Thursday, May 31, 2007

CVSNT: combining Windows domain authentication and password authentication.

A client wanted his employees to authenticate to CVSNT against the domain server using SSPI. This works out of the box. But we also needed to allow occasional consultants, logging in over a tunnel, to get access without joining the domain.

After much perusing, the solution turned out to be quite simple. You want your passwd file entries to look like this:

consultant:c$%#%$#%$:MYLOCALMACHINE\realcvsuser

where MYLOCALMACHINE is the name of the server where CVS is running.
realcvsuser is a local account on MYLOCALMACHINE. You can use Windows ACLs to control what realcvsuser sees and doesn't see.

This works as follows:
1. If the user is not in the passwd file, SSPI authentication takes place.
2. If the user is in the passwd file, as "consultant" is in our example, then the password is matched against the crypted version, and the login is redirected to the local user "realcvsuser".

cvs passwd -a -r "MYLOCALMACHINE\realcvsuser" consultant

is the command line required to do the deed.
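
Since every login listed in the passwd file is checked against its crypted password instead of going through SSPI, it is worth reviewing that file periodically. The following audit script is an added example, not part of the original post: it assumes the three-field login:crypted:realuser layout shown above, the function names are hypothetical, and the sample entries are constructed.

```python
from dataclasses import dataclass

# Constructed sample entries (not from a real repository); the first line is
# the post's own example with its placeholder hash.
SAMPLE_PASSWD = r"""
consultant:c$%#%$#%$:MYLOCALMACHINE\realcvsuser
auditor::MYLOCALMACHINE\realcvsuser
jsmith:abXy12:CORP\jsmith
builder:zz91Qw
"""

@dataclass
class Entry:
    login: str      # name the CVS client logs in with
    crypted: str    # crypted password the login is matched against
    real_user: str  # account the login is redirected to

def parse_passwd(text):
    """Parse login:crypted:realuser lines, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":", 2) + ["", ""]   # pad missing fields
        entries.append(Entry(parts[0], parts[1], parts[2]))
    return entries

def audit(text, local_machine):
    """Map each password-authenticated login to a list of findings."""
    findings = {}
    for e in parse_passwd(text):
        issues = []
        if not e.crypted:
            issues.append("empty password field")   # nothing to match against
        if not e.real_user:
            issues.append("no mapped account")
        else:
            machine, sep, _ = e.real_user.partition("\\")
            # Windows machine names compare case-insensitively
            if not sep or machine.upper() != local_machine.upper():
                issues.append("not mapped to a local account on " + local_machine)
        findings[e.login] = issues
    return findings

if __name__ == "__main__":
    for login, issues in audit(SAMPLE_PASSWD, "MYLOCALMACHINE").items():
        print(f"{login}: password login (no SSPI); " + ("; ".join(issues) or "ok"))
```
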
