Re: Possible bug in win32- 1.4.0 when accessing repository via https
From: John Szakmeister <john_at_szakmeister.net>
Date: 2006-09-25 21:05:29 CEST
----- D.J. Heap <djheap@gmail.com> wrote:
DJ, I haven't been ignoring you. I was extremely busy last week, and getting the configuration off of the machine is actually pretty difficult (we have to go through a security process, which takes a while). I will give a better outline of what I have though.
I'm currently running Subversion under SLES 9 SP2. It's using the native Apache 2.0.x, and I've got the latest mod_auth_kerb on there. It's authenticating against Active Directory running on Windows 2003. To get Kerberos authentication working is a sizeable hassle. You've got to create a principal for the linux server, export a keytab, and load it onto the server. It sounds easy, but I've mad mixed results in getting usable keytabs from Windows (each version of the os seems to be a little different in the exact parameters you need to export the keytab).
I've got mod_auth_kerb enabled for authentication, and I'm allowing it to fall back to Basic authentication in the event the client doesn't support negotiate, or fails to authenticate. To my knowledge, the Subversion client has never done the negotiate thing correctly on Windows (or more precisely, Neon), so it always falls back to basic authentication. It all occurs over https://, and I've got the root ca certificate added to my configuration, so that it can verify the server's certificate. Firefox works (it does the negotiate and forwards the ticket information). Subversion dies.
I'd recommend putting the binaries based on Neon 0.25.x up there. We definitely seen problems, and 0.25.5 seems to cope better. I think something more has changed in the 0.26 version of Neon... data structures are definitely getting cleared or clobbered. :-(
I'm working to get the configuration, but it'll take a little more time.
-John
---------------------------------------------------------------------
|
This is an archived mail posted to the Subversion Users mailing list.
This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.