[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Client authentication with Kerberos ticket

From: Yves Martin <yves.martin_at_elca.ch>
Date: 2006-12-20 15:20:32 CET

On Tue, 2006-11-28 at 16:09 +0100, Yves Martin wrote:
> Hello,
>
> I'm currently deploying Subversion (1.2.3 on Debian Linux server)
> with Apache2/mod_dav/svn/mod_auth_krb
> and a svn client in version 1.4.2 (Linux)
>
> If I allow kerberos password (KrbMethodK5Passwd on)
> it works but the client asks me for the password each time.
>
> If I disable kerberos password (KrbMethodK5Passwd on)
> with KrbMethodNegotiate on,
> the client fails directly without trying my ticket, just
> successfully created with kinit (checked with klist).
>
> I have found no tutorial or FAQ concerning svn+kerberos+ticket
> With neon debug messages enabled, but it does not help me (see below).
> I have compiled neon lib (client) with gssapi. But is it enough ?

    Hello,

 The following Kerberos tutorial enables me to improve
 my configuration:
   http://www.grolmsnet.de/kerbtut/

 Now the SPNEGO seems to work between a IE navigator and
 my Apache2 server.

 But I still have troubles with svn clients:
 . TurtoiseSVN 1.4.1 / SVN 1.4.2 on Windows
    asks me for a user/password to do basic authentication
   
 . svn 1.4.2 command line on Linux also asks me for a password
    even after creating my principal ticket with kinit
    and the service ticket with kvno !

 Neon in debug mode 138 shows:
Got new auth challenge: Negotiate, Basic realm="Domain Login"
New 'Negotiate' challenge.
New 'Basic' challenge.
Got pair: [realm] = [Domain Login]
Finished parsing parameters.
Looking for Digest challenges.
No good Digest challenges, looking for Basic.
Got Basic challenge with realm [Domain Login]

 Why I want to avoid basic authentication ? Because I want to
 avoid https for performance reason. And SPNEGO/Negotiate seems
 to be the right path thanks to Kerberos tickets.

 Is Neon supposed to work with Negotiate and Kerberos ?

 My svn Linux client is properly compiled with GSS
$ grep GSS subversion-1.4.2/neon/config.h
/* Define if GSS_C_NT_HOSTBASED_SERVICE is not defined otherwise */
/* #undef GSS_C_NT_HOSTBASED_SERVICE */
/* Define if GSSAPI support is enabled */
#define HAVE_GSSAPI 1
#define HAVE_GSSAPI_GSSAPI_GENERIC_H 1
#define HAVE_GSSAPI_GSSAPI_H 1
/* #undef HAVE_GSSAPI_H */
#define HAVE_GSS_INIT_SEC_CONTEXT 1

 Have you already experienced such configuration ?
 Thank you in advance for any hint

-- 
Yves Martin - RP/Iliade - ADS / BL2
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Dec 20 15:21:29 2006

This is an archived mail posted to the Subversion Users mailing list.