Cannot negotiate authentication mechanism
From: François Lemaire <flemaire_at_activsoft.fr>
Date: Tue, 19 Aug 2008 17:18:33 +0200
I have been using subversion successfully for several years now, with svnserve, and now I would like to use my windows domain to authenticate users. I have first set up an Apache module above my existing installation; I have been able to make kerberos authentication on Apache work using a web browser, but it doesn't work in svn clients (either command line or tortoisesvn). Then, I have seen that with version 1.5, I could use SASL with svnserve and authenticate against my windows domain. Thus, I have installed another subversion server with version 1.5, and set up svnserve to use kerberos, but all svn clients tell me "Cannot negotiate authentication mechanism".
My svn clients correctly load saslgssapi.dll and all its friends from MIT Kerberos. I have tried to watch network packets between the client and the server, and I don't see what is supposed to be there according to the SVN protocol: I see 2 empty frames both ways, than an edit-pipeline frame from my server, an edit-pipeline from my client with the repository I'm trying to browse, then an empty frame from my server, followed by a frame containing GSSAPI and my domain name, then some empty frames both ways, and the communication ends. No greeting, no auth-request.
I have tried to access using a remote client and the svn client installed on the server, same result.
Server: Debian lenny, everything installed with apt-get. Subversion: 1.5.1 r32289 compiled 07/24/2008 Kerberos : Heimlan Kerberos 1.3-1 SASL: Cyrus SASL 2.1.22.dfsg1-21
Client: Windows XP SP2, CollabNet Subversion 18.104.22.168289, MIT Kerberos 22.214.171.124.
I can send any configuration file or network trace needed.
This is an archived mail posted to the Subversion Users mailing list.