Re: Cannot negotiate authentication mechanism

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: Thu, 21 Aug 2008 08:54:02 -0500

On 2008-08-20 17:38, François Lemaire wrote:
> Hello again Alec,
>
> I have changed min-encryption and max-encryption, it doesn't seem to change
> anything. I don't get anything in my ticket cache, but if I try using kinit
> and kgetcred, it works. I have used strace to trace what happens with
> svnserve, and I see this:
>
> open("/usr/lib/sasl2/svn.conf", O_RDONLY) = 3
> fstat(3, {st_mode=S_IFREG|0777, st_size=42, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f23e6816000
> read(3, "mech_list: GSSAPI\nkeytab: /etc/sv"..., 4096) = 42
> read(3, ""..., 4096) = 0
> close(3) = 0
> munmap(0x7f23e6816000, 4096) = 0
> getuid() = 0
> geteuid() = 0
> getgid() = 0
> getegid() = 0
> open("/usr/lib/sasl2", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
>
> and then later:
>
> access("/etc/svn.keytab", R_OK) = 0
> open("/etc/gss/mech", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0644, st_size=69, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbf3c602000
> read(4, "krb5_mech 1.2.840.113554.1."..., 1024) = 69
> read(4, ""..., 1024) = 0
> close(4) = 0
> munmap(0x7fbf3c602000, 4096) = 0
> getuid() = 0
> geteuid() = 0
> getgid() = 0
> getegid() = 0
> open("/etc/krb5.conf", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0644, st_size=1058, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbf3c602000
> read(4, "[libdefaults]\n\tdefault_realm = AC"..., 1024) = 1024
> read(4, " = true\n\tkrb4_get_tickets = false"..., 1024) = 34
>
> Any more ideas?

Hrm... to my eye everything looks pretty good. This is a long
shot, but is there any chance you have two different versions of
Kerberos around, causing either the GSSAPI libraries to not load
correctly in the client or the server or causing the server to not
like /etc/svn.keytab?

Unfortunately, I've found when GSSAPI apps start to misbehave like
this I have to start adding diagnostics into source code... :(
Maybe someone with more GSSAPI/Kerberos foo knows easier ways to
debug things.

-- 
Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956

Received on 2008-08-21 15:54:50 CEST
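
One way to test the "two different versions of Kerberos" theory raised in the reply above, as an added example that is not part of the original mail or of Subversion: feed `ldd` output for svnserve and the SASL GSSAPI plugin through a check that reports when Kerberos/GSSAPI libraries resolve from more than one directory. The svnserve path, the script name and the sample `ldd` lines are assumptions constructed for illustration; `libgssapiv2.so` is the usual Cyrus SASL GSSAPI plugin name.

```bash
#!/usr/bin/env bash
# Added example: spot mixed Kerberos/GSSAPI installs in `ldd` output.

# Constructed sample: plugin resolving libkrb5 from a second install prefix.
SAMPLE_LDD='	libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00007f0000001000)
	libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x00007f0000002000)
	libc.so.6 => /lib/libc.so.6 (0x00007f0000003000)'

# Read ldd output on stdin; print each distinct directory that Kerberos or
# GSSAPI libraries resolve from, or MISSING for one the loader cannot find.
krb_lib_dirs() {
    awk '
        $1 ~ /^lib(krb5|gssapi|k5crypto)/ {
            if ($0 ~ /not found/) { print "MISSING"; next }
            if ($2 == "=>" && substr($3, 1, 1) == "/") {
                dir = $3; sub("/[^/]*$", "", dir); print dir
            }
        }' | sort -u
}

# Return 0 if every Kerberos/GSSAPI library comes from one directory.
check_krb_consistency() {
    local dirs count
    dirs=$(krb_lib_dirs)
    count=$(printf '%s\n' "$dirs" | awk 'NF { n++ } END { print n + 0 }')
    if printf '%s\n' "$dirs" | grep -qx MISSING; then
        echo "unresolved Kerberos/GSSAPI library"
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "Kerberos libraries loaded from multiple locations:"
        printf '  %s\n' $dirs
        return 1
    fi
    echo "consistent: ${dirs:-no Kerberos libraries linked}"
}

# Usage: pass every binary and plugin involved, for example
#   ./krbcheck.sh /usr/bin/svnserve /usr/lib/sasl2/libgssapiv2.so
if [ "$#" -gt 0 ]; then
    for bin in "$@"; do ldd "$bin"; done | check_krb_consistency
fi
```

Run it on both the client and the server host; a non-zero exit means the loader is mixing Kerberos installs or cannot find one of the libraries.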

This is an archived mail posted to the Subversion Users mailing list.