[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Antwort: Re: Antwort: Re: Linux mod_auth_ntlm_winbind and TortoiseSVN

From: <Rudolf.Lippert_at_Proleit.de>
Date: Tue, 7 Oct 2008 15:08:03 +0200

Hi.

Still no change.
I get as far as kinit, and I can also retrieve the kvno for my service. It
corresponds to the output of ktutil.
It seems apache doesn't even try to authenticate using kerberos...

Ludek Finstrle <ludek.finstrle_at_pzkagis.cz> schrieb am 07.10.2008 14:35:23:

> Hello,
>
> Mon, Oct 06, 2008 at 11:44:47AM +0200, Rudolf.Lippert_at_Proleit.de
napsal(a):
> > I wish it was that easy. I got a domain admin to create a keytab for
me
> > and installed it according to http://grolmsnet.de/kerbtut. But I still
get
> > a 401 response and no log messages whatsoever.
> > What am I missing?
>
> I'm sorry. I forgot to mention the change in /etc/krb5.conf.
> I have this /etc/krb5.conf:
> [libdefaults]
> default_realm = <REALM>
> ccache_type = 4
> dns_lookup_realm = false
> dns_lookup_kdc = false
> forwardable = yes
> kdc_timesync = 1
> proxiable = no
>
> [realms]
> <REALM> = {
> kdc = <YOUR AD>:88
> admin_server = <YOUR AD>
> default_domain = <YOUR domain>
> }
>
> [domain_realm]
> .<domain name> = <REALM>
> <domain name> = <REALM>
>
> You can test this with
> kinit <login>
> where login is you login to domain (don't type <DOMAIN>\<login>).
> You can check klist and don't forget kdestroy (after test).
>
> Thank you for kicking me to the right way
>
> Luf
>
> > Ludek Finstrle <ludek.finstrle_at_pzkagis.cz> schrieb am 02.10.2008
16:18:59:
> >
> > > Hello,
> > >
> > > Thu, Oct 02, 2008 at 03:41:34PM +0200, Rudolf.Lippert_at_Proleit.de
> > napsal(a):
> > > > I have noticed the mod_auth_kerb module, but I haven't been able
to
> > figure
> > > > out what I need to do to make it work. It seem much more
complicated
> > than
> > > > winbind. Still, if one works and the other doesn't, I'll go for
kerb.
> > > > Could you explain how you got SSO working?
> > >
> > > I don't think so. Here you're steps:
> > >
> > > 1) create account for machine in AD and export host keytab
> > > HTTP/<FQDN> of apache host - IP where apache is listening on
> > > (forward "A" and reverse "PTR" DNS entry have to match)
> > > (http://technet.microsoft.com/en-us/library/bb742433.aspx)
> > > 2) put the keytab with enough secure permissions to apache host
> > > apache process has to have rights to read this keytab
> > > 3) configure mod_auth_kerb this way:
> > > LoadModule auth_kerb_module modules/mod_auth_kerb.so
> > > ...
> > > AuthType Kerberos
> > > AuthName "Whatever you want"
> > > KrbMethodNegotiate on
> > > KrbMethodK5Passwd on
> > > KrbAuthoritative on
> > > KrbAuthRealms <your REALM = AD domain name>
> > > KrbServiceName HTTP/<FQDN of apache host>@<domain>
> > > Krb5Keytab /path/to/keytab/file.keytab
> > > # this should provide some speed up
> > > KrbSaveCredentials on
> > >
> > > That's all. Do you still think it's hard to setup? ;o)
> > >
> > > > Dekuji moc,
> > >
> > > Neni zac,
> > >
> > > Luf
> > >
> > > > Ludek Finstrle <ludek.finstrle_at_pzkagis.cz> schrieb am 02.10.2008
> > 15:26:55:
> > > >
> > > > > Wed, Oct 01, 2008 at 10:35:43AM +0200, Rudolf.Lippert_at_Proleit.de

> > > > napsal(a):
> > > > > > I have a problem with at least two edges here:
> > > > > > First:: mod_auth_ntlm_winbind does not support NTLM over
HTTPS,
> > while
> > > > > > TortoiseSVN does not support NTLM without HTTPS. At least,
this is
> > my
> > > > > > understanding so far.
> > > > >
> > > > > Hello,
> > > > >
> > > > > another point of view. Isn't mod_auth_kerb enough for you? Do
you
> > > > > really need ntlm auth? I've working SSO using windows AD as
kerberos
> > > > > server and a lot of win clients using it without typing their
> > passwords.
> > > > > I'm sorry I have no ntlm configuration at all.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Luf
> > >
> > >
---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe_at_tortoisesvn.tigris.org
> > > For additional commands, e-mail: users-help_at_tortoisesvn.tigris.org
> > >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_tortoisesvn.tigris.org
> For additional commands, e-mail: users-help_at_tortoisesvn.tigris.org
>
Received on 2008-10-07 15:04:13 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.