RE: Re: Getting NT Authorization Right with mod_auth_sspi.so

I'm trying the attempts to get this to work for my domain as well using
the deadbeef precompiled SSPI module. With my current configuration, IE
can browse the repositories and never prompts me for credentials, so the
SSPI auth seems to be working. When I browse the repository via IE, I
get access log entries like the following:

192.168.157.65 - - [13/Jul/2004:14:01:44 -0400] "GET
/svn/ProjectName/Client.ProjectName/CodeFile.cs HTTP/1.1" 401 508
192.168.157.65 - - [13/Jul/2004:14:01:44 -0400] "GET
/svn/ProjectName/Client.ProjectName/CodeFile.cs HTTP/1.1" 401 508
192.168.157.65 - apenn [13/Jul/2004:14:01:44 -0400] "GET
/svn/ProjectName/Client.ProjectName/CodeFile.cs HTTP/1.1" 200 15279

This is where IE tries to log in anonymously before offering the SSPI
credentials. No problem there.

TortoiseSVN, though, can't browse, update, or checkout anything from the
repositories with basic authentication off. I get one of the following
entries per access attempt:

192.168.157.65 - - [13/Jul/2004:14:02:36 -0400] "PROPFIND
/svn/ProjectName HTTP/1.1" 401 508

Does anyone know how to make this work? I'd rather not use basic
authentication. My httpd.conf (significant parts) follow:

<Location /svn>
        DAV svn
        SVNParentPath C:\SVNROOT

        Require valid-user
        AuthAuthoritative On

        AuthType SSPI
        SSPIAuth On
        SSPIDomain mydomain.com
        SSPIOmitDomain On
        SSPIOfferBasic Off
        SSPIAuthoritative On
</Location>

# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule auth_module modules/mod_auth.so
...

Thanks!

Arthur

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Mark Bohlman
Sent: Tuesday, July 13, 2004 12:35 PM
To: users@subversion.tigris.org
Subject: Re: Getting NT Authorization Right with mod_auth_sspi.so

