[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

svn 1.3, apache on windows, NTLM

From: Norbert Unterberg <nunterberg_at_gmail.com>
Date: 2005-10-12 22:59:40 CEST

Short:
NTLM is making some trouble with svn 1.3 on windows with apache. Not
sure yet if this is a configuration or svn problem.

Long story:
I tried a recent nightly version of TortoiseSVN which uses the
subversion 1.3 branch, and did the same tests with a 1.3 svn command
line client that Steve KŘng mailed me.

Our server is one of the subversion 1.1 versions running on Windows
Server 2003, with apache 2.0.52 (mod_dav_svn, mod_authz_svn). The
authorization with the windows domain is done using mod_auth_sspi. The
client is running on Windows XP SP2.
The repositoy has read access for everyone, but you need a password
for write access.

After I installed the 1.3 client, I could no longer commit. The error
message I got was something like:

Commit failed (details follow):
CHECKOUT of
'/svn/repos/!svn/ver/877/some/path/branches/project/file.c':
401 Authorization Required (http://servername)

The apache error log was flooded with entries like this one:

(OS 87)Falscher Parameter. : authentication failure for
"/svn/repos/!svn/act/52b0b04e-e62a-c24a-a89a-68689f41f236": user
unknown, reason: cannot generate context

I guess this is what happens:
 * svn 1.3 uses a newer version of neon which supports NTLM authorization.
 * NTLM provides the logon user name in mixed case (upper- and lower
case letters) to the server.
 * Our svn access file only has the user names in lower case.

That's why the authorization fails in the first case. NTLM used a user
name with upper case letters, but svnaccessfile has lower case user
names. It would not even help to correct the authz file, because
windows might even use lower case one day and upper case the other
day.
But then SVN did not use the saved authorization, nor did it ask for a
user name. Apache just logged the "user unknown, reason: cannot
generate context" message.
Is that intentional or a bug? The user credentials stored in the auth
cache are correct, because a test with the current svn 1.2.3 worked
without problems.
Is there a way to make the user name comparison case-insensitive? I
have learned that windows does not use consistent casing when
providing a user name with NTLM (the internet explorer has the same
problems)?

I was able to solve this problem by using a more recent version of
mod_auth_sspi that supports a "SSPIUserNameCase lower" config option.
But windows users might fall into this trap when upgrading to 1.3, and
I think it is worth investigating what the "correct" behaviour in this
case might be.

I am on vacation for a few weeks, so I can not do more testing on this
topic, but maybe some other windows user can do more tests?

Norbert

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Oct 12 23:01:16 2005

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.