[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Kerberos support

From: <markus.schuh_at_sdm.de>
Date: 2006-08-24 20:32:24 CEST

Chris Rodgers wrote:
>
> Should it be possible to use a kerberos-enabled SVN repository with
> TortoiseSVN?

I think so. I don't have this in use at the moment but I was able to
access a linux based Apache 2.x with mod_auth_kerb and mod_dav_svn from
Windows XP with SSPNEGO in the past during testing different setups.

But both my server and client tickets came from W2003-AD, not a MIT kdc.

>
> If so, does anyone have any tips for getting it to work?
>

Two hints:

1.)
When using the windows svn cli oder TSVN the sspnego authentication
is handled by the used neon library. You should be aware that not
all versions support this and that not all precompiled versions
of svn or tsvn has enabled the necessary functionality. It is
a compile time option.

Test with tsvn 1.4.0 RC1 or svn 1.3.2, not the tsvn 1.3.x versions.

2.)
I personally don't think neon under windows supports MIT kerberos.
(I may be wrong.)
But you should be able to get a "windows" kdc ticket for your windows
workstation from the MIT kdc
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EVCAC
If your windows workstation is already part of a Windows AD you
should integrate the linux server into the Windows AD.

But even if you succeed accessing your repository with kerberos
authentication from your windows workstation, you should do
a lot of testing. The influence of the negotiation authentication
on the webdav requests is not trivial. There is a least the
possibility that some packets have to be sent more than once and
therefore more bandwidth utilisation.

Stefan Küng had good reasons to deactivate SSPI support in tsvn 1.3.x.
which uses neon < 0.25.5
Please search the dev mailing list archive or the tsvn repository log
for more details.

But I don't know if these problems were relevant both for sspnego
with NTLM and sspnego with kerberos.

see also http://svn.haxx.se/users/archive-2005-07/0858.shtml

-- 
Markus Schuh
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: dev-help@tortoisesvn.tigris.org
Received on Thu Aug 24 20:32:41 2006

This is an archived mail posted to the TortoiseSVN Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.