[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Getting NT Authorization Right with mod_auth_sspi.so

From: Mark Bohlman <mbohlman_at_tcicredit.com>
Date: 2004-07-13 20:53:05 CEST

Arthur Penn wrote:
> I'm trying the attempts to get this to work for my domain as well using
> the deadbeef precompiled SSPI module. With my current configuration, IE
> can browse the repositories and never prompts me for credentials, so the
> SSPI auth seems to be working. When I browse the repository via IE, I
> get access log entries like the following:
>
> 192.168.157.65 - - [13/Jul/2004:14:01:44 -0400] "GET
> /svn/ProjectName/Client.ProjectName/CodeFile.cs HTTP/1.1" 401 508
> 192.168.157.65 - - [13/Jul/2004:14:01:44 -0400] "GET
> /svn/ProjectName/Client.ProjectName/CodeFile.cs HTTP/1.1" 401 508
> 192.168.157.65 - apenn [13/Jul/2004:14:01:44 -0400] "GET
> /svn/ProjectName/Client.ProjectName/CodeFile.cs HTTP/1.1" 200 15279
>
> This is where IE tries to log in anonymously before offering the SSPI
> credentials. No problem there.
>
> TortoiseSVN, though, can't browse, update, or checkout anything from the
> repositories with basic authentication off. I get one of the following
> entries per access attempt:
>
> 192.168.157.65 - - [13/Jul/2004:14:02:36 -0400] "PROPFIND
> /svn/ProjectName HTTP/1.1" 401 508
>
> Does anyone know how to make this work? I'd rather not use basic
> authentication. My httpd.conf (significant parts) follow:
>
> <Location /svn>
> DAV svn
> SVNParentPath C:\SVNROOT
>
> Require valid-user
> AuthAuthoritative On
>
> AuthType SSPI
> SSPIAuth On
> SSPIDomain mydomain.com
> SSPIOmitDomain On
> SSPIOfferBasic Off
> SSPIAuthoritative On
> </Location>
>
>
> # Example:
> # LoadModule foo_module modules/mod_foo.so
> #
> LoadModule access_module modules/mod_access.so
> LoadModule actions_module modules/mod_actions.so
> LoadModule alias_module modules/mod_alias.so
> LoadModule asis_module modules/mod_asis.so
> LoadModule sspi_auth_module modules/mod_auth_sspi.so
> LoadModule auth_module modules/mod_auth.so
> ...
>
>
> Thanks!
>
> Arthur
>
>
> -----Original Message-----
> From: news [mailto:news@sea.gmane.org] On Behalf Of Mark Bohlman
> Sent: Tuesday, July 13, 2004 12:35 PM
> To: users@subversion.tigris.org
> Subject: Re: Getting NT Authorization Right with mod_auth_sspi.so
>
> Roehl, Dan wrote:
>
>>So I have been trying to get mod_auth_sspi to authenticate me. I think
>
> that
>
>>this has really become an Apache issue rather than an SVN issue.
>>
>>I have tried the package from:
>>http://www.deadbeef.com/software/sspi.html
>>
>>As well as the package from:
>>http://www.gknw.net/development/apache/httpd-2.0/win32/modules/
>>
>>It just plain is not working.
>>
>>Has anyone got this to work on a Win2k/sp3-4 box with Apache 2.0?
>>Can you walk me through?
>>
>>Here is my load module from conf:
>>
>>LoadModule access_module modules/mod_access.so
>>LoadModule actions_module modules/mod_actions.so
>>LoadModule alias_module modules/mod_alias.so
>>LoadModule asis_module modules/mod_asis.so
>>#LoadModule auth_anon_module modules/mod_auth_anon.so
>>#LoadModule auth_dbm_module modules/mod_auth_dbm.so
>>#LoadModule auth_digest_module modules/mod_auth_digest.so
>>LoadModule autoindex_module modules/mod_autoindex.so
>>#LoadModule cern_meta_module modules/mod_cern_meta.so
>>LoadModule cgi_module modules/mod_cgi.so
>>LoadModule dav_module modules/mod_dav.so
>>LoadModule dav_fs_module modules/mod_dav_fs.so
>>LoadModule dir_module modules/mod_dir.so
>>LoadModule env_module modules/mod_env.so
>>#LoadModule expires_module modules/mod_expires.so
>>#LoadModule file_cache_module modules/mod_file_cache.so
>>#LoadModule headers_module modules/mod_headers.so
>>LoadModule imap_module modules/mod_imap.so
>>LoadModule include_module modules/mod_include.so
>>#LoadModule info_module modules/mod_info.so
>>LoadModule isapi_module modules/mod_isapi.so
>>LoadModule log_config_module modules/mod_log_config.so
>>LoadModule mime_module modules/mod_mime.so
>>#LoadModule mime_magic_module modules/mod_mime_magic.so
>>#LoadModule proxy_module modules/mod_proxy.so
>>#LoadModule proxy_connect_module modules/mod_proxy_connect.so
>>#LoadModule proxy_http_module modules/mod_proxy_http.so
