Re: Client authentication with Kerberos ticket

From: Yves Martin <yves.martin_at_elca.ch>
Date: 2006-12-20 15:20:32 CET

On Tue, 2006-11-28 at 16:09 +0100, Yves Martin wrote:
> Hello,
>
> I'm currently deploying Subversion (1.2.3 on Debian Linux server)
> with Apache2/mod_dav/svn/mod_auth_krb
> and a svn client in version 1.4.2 (Linux)
>
> If I allow kerberos password (KrbMethodK5Passwd on)
> it works but the client asks me for the password each time.
>
> If I disable kerberos password (KrbMethodK5Passwd on)
> with KrbMethodNegotiate on,
> the client fails directly without trying my ticket, just
> successfully created with kinit (checked with klist).
>
> I have found no tutorial or FAQ concerning svn+kerberos+ticket
> With neon debug messages enabled, but it does not help me (see below).
> I have compiled neon lib (client) with gssapi. But is it enough ?

Hello,

The following Kerberos tutorial enables me to improve
my configuration:
http://www.grolmsnet.de/kerbtut/

Now the SPNEGO seems to work between a IE navigator and
my Apache2 server.

But I still have troubles with svn clients:
. TurtoiseSVN 1.4.1 / SVN 1.4.2 on Windows
    asks me for a user/password to do basic authentication

. svn 1.4.2 command line on Linux also asks me for a password
    even after creating my principal ticket with kinit
    and the service ticket with kvno !

Neon in debug mode 138 shows:
Got new auth challenge: Negotiate, Basic realm="Domain Login"
New 'Negotiate' challenge.
New 'Basic' challenge.
Got pair: [realm] = [Domain Login]
Finished parsing parameters.
Looking for Digest challenges.
No good Digest challenges, looking for Basic.
Got Basic challenge with realm [Domain Login]

Why I want to avoid basic authentication ? Because I want to
avoid https for performance reason. And SPNEGO/Negotiate seems
to be the right path thanks to Kerberos tickets.

Is Neon supposed to work with Negotiate and Kerberos ?

My svn Linux client is properly compiled with GSS
$ grep GSS subversion-1.4.2/neon/config.h
/* Define if GSS_C_NT_HOSTBASED_SERVICE is not defined otherwise */
/* #undef GSS_C_NT_HOSTBASED_SERVICE */
/* Define if GSSAPI support is enabled */
#define HAVE_GSSAPI 1
#define HAVE_GSSAPI_GSSAPI_GENERIC_H 1
#define HAVE_GSSAPI_GSSAPI_H 1
/* #undef HAVE_GSSAPI_H */
#define HAVE_GSS_INIT_SEC_CONTEXT 1

Have you already experienced such configuration ?
Thank you in advance for any hint

-- 
Yves Martin - RP/Iliade - ADS / BL2
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Received on Wed Dec 20 15:21:29 2006

This message: [ Message body ]
Next message: Steve.Nelson_at_uk.delarue.com: "RE: Merging branch into trunk"
Previous message: Chris.Fouts_at_qimonda.com: "RE: Merging branch into trunk"
Next in thread: Yves Martin: "Re: Client authentication with Kerberos ticket"
Reply: Yves Martin: "Re: Client authentication with Kerberos ticket"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]