repo1/ -- Otherwise the semicolon will be treated as a command delimiter.)
To configure this more permanently you can make a servers config file entry for all matching servers. For Win7 that's C:\Users\<User>\AppData\Roaming\Subversion\servers.
[groups]
mydomain = *.mydomain
[mydomain]
http-auth-types=basic;digest
Instead of disabling negotiate in client's config, I'd suggest using Windows Credential Manager to store the other account's credentials for Single Sign-On.
The following instruction shows how to put other domain credentials to access VisualSVN Server into Windows Credential Manager:
Start | Control Panel | Credential Manager,
Click 'Add a Windows Credential',
As 'Internet or network address' enter the FQDN of VisualSVN
Server's machine,
As 'Username' enter the <DOMAIN>\<username> of user account that
exists in domain and has access rights to VisualSVN Server,
Complete the password field and click OK,
Verify that you can authenticate to VisualSVN Server under the selected user account after completing the above steps.

Resources