
Re: Kerberos support

From: Chris Rodgers <rodgers_at_physchem.ox.ac.uk>
Date: 2006-08-25 12:40:43 CEST

markus.schuh@sdm.de wrote:
> Two hints:
>
> 1.)
> When using the windows svn cli or TSVN the sspnego authentication
> is handled by the used neon library. You should be aware that not
> all versions support this and that not all precompiled versions
> of svn or tsvn have enabled the necessary functionality. It is
> a compile time option.
>
> Test with tsvn 1.4.0 RC1 or svn 1.3.2, not the tsvn 1.3.x versions.

Thanks for that. Just in case anyone else is interested, here are the
versions of software that I have been using to test with:

On the Windows client (not working):

Windows 2000 SP4 (which is not joined to a domain)

TortoiseSVN 1.4.0, Build 7195 - 32 Bit -RC1, 2006/08/05 14:31:55
Subversion 1.4.0, -dev
apr 0.9.12
apr-iconv 0.9.7
apr-utils 0.9.12
berkeley db 4.4.20
neon 0.25.5
OpenSSL 0.9.8b 04 May 2006
zlib 1.2.3

MIT Kerberos for Windows 3.1.0 beta 1 with Network Identity Manager 1.1.0.1.

On the Linux client (working fine):

Fedora Core 5 (Linux xxxx.yyyyy 2.6.17-1.2174_FC5smp #1 SMP Tue Aug 8
16:00:39 EDT 2006 i686 i686 i386 GNU/Linux)

krb5-workstation-1.4.3-5.1
subversion-1.3.2-2.1

On the Linux webserver and KDC:

Fedora Core 5 (Linux xxxx.yyyyy 2.6.17-1.2174_FC5 #1 Tue Aug 8 15:30:55
EDT 2006 i686 i686 i386 GNU/Linux)

krb5-workstation-1.4.3-5.1
krb5-libs-1.4.3-5.1
krb5-auth-dialog-0.6.cvs20060212-1
krb5-server-1.4.3-5.1
krb5-devel-1.4.3-5.1
httpd-2.2.2-1.2
mod_auth_kerb-5.0-8.2.1
mod_ssl-2.2.2-1.2
mod_dav_svn-1.3.2-2.1
subversion-devel-1.3.2-2.1
subversion-1.3.2-2.1

My httpd.conf file contains

<Location /svn>
    DAV svn
    SVNParentPath /var/www/svn

    AuthzSVNAccessFile /var/www/svn-acl

    SSLRequireSSL

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms MY.REALM
    KrbVerifyKDC off
    Krb5KeyTab /etc/httpd/conf.d/keytab

    Require valid-user
</Location>

> 2.)
> I personally don't think neon under windows supports MIT kerberos.
> (I may be wrong.)
> But you should be able to get a "windows" kdc ticket for your windows
> workstation from the MIT kdc
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EVCAC
> If your windows workstation is already part of a Windows AD you
> should integrate the linux server into the Windows AD.

Thanks for the link. That looks like it might work, but it will require
so much configuration of every client that I can't see it being a winner.

I guess my aim in using kerberos was to get a neat single-sign-on for
subversion which didn't involve storing a plaintext password on disk
(ouch!). With Linux clients, kerberos seems to do this very nicely, but
it's clearly not going to be viable unless it works from Windows without
major reconfiguration of every client.

Many thanks once again,

Chris Rodgers.

Received on Fri Aug 25 12:45:19 2006

This is an archived mail posted to the TortoiseSVN Dev mailing list.
