RE: linux subversion client with Kerberos
From: Steve Zeng <SteveZ_at_airg.com>
Date: Wed, 23 Jul 2008 15:40:57 -0700
Shirish,
I modified the neon.spec file and redid everything. Problem is about the
By the way, do you use Windows Active Directory as KDC as well?
Steve
1) rebuild the rpm:
# grep -i gssapi config.log
$ ./configure --build=i686-redhat-linux-gnu
configure:29073: checking gssapi/gssapi.h usability
configure:29118: checking gssapi/gssapi.h presence
configure:29189: checking for gssapi/gssapi.h
configure:29269: gcc -o conftest -O2 -g -pipe -Wall
configure:29309: GSSAPI authentication support enabled
configure:29330: checking gssapi/gssapi_generic.h usability
configure:29375: checking gssapi/gssapi_generic.h presence
configure:29446: checking for gssapi/gssapi_generic.h
ac_cv_header_gssapi_gssapi_generic_h=yes
ac_cv_header_gssapi_gssapi_h=yes
NEON_LIBS=' -lz -L/usr/kerberos/lib -lssl -lcrypto -ldl -lz
#define HAVE_GSSAPI 1
#define HAVE_GSSAPI_GSSAPI_GENERIC_H 1
#define HAVE_GSSAPI_GSSAPI_H 1
2) Then I remove the old neon rpm and install the new customized neon
3) kinit SteveZ
Ticket cache: FILE:/tmp/krb5cc_1054_ZbDD0l
Default principal: SteveZ_at_EXAMPLE.COM
Valid starting Expires Service principal
07/23/08 22:23:59 07/24/08 08:24:02 krbtgt/EXAMPLE.COM_at_EXAMPLE.COM
renew until 07/24/08 22:23:59
4) svn ls https://officeg3.example.com/svn/repos/
svn: PROPFIND request failed on '/svn/repos'
svn: PROPFIND of '/svn/repos': 401 Authorization Required
5) Apache logs:
==> /var/log/httpd/ssl_error_log <==
[Wed Jul 23 22:31:42 2008] [error] [client 192.168.1.11]
==> /var/log/httpd/ssl_request_log <==
[23/Jul/2008:22:31:42 +0000] 192.168.1.11 TLSv1 DHE-RSA-AES256-SHA
[23/Jul/2008:22:31:42 +0000] 192.168.1.11 TLSv1 DHE-RSA-AES256-SHA
6) neon debug output:
ah_create, for WWW-Authenticate
Doing DNS lookup on officeg3.example.com...
Running pre_send hooks
Not handling session.
Sending request headers:
PROPFIND /svn/repos HTTP/1.1
Host: officeg3.example.com
User-Agent: SVN/1.4.6 (r28521) neon/0.25.5
Keep-Alive:
Connection: TE, Keep-Alive
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Sending request-line and headers:
Connecting to 192.168.1.205
Sending request body:
Body block (300 bytes):
[<?xml version="1.0" encoding="utf-8"?><propfind
Request sent; retry is 0.
[status-line] < HTTP/1.1 401 Authorization Required
[hdr] Date: Wed, 23 Jul 2008 22:24:10 GMT
Header Name: [date], Value: [Wed, 23 Jul 2008 22:24:10 GMT]
[hdr] Server: Apache/2.2.3 (CentOS)
Header Name: [server], Value: [Apache/2.2.3 (CentOS)]
[hdr] WWW-Authenticate: Negotiate
Header Name: [www-authenticate], Value: [Negotiate]
[hdr] Content-Length: 484
Header Name: [content-length], Value: [484]
[hdr] Connection: close
Header Name: [connection], Value: [close]
[hdr] Content-Type: text/html; charset=iso-8859-1
Header Name: [content-type], Value: [text/html; charset=iso-8859-1]
[hdr]
End of headers.
Reading 484 bytes of response body.
Got 484 bytes.
Read block (484 bytes):
[<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at officeg3.example.com Port
</body></html>
]
Running post_send hooks
ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is Negotiate
Got challenge (code 401).
Got new auth challenge: Negotiate
New 'Negotiate' challenge.
Finished parsing parameters.
Looking for GSSAPI.
gssapi: init_sec_context OK. (major=1)
gssapi: Output token:
Running pre_send hooks
Handling auth session.
Sending request headers:
PROPFIND /svn/repos HTTP/1.1
Host: officeg3.example.com
User-Agent: SVN/1.4.6 (r28521) neon/0.25.5
Keep-Alive:
Connection: TE, Keep-Alive
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Authorization:
Sending request-line and headers:
Connecting to 192.168.1.205
Sending request body:
Body block (300 bytes):
[<?xml version="1.0" encoding="utf-8"?><propfind
Request sent; retry is 0.
[status-line] < HTTP/1.1 401 Authorization Required
[hdr] Date: Wed, 23 Jul 2008 22:24:10 GMT
Header Name: [date], Value: [Wed, 23 Jul 2008 22:24:10 GMT]
[hdr] Server: Apache/2.2.3 (CentOS)
Header Name: [server], Value: [Apache/2.2.3 (CentOS)]
[hdr] Content-Length: 484
Header Name: [content-length], Value: [484]
[hdr] Connection: close
Header Name: [connection], Value: [close]
[hdr] Content-Type: text/html; charset=iso-8859-1
Header Name: [content-type], Value: [text/html; charset=iso-8859-1]
[hdr]
End of headers.
Reading 484 bytes of response body.
Got 484 bytes.
Read block (484 bytes):
[<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at officeg3.example.com Port
</body></html>
]
Running post_send hooks
ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is (none)
Request ends, status 401 class 4xx, error line:
401 Authorization Required
Running destroy hooks.
Request ends.
svn: PROPFIND request failed on '/svn/repos'
svn: PROPFIND of '/svn/repos': 401 Authorization Required
ne_session_destroy called.
ne_session_destroy called.
> -----Original Message-----
> From: Shirish Jain [mailto:lists_at_getafix.net]
> Sent: July 23, 2008 3:10 PM
> To: Steve Zeng
> Subject: Re: linux subversion client with Kerberos
>
> Steve,
>
> You will need to
> a) modify the spec file to include '--with-gssapi'. (AFAIK)
> (edit this line %configure --with-ssl --with-expat --enable-shared
> --enable-warnings)
> b) build rpm with modified spec file (rpm -bb , should do it, however
> refer to ur distro documentation on it please). watch the build output
> for messages referring to GSSAPI.
> c) install the new RPM
>
> try steps from kinit to svn again. post errors (and corresponding
> entries in apache error & access logs, too)
>
> ..SJ
>
> Steve Zeng wrote:
> > Shirish,
> >
> > I download and installed the src RPM and below is neon.spec. How can
> > tell if GSSAPI is enabled or not? I assume it is enabled by default,
> > correct?
> >
> > Steve
> >
> >
> > ==
> > #cat neon.spec
> > Summary: An HTTP and WebDAV client library
> > Name: neon
> > Version: 0.25.5
> > Release: 5.1
> > License: LGPL
> > Group: Applications/Publishing
> > Prefix: %{_prefix}
> > URL: http://www.webdav.org/neon/
> > Source0: http://www.webdav.org/neon/neon-%{version}.tar.gz
> > Patch0: neon-0.25.5-multilib.patch
> > BuildRequires: expat-devel, openssl-devel, zlib-devel, krb5-devel
> > BuildRequires: pkgconfig
> > BuildRoot: %{_tmppath}/%{name}-root
> > Conflicts: subversion < 0.22.2-4
> >
> > %description
> > neon is an HTTP and WebDAV client library, with a C interface;
> > providing a high-level interface to HTTP and WebDAV methods along
> > with a low-level interface for HTTP request handling. neon
> > supports persistent connections, proxy servers, basic, digest and
> > Kerberos authentication, and has complete SSL support.
> >
> > %package devel
> > Summary: Development libraries and C header files for the neon
> > Group: Development/Libraries
> > Requires: neon = %{version}-%{release}, openssl-devel, zlib-devel,
> > expat-devel
> > Requires: pkgconfig
> > Conflicts: subversion-devel < 0.22.2-4
> >
> > %description devel
> > The development library for the C language HTTP and WebDAV client
> > library.
> >
> > %prep
> > %setup -q
> > %patch0 -p1 -b .multilib
> >
> > %build
> > %configure --with-ssl --with-expat --enable-shared --enable-warnings
> > make %{?_smp_mflags}
> >
> > %install
> > rm -rf $RPM_BUILD_ROOT
> > %makeinstall
> >
> > %clean
> > rm -rf $RPM_BUILD_ROOT
> >
> > %post -p /sbin/ldconfig
> >
> > %postun -p /sbin/ldconfig
> >
> > %files
> > %defattr(-,root,root)
> > %doc AUTHORS BUGS TODO src/COPYING.LIB NEWS README THANKS
> > %{_libdir}/*.so.*
> >
> > %files devel
> > %defattr(-,root,root)
> > %{_bindir}/*
> > %{_includedir}/*
> > %{_libdir}/pkgconfig/neon.pc
> > %{_mandir}/man1/*
> > %{_mandir}/man3/*
> > %{_libdir}/*.*a
> > %{_libdir}/*.so
> >
> > %changelog
> > * Wed Jul 12 2006 Jesse Keating <jkeating_at_redhat.com> - 0.25.5-5.1
> > - rebuild
> >
> > * Thu Jun 1 2006 Joe Orton <jorton_at_redhat.com> 0.25.5-5
> > - have -devel require pkgconfig (#193355)
> >
> > * Wed May 24 2006 Joe Orton <jorton_at_redhat.com> 0.25.5-4
> > - add multilib fixes for neon-config (#192734)
> >
> > * Wed May 17 2006 Joe Orton <jorton_at_redhat.com> 0.25.5-3
> > - rebuild
> >
> > * Mon Feb 27 2006 Joe Orton <jorton_at_redhat.com> 0.25.5-2
> > - don't trim exported libraries (#182997)
> >
> > * Fri Feb 10 2006 Jesse Keating <jkeating_at_redhat.com> - 0.25.5-1.2
> > - bump again for double-long bug on ppc(64)
> >
> > * Tue Feb 07 2006 Jesse Keating <jkeating_at_redhat.com> - 0.25.5-1.1
> > - rebuilt for new gcc4.1 snapshot and glibc changes
> >
> > * Tue Jan 31 2006 Joe Orton <jorton_at_redhat.com> 0.25.5-1
> > - update to 0.25.5
> >
> > * Fri Dec 09 2005 Jesse Keating <jkeating_at_redhat.com>
> > - rebuilt
> >
> > * Wed Dec 7 2005 Joe Orton <jorton_at_redhat.com> 0.24.7-10
> > - strip unnecessary exports from .la file/neon-config
> >
> > * Tue Nov 8 2005 Tomas Mraz <tmraz_at_redhat.com> 0.24.7-9
> > - rebuilt with new openssl
> >
> > * Fri Sep 23 2005 Joe Orton <jorton_at_redhat.com> 0.24.7-8
> > - restore static libs for rpm
> >
> > * Mon Sep 19 2005 Joe Orton <jorton_at_redhat.com> 0.24.7-7
> > - drop static libs, doc/html from devel docdir
> >
> > * Wed Mar 2 2005 Joe Orton <jorton_at_redhat.com> 0.24.7-6
> > - rebuild
> >
> > * Thu Feb 10 2005 Joe Orton <jorton_at_redhat.com> 0.24.7-5
> > - don't define min() in ne_utils.h (Caolan McNamara, #147228)
> >
> > * Tue Oct 12 2004 Joe Orton <jorton_at_redhat.com> 0.24.7-4
> > - update to GSSAPI code from trunk
> >
> > * Fri Jul 23 2004 Joe Orton <jorton_at_redhat.com> 0.24.7-3
> > - rebuild
> >
> > * Tue Jul 20 2004 Joe Orton <jorton_at_redhat.com> 0.24.7-2.1
> > - rebuild
> >
> > * Tue Jul 6 2004 Joe Orton <jorton_at_redhat.com> 0.24.7-2
> > - devel requires neon of same release, expat-devel (#127330)
> >
> > * Mon Jul 5 2004 Joe Orton <jorton_at_redhat.com> 0.24.7-1
> > - update to 0.24.7
> >
> > * Tue Jun 15 2004 Elliot Lee <sopwith_at_redhat.com>
> > - rebuilt
> >
> > * Wed May 19 2004 Joe Orton <jorton_at_redhat.com> 0.24.6-1
> > - update to 0.24.6
> >
> > * Wed Apr 14 2004 Joe Orton <jorton_at_redhat.com> 0.24.5-2
> > - rebuild
> >
> > * Wed Apr 14 2004 Joe Orton <jorton_at_redhat.com> 0.24.5-1
> > - update to 0.24.5 for CVE CAN-2004-0179 fix
> >
> > * Thu Mar 25 2004 Joe Orton <jorton_at_redhat.com> 0.24.4-4
> > - implement the Negotate auth scheme, and only over SSL
> >
> > * Tue Mar 02 2004 Elliot Lee <sopwith_at_redhat.com>
> > - rebuilt
> >
> > * Wed Feb 25 2004 Joe Orton <jorton_at_redhat.com> 0.24.4-3
> > - use BuildRequires not BuildPrereq, drop autoconf, libtool;
> > -devel requires {openssl,zlib}-devel (#116744)
> >
> > * Fri Feb 13 2004 Elliot Lee <sopwith_at_redhat.com> 0.24.4-2
> > - rebuilt
> >
> > * Mon Feb 9 2004 Joe Orton <jorton_at_redhat.com> 0.24.4-1
> > - update to 0.24.4
> >
> > * Thu Oct 9 2003 Joe Orton <jorton_at_redhat.com> 0.24.3-1
> > - update to 0.24.3
> >
> > * Wed Sep 24 2003 Joe Orton <jorton_at_redhat.com> 0.24.2-1
> > - update to 0.24.2
> >
> > * Tue Jul 22 2003 Nalin Dahyabhai <nalin_at_redhat.com> 0.23.9-7
> > - rebuild
> >
> > * Tue Jun 24 2003 Joe Orton <jorton_at_redhat.com> 0.23.9-6
> > - never print libdir in --libs output
> >
> > * Wed Jun 04 2003 Elliot Lee <sopwith_at_redhat.com>
> > - rebuilt
> >
> > * Tue Jun 3 2003 Joe Orton <jorton_at_redhat.com> 0.23.9-4
> > - don't regenerate docs; limit conflict with subversion
> >
> > * Wed May 28 2003 Jeff Johnson <jbj_at_redhat.com> 0.23.9-3
> > - build.
> >
> > * Sat May 24 2003 Florian La Roche <Florian.LaRoche_at_redhat.de>
> > - add ldconfig to post/postun
> >
> > * Tue May 20 2003 Jeff Johnson <jbj_at_redhat.com> 0.23.9-2
> > - force expat, include neon-config, for subversion build.
> > - do "make check" (but ignore failure for now)
> >
> > * Mon May 19 2003 Jeff Johnson <jbj_at_redhat.com> 0.23.9-1
> > - upgrade to 0.23.9.
> > - avoid xmlto breakage generating man pages for now.
> >
> > * Mon Nov 11 2002 Jeff Johnson <jbj_at_redhat.com> 0.23.5-2
> > - avoid subversion-devel until libxml2 vs. expat is resolved.
> >
> > * Sat Nov 9 2002 Jeff Johnson <jbj_at_redhat.com> 0.23.5-1
> > - Create.
> > ==========================================================
> >
> >
> >> -----Original Message-----
> >> From: Shirish Jain [mailto:lists_at_getafix.net]
> >> Sent: July 23, 2008 2:26 PM
> >> To: Steve Zeng
> >> Subject: Re: linux subversion client with Kerberos
> >>
> >> Steve,
> >>
> >> could you please download the source RPM & extract the 'spec' file
> >> the 'neon.i386 0:0.25.5-5.1' build u r using. It is likely to have been
> >> built with "GSSAPI disabled". Confirm if this is the case.
> >>
> >> ..SJ
> >>
> >> Steve Zeng wrote:
> >>
> >>> Shirish,
> >>>
> >>> Thanks for the steps. I got errors when I run "svn ls" or "svn
> >>> checkout". It seems to me svn client does not know how to handle
> >>> Kerberos communication. Below are the details:
> >>>
> >>>
> >>>> a) linux svn install for client
> >>>>
> >>> Yum install subversion (on centos 5.1 i386 32bit)
> >>>
> >>> Installed: subversion.i386 0:1.4.2-2.el5
> >>>
> >>> Dependency Installed: neon.i386 0:0.25.5-5.1
> >>>
> >>>
> >>>> b) kinit userPrincipalName_at_DOMAIN.FQDN (Domain.fqdn must be all caps),
> >>>> it will ask ur password, please enter ur AD password. User principal
> >>>> name is typically ur user ID that u use to log on to the domain.
> >>>>
> >>>> c) if errors for time skew, sync ur linux client's clock.
> >>>>
> >>>> d) if errors due KDC, edit ur /etc/krb5.conf
> >>>>
> >>>> e) if no errors, do command, klist, it should show a krb5 ticket from ur
> >>>> Active Directory DC
> >>>>
> >>> -bash-3.1$ klist
> >>>
> >>> Ticket cache: FILE:/tmp/krb5cc_1054_Ls3mwz
> >>>
> >>> Default principal: stevez@ EXAMPLE.COM
> >>>
> >>> Valid starting Expires Service principal
> >>>
> >>> 07/23/08 16:42:17 07/24/08 02:42:16 krbtgt/ EXAMPLE.COM @ EXAMPLE.COM
> >>>
> >>> renew until 07/24/08 02:42:17
> >>>
> >>>
> >>>> f) svn ls https://URL/path/to/repo
> >>>>
> >>> svn ls https://officeg3.example.com/svn/repos/
> >>>
> >>> svn: PROPFIND request failed on '/svn/repos'
> >>>
> >>> svn: PROPFIND of '/svn/repos': 401 Authorization Required
> >>> (https://officeg3.example.com)
> >>>
> >>>
> >>>> g) u will need to renew ur ticket using "kinit -R", u can execute this
> >>>> via crontab.
> >>>>
> >>>> Above is also required if you wish to achieve single sign on with say
> >>>> Firefox etc on Linux.
> >>>>
> >>>> should work fine. If issues, provide details.
> >>>>
> >>>> cheers
> >>>>
> >>>> Shirish
> >>>>
> >>>> Steve Zeng wrote:
> >>>>
> >>>>> Hello folks,
> >>>>>
> >>>>> Basically I am looking for a linux subversion client which can do
> >>>>> Kerberos authentication with Windows Active Directory. I've searched the
> >>>>> mail list archive and could not find one. Any help would be highly
> >>>>> appreciated.
> >>>>>
> >>>>> My SVN server is configured as Apache/Kerberos authentication.
> >>>>>
> >>>>> Currently I've successfully got Windows SVN client working.
> >>>>>
> >>>>> <Location /svn>
> >>>>>
> >>>>> DAV svn
> >>>>>
> >>>>> SVNParentPath /var/www/svn/
> >>>>>
> >>>>> AuthzSVNAccessFile /var/www/svn/repos/conf/authz
> >>>>>
> >>>>> SSLRequireSSL
> >>>>>
> >>>>> AuthType Kerberos
> >>>>>
> >>>>> AuthName "Kerberos Login"
> >>>>>
> >>>>> KrbMethodNegotiate On
> >>>>>
> >>>>> KrbMethodK5Passwd Off
> >>>>>
> >>>>> KrbAuthRealms EXAMPLE.COM
> >>>>>
> >>>>> require valid-user
> >>>>>
> >>>>> </Location>
> >>>>>
> >>>>> Below is version of my SVN server and windows client.
> >>>>>
> >>>>> 1) subversion server
> >>>>>
> >>>>> centos 5.1 i386
> >>>>>
> >>>>> subversion-1.4.2
> >>>>>
> >>>>> httpd-2.2.3-11
> >>>>>
> >>>>> mod_auth_kerb-5.1
> >>>>>
> >>>>> 2) Windows Client (working)
> >>>>>
> >>>>> Windows XP SP3
> >>>>>
> >>>>> TortoiseSVN 1.4.0, Build 7501 - 32 Bit , 2006/09/15 21:34:55
> >>>>>
> >>>>> Subversion 1.4.0,
> >>>>>
> >>>>> apr 0.9.12
> >>>>>
> >>>>> apr-iconv 0.9.7
> >>>>>
> >>>>> apr-utils 0.9.12
> >>>>>
> >>>>> berkeley db 4.4.20
> >>>>>
> >>>>> neon 0.25.5
> >>>>>
> >>>>> OpenSSL 0.9.8b 04 May 2006
> >>>>>
> >>>>> Best Regards,
> >>>>>
> >>>>> ---------------------
> >>>>>
> >>>>> Steve Zeng
> >>>>>
> >
> >
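An added example, not part of the original thread: a triage of the two artifacts in the message above, the config.log markers from step 1 and the neon debug trace from step 6. The function names, the outcome labels and the condensed sample trace (including the TOKEN-ELIDED placeholder) are constructed for illustration.

```shell
#!/bin/sh
# Added example: both functions read a file argument or stdin.

# Succeeds only if config.log carries both markers shown in step 1:
# the configure result line and the HAVE_GSSAPI define.
neon_build_has_gssapi() {
    awk '/GSSAPI authentication support enabled/ { a = 1 }
         /^#define HAVE_GSSAPI 1$/               { d = 1 }
         END { exit !(a && d) }' "$@"
}

# Reports how far the Negotiate exchange got in a neon debug trace.
# The outcome labels are hypothetical names chosen for this example.
classify_neon_trace() {
    awk '
        # the status of the last response in the trace decides the outcome
        /^\[status-line\] < HTTP\//            { status = $4 }
        /^\[hdr\] WWW-Authenticate: Negotiate/ { offered = 1 }
        /^gssapi: init_sec_context OK/         { ctx = 1 }
        # an Authorization header only counts after a GSSAPI token was built
        /^Authorization:/                      { if (ctx) sent = 1 }
        END {
            if (status == "")       print "no-response"
            else if (status != 401) print "passed-auth"
            else if (!offered)      print "no-negotiate-challenge"
            else if (!sent)         print "client-sent-no-token"
            else                    print "server-rejected-token"
        }' "$@"
}

# Constructed sample: the trace from the post, condensed to the lines the
# classifier looks at. TOKEN-ELIDED is a placeholder, not a real token.
sample_trace() {
    cat <<'EOF'
[status-line] < HTTP/1.1 401 Authorization Required
[hdr] WWW-Authenticate: Negotiate
Looking for GSSAPI.
gssapi: init_sec_context OK. (major=1)
Authorization: Negotiate TOKEN-ELIDED
[status-line] < HTTP/1.1 401 Authorization Required
ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is (none)
EOF
}

sample_trace | classify_neon_trace   # prints: server-rejected-token
```

For the trace in the post the result is server-rejected-token: the client built a GSSAPI token and sent it, and the second 401 came back with no WWW-Authenticate header. That leaves the Apache side, starting with the ssl_error_log entry from step 5, as the place holding the remaining evidence.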
This is an archived mail posted to the Subversion Users mailing list.