>>#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
>>LoadModule negotiation_module modules/mod_negotiation.so
>>#LoadModule rewrite_module modules/mod_rewrite.so
>>LoadModule setenvif_module modules/mod_setenvif.so
>>#LoadModule speling_module modules/mod_speling.so
>>#LoadModule status_module modules/mod_status.so
>>#LoadModule unique_id_module modules/mod_unique_id.so
>>LoadModule userdir_module modules/mod_userdir.so
>>#LoadModule usertrack_module modules/mod_usertrack.so
>>#LoadModule vhost_alias_module modules/mod_vhost_alias.so
>>#LoadModule ssl_module modules/mod_ssl.so
>>LoadModule dav_svn_module modules/mod_dav_svn.so
>>LoadModule authz_svn_module modules/mod_authz_svn.so
>>LoadModule sspi_auth_module modules/mod_auth_sspi.so <-- Docs
>
> suggested
>
>>placing toward end of list
>>LoadModule auth_module modules/mod_auth.so <-- Other docs suggested
>
> that
>
>>_auth_sspi.so need to be declared B4 mod_auth
>>
>>
>>Here is the relevant directory settings in conf
>>### DJR Subversion settings
>> <Location /svn/repos>
>> DAV svn
>> SVNPath /svn/repos
>> AuthzSVNAccessFile D:/Apache2/etc/svnaccessfile
>> AuthName "Austin Energy Subversion Repositories"
>> AuthType SSPI
>> SSPIAuth On
>> SSPIAuthoritative On
>> SSPIOfferBasic On
>> SSPIBasicPreferred On
>> # SSPIOmitDomain On
>> require valid-user
>> </Location>
>>
>>When uncommented SSPIOmitDomain Produces error: (invalid command
>>'SSPIOmitDomain', perhaps mis-spelled or defined by a module not
>
> included in
>
>>the server configuration)
>>
>>Here is my svn acl:
>>
>>[groups]
>>foo = myDomain\roehld
>>
>># [/]
>># to allow everyone read access
>># * = r
>>
>> [/]
>># developers get read write to entire repository
>>@developers = rw
>>
>> [/svn/repos/app]
>>myDomain\roehld = rw
>>
>>
>>-----Original Message-----
>>From: Toby Johnson [mailto:toby@etjohnson.us]
>>Sent: Monday, July 12, 2004 6:08 PM
>>To: 'users@subversion.tigris.org'
>>Subject: Re: Getting NT Authorization Right with mod_auth_sspi.so
>>
>>Roehl, Dan wrote:
>>
>>
>>
>>>In my http.conf
>>>
>>>Where
>>>SSPIDomain <value>
>>>What should <value> be?
>>>I have tried:
>>>- The fully qual name of the domain controller itself
>>>- ip address of the controller
>>>- myDomain.net
>>>- myDomain
>>>
>>>
>>
>>I use only "myDomain", i.e. the part you see before the backslash when
>
>
>>logged in and you hit CTRL+ALT+DEL.
>>
>>
>>
>>>None seem to work. Also placing the directive
>>>SSPIOmitDomain on
>>>In httpd hoses the service completely (won't even start).
>>>
>>>
>>
>>Use the version of the SSPI module from this website:
>>http://www.deadbeef.com/software/sspi.html and try the "SSPIOmitDomain
>
>
>>On" again. Then get rid of the domain\ in your AuthZ file, leaving
>
> only
>
>>the username. You don't want that ugly "domain\user" in all your
>>logfiles anyway!
>>
>>The password special char problem only happened to me with the Unix
>>client on HP-UX; I've never had problems on Windows so it's probably
>>something particular to that platform.
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
>>For additional commands, e-mail: users-help@subversion.tigris.org
>
>
>
> Here is one that works for me:
> <Location "/repos">
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain "DOMAIN-A"
> SSPIOmitDomain On
> SSPIOfferBasic On
> AuthName "Project"
> Require valid-user
> </Location>
>
> Note that I am NOT using the "AuthzSVNAccessFile" setting as you do -
> could this be conflicting?
> -- Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org

Arthur,
    Are you sure you're pointing to the proper location using Tortoise?
  Create a new folder, go to that in Win Explorer, check out your
project using Tortoise. If still not allowing you access to your
project go to a command window (cmd or bash, if cygwin user) and try
from the command line via "svn co http://server/project". If the
credentials for svn haven't been set this will set them, after prompting
you, in %APPDATA%/Subversion/auth/svn.simple.

   I seem to recall a similar problem corrected by this.
-- Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jul 13 20:53:31 2004

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.