[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Cannot negotiate authentication mechanism

From: Alec Kloss <Alec.Kloss_at_oracle.com>
Date: Wed, 20 Aug 2008 06:39:47 -0500

On 2008-08-20 13:03, François Lemaire wrote:
> Hello Alec,
>
> thanks for answering me. I have checked, double checked and triple checked my SASL/GSSAPI configuration, and it still doesn't work. Here is the content of my configuration files:
>
> /usr/lib/sasl2/svn.conf:
>
> mech_list: GSSAPI
> keytab: /etc/svn.keytab
>
> /etc/svn.keytab:
>
> svn/TUX.ACTIVSOFT.SKOLIA.COM_at_ACTIVSOFT.SKOLIA.COM
>
> /etc/krb5.conf:
>
> [libdefaults]
> default_realm = ACTIVSOFT.SKOLIA.COM
> ticket_lifetime=24000
> dns_lookup_realm=false
> dns_lookup_kdc=false
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
>
> [realms]
> ACTIVSOFT.SKOLIA.COM = {
> kdc = 192.168.0.1:88
> }
>
> [domain_realm]
> .activsoft.skolia.com =ACTIVSOFT.SKOLIA.COM
> activsoft.skolia.com =ACTIVSOFT.SKOLIA.COM
> [appdefaults]
> pam={
> debug=false
> ticket_lifetime=36000
> renew_lifetime=36000
> forwardable=true
> krb4_convert=false
> }
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
> /usr/local/svn/test/conf/svnserve.conf:
>
> [general]
> anon-access =none
> auth-access = write
> realm = ACTIVSOFT.SKOLIA.COM
>
> [sasl]
> use-sasl = true
> min-encryption = 0
> max-encryption = 0
>
> All acces rights are OK to me, and Apache authentication works.
>
> Thanks,
>
> François Lemaire

Have you tried changing min-encryption and max-encryption? My
setup works with min-encryption = 56 and max-encryption = 256.
When you try to connect, do you get a svn/... ticket in your ticket
cache? I think I'd use your favorite process monitor to watch
svnserve to make sure it's reading /usr/lib/sasl2/svn.conf and then
reading the keytab. Sometimes it *seems* like different Kerberos
implementations do slightly different things in creating keytabs so
you should try to use a tool that matches whatever svnserve is
linked against to create the keytab. 

-- 
Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956

  • application/pgp-signature attachment: stored
Received on 2008-08-20 13:40:28 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.