[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Apache 2 and Windows domain authentication - authorization failure (almost certainly a bug?)

From: Walter Nicholls <walter.nicholls_at_cornerstone.co.nz>
Date: 2003-07-25 08:00:59 CEST

I'm unable to get Subversion clients to authenticate properly against an
Apache server, using Windows Domain authentication. A web browser works
ok. Basic authentication works ok. Files other than subversioned ones
work ok.

Could this be a bug (perhaps in Neon?). I don't have enough familiarity
with the code bits and pieces to be sure where the problem is, but the
information in the Apache logs is pretty damning.

More detail follows

====== Installation ======
I've pretty much followed
http://tortoisesvn.tigris.org/serverinstall.html to the letter.
   Windows 2000 server (SP2), is a domain controller.
   Apache 2.0.47 (no SSL) with mod_auth_sspi
   Subversion 0.25.0r6433
   Repository in F:\SVN\ (cd F:\SVN; svnadmin create test etc)

====== Test #1 - local file: access - OK ======
Using svn client ON THE SERVER with file:///path/to/repos works fine,
can checkout, commit (rememberring current drive letter issues)

====== Test #2 - remote access using http+basic auth - OK ======
Apache is configured as follows:
 <Location /svn>
   DAV svn
   SVNParentPath "f:/svn"
   AuthName "Subversion repositories"
   AuthType basic
   AuthUserFile "f:/svn/svn_passwd"
   Require valid-user
 </Location>

Using svn command-line client on a remote windows box, or TortoiseSVN,
can checkout, commit ok.

Looking at Apache access.log, access from a web browser looks like this
192.168.80.64 - walter [25/Jul/2003:17:46:24 +1200] "GET
/svn/test/trunk/ HTTP/1.1" 200 338

svn update --username walter --password WhatIPutInPasswdFile
192.168.80.64 - walter [25/Jul/2003:17:45:16 +1200] "PROPFIND
/svn/test/trunk HTTP/1.1" 207 606
192.168.80.64 - walter [25/Jul/2003:17:45:16 +1200] "REPORT
/svn/test/!svn/vcc/default HTTP/1.1" 200 323

OK so far...

====== Test #3 - remote access using http+NTLM auth - NOT OK ======
Apache configured:
 <Location /svn>
   DAV svn
   SVNParentPath "f:/svn"
   AuthName "Subversion repositories"
   AuthType SSPI
   SSPIAuth On
   SSPIAuthoritative On
# SSPIDomain xyz - doesn't seem to make any difference
   Require valid-user
 </Location>

Now trying:
  C:\work\test\trunk>svn update
  svn: Authorization failed
  svn: PROPFIND request failed on '/svn/test/trunk'
  svn: PROPFIND of '/svn/test/trunk': authorization failed
(http://svn.csl)

None of these work either
  svn update --username walter
  svn update --username csl\walter
  svn update --username walter --password MyRealDomainPassword
  svn update --username csl\\walter --password MyRealDomainPassword
(and just about every other combination thereof. Note variation on
csl\walter vs csl\\walter)

Same sort of problems with TortoiseSVN - and it asks for password (left
over from test#2) and then retries asking for username+password, so it
isn't a cached-password issue.

Apache access log is the interesting one.
An access using a web browser (Mozilla firebird as it happens):
192.168.80.64 - CSL\\Walter [25/Jul/2003:17:41:33 +1200] "GET
/svn/test/trunk/ HTTP/1.1" 200 338

But an access using svn update:
192.168.80.64 - - [25/Jul/2003:17:42:38 +1200] "PROPFIND /svn/test/trunk
HTTP/1.1" 401 512

Note two things: No sign of user name, and 401 error result

However if I use the same authentication method to protect a perl
script, I get this:
192.168.80.64 - csl\\walter [25/Jul/2003:17:46:50 +1200] "GET
/cgi-bin/whoami.pl HTTP/1.1" 200 275

(and the perl script in question prints 'you appear to be user "walter"
on domain "csl"' as expected)

====== Test #4 - require auth for commits only ======
Don't think this demonstrates anything not already quite clear, but for
completeness...

If I change
   Require valid-user
to
   <LimitExcept GET PROPFIND OPTIONS REPORT>
     Require valid-user
   </LimitExcept>

Then, fairly predictably, svn update, svn checkout etc work; svn commit
fails with similar error:

C:\work\test\trunk>svn commit --message "blah blah"
svn: Authorization failed
svn: Commit failed (details follow):
svn: MKACTIVITY of
/svn/test/!svn/act/a6cf85f6-94c6-834a-84da-52f08b2b2e29: authorization
failed (http://svn.csl)

======= Summary ======
Since Web browser + SSPI authentication to whoami.pl works, and shows my
user name in the access log, but
 Web browser + SSPI authentaction to subversion Does not work, and does
not show my user name in the access log

I conclude it is Subversion's fault. Should this be posted to DEV then?
<g>

Any comments totally and utterly welcome. I'd love to solve this so I
can move on (turn on https, get a real project running etc). I can
provide more detail if the above isn't already totally OTT, although I'd
prefer specific requests for specific config items, or a 'try this'
rather than 'send me all of httpd.conf' kind of thing.

TIA for any help.

--------------------
Walter Nicholls (walter.nicholls@cornerstone.co.nz)
Technology Manager
Cornerstone Software Ltd (www.cornerstone.co.nz)
 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Jul 25 07:57:33 2003

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.