Roehl, Dan wrote:
> So I have been trying to get mod_auth_sspi to authenticate me. I think
that
> this has really become an Apache issue rather than an SVN issue.
>
> I have tried the package from:
> http://www.deadbeef.com/software/sspi.html
>
> As well as the package from:
> http://www.gknw.net/development/apache/httpd-2.0/win32/modules/
>
> It just plain is not working.
>
> Has anyone got this to work on a Win2k/sp3-4 box with Apache 2.0?
> Can you walk me through?
>
> Here is my load module from conf:
>
> LoadModule access_module modules/mod_access.so
> LoadModule actions_module modules/mod_actions.so
> LoadModule alias_module modules/mod_alias.so
> LoadModule asis_module modules/mod_asis.so
> #LoadModule auth_anon_module modules/mod_auth_anon.so
> #LoadModule auth_dbm_module modules/mod_auth_dbm.so
> #LoadModule auth_digest_module modules/mod_auth_digest.so
> LoadModule autoindex_module modules/mod_autoindex.so
> #LoadModule cern_meta_module modules/mod_cern_meta.so
> LoadModule cgi_module modules/mod_cgi.so
> LoadModule dav_module modules/mod_dav.so
> LoadModule dav_fs_module modules/mod_dav_fs.so
> LoadModule dir_module modules/mod_dir.so
> LoadModule env_module modules/mod_env.so
> #LoadModule expires_module modules/mod_expires.so
> #LoadModule file_cache_module modules/mod_file_cache.so
> #LoadModule headers_module modules/mod_headers.so
> LoadModule imap_module modules/mod_imap.so
> LoadModule include_module modules/mod_include.so
> #LoadModule info_module modules/mod_info.so
> LoadModule isapi_module modules/mod_isapi.so
> LoadModule log_config_module modules/mod_log_config.so
> LoadModule mime_module modules/mod_mime.so
> #LoadModule mime_magic_module modules/mod_mime_magic.so
> #LoadModule proxy_module modules/mod_proxy.so
> #LoadModule proxy_connect_module modules/mod_proxy_connect.so
> #LoadModule proxy_http_module modules/mod_proxy_http.so
> #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
> LoadModule negotiation_module modules/mod_negotiation.so
> #LoadModule rewrite_module modules/mod_rewrite.so
> LoadModule setenvif_module modules/mod_setenvif.so
> #LoadModule speling_module modules/mod_speling.so
> #LoadModule status_module modules/mod_status.so
> #LoadModule unique_id_module modules/mod_unique_id.so
> LoadModule userdir_module modules/mod_userdir.so
> #LoadModule usertrack_module modules/mod_usertrack.so
> #LoadModule vhost_alias_module modules/mod_vhost_alias.so
> #LoadModule ssl_module modules/mod_ssl.so
> LoadModule dav_svn_module modules/mod_dav_svn.so
> LoadModule authz_svn_module modules/mod_authz_svn.so
> LoadModule sspi_auth_module modules/mod_auth_sspi.so <-- Docs
suggested
> placing toward end of list
> LoadModule auth_module modules/mod_auth.so <-- Other docs suggested
that
> _auth_sspi.so need to be declared B4 mod_auth
>
>
> Here is the relevant directory settings in conf
> ### DJR Subversion settings
> <Location /svn/repos>
> DAV svn
> SVNPath /svn/repos
> AuthzSVNAccessFile D:/Apache2/etc/svnaccessfile
> AuthName "Austin Energy Subversion Repositories"
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative On
> SSPIOfferBasic On
> SSPIBasicPreferred On
> # SSPIOmitDomain On
> require valid-user
> </Location>
>
> When uncommented SSPIOmitDomain Produces error: (invalid command
> 'SSPIOmitDomain', perhaps mis-spelled or defined by a module not
included in
> the server configuration)
>
> Here is my svn acl:
>
> [groups]
> foo = myDomain\roehld
>
> # [/]
> # to allow everyone read access
> # * = r
>
> [/]
> # developers get read write to entire repository
> @developers = rw
>
> [/svn/repos/app]
> myDomain\roehld = rw
>
>
> -----Original Message-----
> From: Toby Johnson [mailto:toby@etjohnson.us]
> Sent: Monday, July 12, 2004 6:08 PM
> To: 'users@subversion.tigris.org'
> Subject: Re: Getting NT Authorization Right with mod_auth_sspi.so
>
> Roehl, Dan wrote:
>
>
>>In my http.conf
>>
>>Where
>>SSPIDomain <value>
>>What should <value> be?
>>I have tried:
>>- The fully qual name of the domain controller itself
>>- ip address of the controller
>>- myDomain.net
>>- myDomain
>>
>>
>
> I use only "myDomain", i.e. the part you see before the backslash when

> logged in and you hit CTRL+ALT+DEL.
>
>
>>None seem to work. Also placing the directive
>>SSPIOmitDomain on
>>In httpd hoses the service completely (won't even start).
>>
>>
>
> Use the version of the SSPI module from this website:
> http://www.deadbeef.com/software/sspi.html and try the "SSPIOmitDomain

> On" again. Then get rid of the domain\ in your AuthZ file, leaving
only
> the username. You don't want that ugly "domain\user" in all your
> logfiles anyway!
>
> The password special char problem only happened to me with the Unix
> client on HP-UX; I've never had problems on Windows so it's probably
> something particular to that platform.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org

Here is one that works for me:
<Location "/repos">
   AuthType SSPI
   SSPIAuth On
   SSPIAuthoritative On
   SSPIDomain "DOMAIN-A"
   SSPIOmitDomain On
   SSPIOfferBasic On
   AuthName "Project"
   Require valid-user
</Location>

Note that I am NOT using the "AuthzSVNAccessFile" setting as you do -
could this be conflicting?
-- Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jul 13 20:18:32 2004