I'm unable to get Subversion clients to authenticate properly against an
Apache server, using Windows Domain authentication. A web browser works
ok. Basic authentication works ok. Files other than subversioned ones
work ok.
Could this be a bug (perhaps in Neon?). I don't have enough familiarity
with the code bits and pieces to be sure where the problem is, but the
information in the Apache logs is pretty damning.
More detail follows
====== Installation ======
I've pretty much followed
http://tortoisesvn.tigris.org/serverinstall.html to the letter.
Windows 2000 server (SP2), is a domain controller.
Apache 2.0.47 (no SSL) with mod_auth_sspi
Subversion 0.25.0r6433
Repository in F:\SVN\ (cd F:\SVN; svnadmin create test etc)
====== Test #1 - local file: access - OK ======
Using svn client ON THE SERVER with file:///path/to/repos works fine,
can checkout, commit (rememberring current drive letter issues)
====== Test #2 - remote access using http+basic auth - OK ======
Apache is configured as follows:
<Location /svn>
DAV svn
SVNParentPath "f:/svn"
AuthName "Subversion repositories"
AuthType basic
AuthUserFile "f:/svn/svn_passwd"
Require valid-user
</Location>
Using svn command-line client on a remote windows box, or TortoiseSVN,
can checkout, commit ok.
Looking at Apache access.log, access from a web browser looks like this
192.168.80.64 - walter [25/Jul/2003:17:46:24 +1200] "GET
/svn/test/trunk/ HTTP/1.1" 200 338
svn update --username walter --password WhatIPutInPasswdFile
192.168.80.64 - walter [25/Jul/2003:17:45:16 +1200] "PROPFIND
/svn/test/trunk HTTP/1.1" 207 606
192.168.80.64 - walter [25/Jul/2003:17:45:16 +1200] "REPORT
/svn/test/!svn/vcc/default HTTP/1.1" 200 323
OK so far...
====== Test #3 - remote access using http+NTLM auth - NOT OK ======
Apache configured:
<Location /svn>
DAV svn
SVNParentPath "f:/svn"
AuthName "Subversion repositories"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
# SSPIDomain xyz - doesn't seem to make any difference
Require valid-user
</Location>
Now trying:
C:\work\test\trunk>svn update
svn: Authorization failed
svn: PROPFIND request failed on '/svn/test/trunk'
svn: PROPFIND of '/svn/test/trunk': authorization failed
(http://svn.csl)
None of these work either
svn update --username walter
svn update --username csl\walter
svn update --username walter --password MyRealDomainPassword
svn update --username csl\\walter --password MyRealDomainPassword
(and just about every other combination thereof. Note variation on
csl\walter vs csl\\walter)
Same sort of problems with TortoiseSVN - and it asks for password (left
over from test#2) and then retries asking for username+password, so it
isn't a cached-password issue.
Apache access log is the interesting one.
An access using a web browser (Mozilla firebird as it happens):
192.168.80.64 - CSL\\Walter [25/Jul/2003:17:41:33 +1200] "GET
/svn/test/trunk/ HTTP/1.1" 200 338
But an access using svn update:
192.168.80.64 - - [25/Jul/2003:17:42:38 +1200] "PROPFIND /svn/test/trunk
HTTP/1.1" 401 512
Note two things: No sign of user name, and 401 error result
However if I use the same authentication method to protect a perl
script, I get this:
192.168.80.64 - csl\\walter [25/Jul/2003:17:46:50 +1200] "GET
/cgi-bin/whoami.pl HTTP/1.1" 200 275
(and the perl script in question prints 'you appear to be user "walter"
on domain "csl"' as expected)
====== Test #4 - require auth for commits only ======
Don't think this demonstrates anything not already quite clear, but for
completeness...
If I change
Require valid-user
to
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
Then, fairly predictably, svn update, svn checkout etc work; svn commit
fails with similar error:
C:\work\test\trunk>svn commit --message "blah blah"
svn: Authorization failed
svn: Commit failed (details follow):
svn: MKACTIVITY of
/svn/test/!svn/act/a6cf85f6-94c6-834a-84da-52f08b2b2e29: authorization
failed (http://svn.csl)
======= Summary ======
Since Web browser + SSPI authentication to whoami.pl works, and shows my
user name in the access log, but
Web browser + SSPI authentaction to subversion Does not work, and does
not show my user name in the access log
I conclude it is Subversion's fault. Should this be posted to DEV then?
<g>
Any comments totally and utterly welcome. I'd love to solve this so I
can move on (turn on https, get a real project running etc). I can
provide more detail if the above isn't already totally OTT, although I'd
prefer specific requests for specific config items, or a 'try this'
rather than 'send me all of httpd.conf' kind of thing.
TIA for any help.
--------------------
Walter Nicholls (walter.nicholls@cornerstone.co.nz)
Technology Manager
Cornerstone Software Ltd (www.cornerstone.co.nz)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Jul 25 07:57:33 2003