[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Cannot negotiate authentication mechanism

From: Alec Kloss <Alec.Kloss_at_oracle.com>
Date: Tue, 19 Aug 2008 10:45:00 -0500

On 2008-08-19 17:18, François Lemaire wrote:
> Hello all,
> I have been using subversion successfully for several years now, with svnserve, and now I would like to use my windows domain to authenticate users. I have first set up an Apache module above my existing installation; I have been able to make kerberos authentication on Apache work using a web browser, but it doesn't work in svn clients (either command line or tortoisesvn). Then, I have seen that with version 1.5, I could use SASL with svnserve and authenticate against my windows domain. Thus, I have installed another subversion server with version 1.5, and set up svnserve to use kerberos, but all svn clients tell me "Cannot negotiate authentication mechanism".
> My svn clients correctly load saslgssapi.dll and all its friends from MIT Kerberos. I have tried to watch network packets between the client and the server, and I don't see what is supposed to be there according to the SVN protocol: I see 2 empty frames both ways, than an edit-pipeline frame from my server, an edit-pipeline from my client with the repository I'm trying to browse, then an empty frame from my server, followed by a frame containing GSSAPI and my domain name, then some empty frames both ways, and the communication ends. No greeting, no auth-request.
> I have tried to access using a remote client and the svn client installed on the server, same result.
> Versions:
> Server: Debian lenny, everything installed with apt-get. Subversion: 1.5.1 r32289 compiled 07/24/2008 Kerberos : Heimlan Kerberos 1.3-1 SASL: Cyrus SASL 2.1.22.dfsg1-21
> Client: Windows XP SP2, CollabNet Subversion, MIT Kerberos
> I can send any configuration file or network trace needed.
> Thanks,
> François Lemaire

First, re-double-check your SASL/GSSAPI configuration. You need the
svn/hostname.domainname principal stashed in a keytab somewhere. You also need
to let sasl know where to find the keytab by editing
<SASLCONFDIR>/sasl2/svn.conf to contain:

mech_list: GSSAPI
keytab: /path/to/keytab

If all that's correct, I'd bet you have max-encryption set too high
in svnserve.conf. To use GSSAPI, you should set max-encryption=56
(or less). My understanding is that this has nothing to do with
the security of the session (well, except for max-encryption = 0 or
max-encryption =1) because GSSAPI uses the keytypes to determine
the encryption algorithm (I found a RFC somewhere that said that,
and hacked up heimdal on the server side to chatter loudly about
the encryption used in GSSAPI).

Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956

  • application/pgp-signature attachment: stored
Received on 2008-08-19 19:45:56 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.