Victor Sudakov wrote on Wed, Dec 07, 2011 at 18:22:03 +0700:
> Philip Martin wrote:
> > >>>
> > >>> Have you tried with "mech_list: gssapi" so that the client has no choice?
> > >>
> > >> Yes, in fact I wrote about it in the original post. I repeat:
> > >>
> > >> If I disable the digest-md5 mech on the server, like
> > >> (mech_list: gssapi anonymous), I get:
> > >
> > > I'm not a SASL expert, what does anonymous do? Does that give the
> > > client a choice? Can you use "mech_list: gssapi"?
> > One other thing is there is a note in
> > http://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt that
> > states that setting the client's max-encryption to more than 56 will
> > prevent GSSAPI working. I don't know whether that is still true or
> > out-of-date, or why this should suddenly be an issue when going from 1.6
> > to 1.7.
> min-encryption and max-encryption are server-side settings, and the
> issue is more probably in the client.
> Yes, I tried specifying min-encryption = 0; max-encryption = 56 on the
> server side (in conf/svnserve.conf) but it makes no difference. It's
> the client that does not even try to contact the KDC for a service
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
Received on 2011-12-07 12:31:39 CET