markus.schuh@sdm.de wrote:
> Two hints:
>
> 1.)
> When using the windows svn cli oder TSVN the sspnego authentication
> is handled by the used neon library. You should be aware that not
> all versions support this and that not all precompiled versions
> of svn or tsvn has enabled the necessary functionality. It is
> a compile time option.
>
> Test with tsvn 1.4.0 RC1 or svn 1.3.2, not the tsvn 1.3.x versions.
Thanks for that. Just in case anyone else is interested, here are the
versions of software that I have been using to test with:
On the Windows client (not working):
Windows 2000 SP4 (which is not joined to a domain)
TortoiseSVN 1.4.0, Build 7195 - 32 Bit -RC1, 2006/08/05 14:31:55
Subversion 1.4.0, -dev
apr 0.9.12
apr-iconv 0.9.7
apr-utils 0.9.12
berkeley db 4.4.20
neon 0.25.5
OpenSSL 0.9.8b 04 May 2006
zlib 1.2.3
MIT Kerberos for Windows 3.1.0 beta 1 with Network Identity Manager 1.1.0.1.
On the Linux client (working fine):
Fedora Core 5 (Linux xxxx.yyyyy 2.6.17-1.2174_FC5smp #1 SMP Tue Aug 8
16:00:39 EDT 2006 i686 i686 i386 GNU/Linux)
krb5-workstation-1.4.3-5.1
subversion-1.3.2-2.1
On the Linux webserver and KDC:
Fedora Core 5 (Linux xxxx.yyyyy 2.6.17-1.2174_FC5 #1 Tue Aug 8 15:30:55
EDT 2006 i686 i686 i386 GNU/Linux)
krb5-workstation-1.4.3-5.1
krb5-libs-1.4.3-5.1
krb5-auth-dialog-0.6.cvs20060212-1
krb5-server-1.4.3-5.1
krb5-devel-1.4.3-5.1
httpd-2.2.2-1.2
mod_auth_kerb-5.0-8.2.1
mod_ssl-2.2.2-1.2
mod_dav_svn-1.3.2-2.1
subversion-devel-1.3.2-2.1
subversion-1.3.2-2.1
My httpd.conf file contains
<Location /svn>
DAV svn
SVNParentPath /var/www/svn
AuthzSVNAccessFile /var/www/svn-acl
SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms MY.REALM
KrbVerifyKDC off
Krb5KeyTab /etc/httpd/conf.d/keytab
Require valid-user
</Location>
> 2.)
> I personally don't think neon under windows supports MIT kerberos.
> (I may be wrong.)
> But you should be able to get a "windows" kdc ticket for your windows
> workstation from the MIT kdc
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EVCAC
> If your windows workstation is already part of a Windows AD you
> should integrate the linux server into the Windows AD.
Thanks for the link. That looks like it might work, but it will require
so much configuration of every client that I can't see it being a winner.
I guess my aim in using kerberos was to get a neat single-sign-on for
subversion which didn't involve storing a plaintext password on disk
(ouch!). With Linux clients, kerberos seems to do this very nicely, but
it's clearly not going to be viable unless it works from Windows without
major reconfiguration of every client.
Many thanks once again,
Chris Rodgers.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: dev-help@tortoisesvn.tigris.org
Received on Fri Aug 25 12:45:19 2006