[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Possible bug in win32- 1.4.0 when accessing repository via https

From: John Szakmeister <john_at_szakmeister.net>
Date: 2006-09-25 21:05:29 CEST

----- D.J. Heap <djheap@gmail.com> wrote:
> The binaries on the site are still built on neon 0.26.1. Can you post
> more details of your auth configuration so when I have time I can try
> to set it up and debug the problem? I'd rather fix the issue than go
> back unless it turns out to be unreasonable to do so.

DJ, I haven't been ignoring you. I was extremely busy last week, and getting the configuration off of the machine is actually pretty difficult (we have to go through a security process, which takes a while). I will give a better outline of what I have though.

I'm currently running Subversion under SLES 9 SP2. It's using the native Apache 2.0.x, and I've got the latest mod_auth_kerb on there. It's authenticating against Active Directory running on Windows 2003. To get Kerberos authentication working is a sizeable hassle. You've got to create a principal for the linux server, export a keytab, and load it onto the server. It sounds easy, but I've mad mixed results in getting usable keytabs from Windows (each version of the os seems to be a little different in the exact parameters you need to export the keytab).

I've got mod_auth_kerb enabled for authentication, and I'm allowing it to fall back to Basic authentication in the event the client doesn't support negotiate, or fails to authenticate. To my knowledge, the Subversion client has never done the negotiate thing correctly on Windows (or more precisely, Neon), so it always falls back to basic authentication. It all occurs over https://, and I've got the root ca certificate added to my configuration, so that it can verify the server's certificate. Firefox works (it does the negotiate and forwards the ticket information). Subversion dies.

I'd recommend putting the binaries based on Neon 0.25.x up there. We definitely seen problems, and 0.25.5 seems to cope better. I think something more has changed in the 0.26 version of Neon... data structures are definitely getting cleared or clobbered. :-(

I'm working to get the configuration, but it'll take a little more time.


To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Mon Sep 25 21:08:20 2006

This is an archived mail posted to the Subversion Users mailing list.