
Re: Antwort: Re: Linux mod_auth_ntlm_winbind and TortoiseSVN

From: Ludek Finstrle <ludek.finstrle_at_pzkagis.cz>
Date: Tue, 7 Oct 2008 14:35:23 +0200

Hello,

Mon, Oct 06, 2008 at 11:44:47AM +0200, Rudolf.Lippert_at_Proleit.de wrote:
> I wish it was that easy. I got a domain admin to create a keytab for me
> and installed it according to http://grolmsnet.de/kerbtut. But I still get
> a 401 response and no log messages whatsoever.
> What am I missing?

I'm sorry. I forgot to mention the change in /etc/krb5.conf.
I have this /etc/krb5.conf:
[libdefaults]
 default_realm = <REALM>
 ccache_type = 4
 dns_lookup_realm = false
 dns_lookup_kdc = false
 forwardable = yes
 kdc_timesync = 1
 proxiable = no

[realms]
 <REALM> = {
   kdc = <YOUR AD>:88
   admin_server = <YOUR AD>
   default_domain = <YOUR domain>
 }

[domain_realm]
 .<domain name> = <REALM>
 <domain name> = <REALM>

You can test this with
kinit <login>
where login is your login to the domain (don't type <DOMAIN>\<login>).
You can check klist and don't forget kdestroy (after test).

Thank you for kicking me to the right way

Luf

> Ludek Finstrle <ludek.finstrle_at_pzkagis.cz> wrote on 02.10.2008 16:18:59:
>
> > Hello,
> >
> > Thu, Oct 02, 2008 at 03:41:34PM +0200, Rudolf.Lippert_at_Proleit.de wrote:
> > > I have noticed the mod_auth_kerb module, but I haven't been able to figure
> > > out what I need to do to make it work. It seems much more complicated than
> > > winbind. Still, if one works and the other doesn't, I'll go for kerb.
> > > Could you explain how you got SSO working?
> >
> > I don't think so. Here are your steps:
> >
> > 1) create account for machine in AD and export host keytab
> > HTTP/<FQDN> of apache host - IP where apache is listening on
> > (forward "A" and reverse "PTR" DNS entry have to match)
> > (http://technet.microsoft.com/en-us/library/bb742433.aspx)
> > 2) put the keytab with enough secure permissions to apache host
> > apache process has to have rights to read this keytab
> > 3) configure mod_auth_kerb this way:
> > LoadModule auth_kerb_module modules/mod_auth_kerb.so
> > ...
> > AuthType Kerberos
> > AuthName "Whatever you want"
> > KrbMethodNegotiate on
> > KrbMethodK5Passwd on
> > KrbAuthoritative on
> > KrbAuthRealms <your REALM = AD domain name>
> > KrbServiceName HTTP/<FQDN of apache host>@<domain>
> > Krb5Keytab /path/to/keytab/file.keytab
> > # this should provide some speed up
> > KrbSaveCredentials on
> >
> > That's all. Do you still think it's hard to setup? ;o)
> >
> > > Thank you very much,
> >
> > You're welcome,
> >
> > Luf
> >
> > > Ludek Finstrle <ludek.finstrle_at_pzkagis.cz> wrote on 02.10.2008 15:26:55:
> > >
> > > > Wed, Oct 01, 2008 at 10:35:43AM +0200, Rudolf.Lippert_at_Proleit.de wrote:
> > > > > I have a problem with at least two edges here:
> > > > > First: mod_auth_ntlm_winbind does not support NTLM over HTTPS, while
> > > > > TortoiseSVN does not support NTLM without HTTPS. At least, this is my
> > > > > understanding so far.
> > > >
> > > > Hello,
> > > >
> > > > another point of view. Isn't mod_auth_kerb enough for you? Do you
> > > > really need ntlm auth? I've working SSO using windows AD as kerberos
> > > > server and a lot of win clients using it without typing their passwords.
> > > > I'm sorry I have no ntlm configuration at all.
> > > >
> > > > Regards,
> > > >
> > > > Luf
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe_at_tortoisesvn.tigris.org
> > For additional commands, e-mail: users-help_at_tortoisesvn.tigris.org
> >

Received on 2008-10-07 14:36:39 CEST
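
Added example, not part of the original thread or of mod_auth_kerb: a static pre-flight check for the krb5.conf layout and the keytab permissions discussed in the messages above. The realm EXAMPLE.TEST, the host names and the function names are assumptions made for illustration, and the three rules are this example's own simplification.

```python
import os
import stat
# Constructed sample in the layout of the krb5.conf above (EXAMPLE.TEST is a placeholder realm).
SAMPLE_KRB5 = """\
[libdefaults]
 default_realm = EXAMPLE.TEST
 dns_lookup_kdc = false
[realms]
 EXAMPLE.TEST = {
   kdc = ad.example.test:88
 }
[domain_realm]
 .example.test = EXAMPLE.TEST
"""

def parse_krb5_conf(text):
    """Parse the simple [section] / key = value / realm = { ... } layout into nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def preflight(krb5_text, realm, host_fqdn, keytab_path):
    """Hypothetical helper: return a list of findings; an empty list means the checks passed."""
    conf, findings = parse_krb5_conf(krb5_text), []
    lib = conf.get("libdefaults", {})
    dns_off = lib.get("dns_lookup_kdc", "").lower() in ("false", "no", "off", "0")
    if dns_off and "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append("no kdc listed for %s while dns_lookup_kdc is off" % realm)
    host, mapping = host_fqdn.lower(), conf.get("domain_realm", {})
    mapped = mapping.get(host) or next(
        (r for d, r in mapping.items() if d.startswith(".") and host.endswith(d)), None)
    if mapped != realm:
        findings.append("%s is not mapped to %s in [domain_realm]" % (host, realm))
    mode = stat.S_IMODE(os.stat(keytab_path).st_mode)
    if mode & 0o007:  # any permission bit set for "other" users
        findings.append("keytab mode %o grants access to other users" % mode)
    return findings
```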

This is an archived mail posted to the TortoiseSVN Users mailing list.
