Karl M. Davis wrote:
> Sorry for the double-posting there-- didn't think my first message had gone through. Anywho, I got some help from #apache channel and managed to get backtraces for these segfaults. It actually looks like it's an issue with modauthkerb. I posted on the modauthkerb-help list here:
> One thing I find interesting is that from the backtraces, it seems modauthkerb is being called over and over for each file of a given checkout: it always fails at a different point in the checkout operation and I see a lot of init_creds and destroy_creds calls in those backtraces. If this is an intermittent problem with modauthkerb or libkerb it might be mitigated quite a bit if they were only called once per checkout/update operation...
If you're seeing one kerberos request per file, then you're using
kerberos on apache as a 'client' - i.e its taking a username and
password, trying to get a ticket, and if it succeeds it authorises that
file action. This is a perfectly acceptable way of using mod_auth_kerb,
but goes against the whole principle of how to use kerberos.
A better option is to use kerberos tickets, and GSSAPI through
mod_auth_kerb - however this relies on a few extra things, like having a
keytab for your subversion server, and some limitation on using svn from
Windows (no MIT krb support in the pre-compield windows svn binaries, so
no option to use a ticket unless you logged into an Active Directory
In terms of apache config, you'll need to set something like:
Note that Krb5ServiceName MUST have HTTP in capitals in your keytab!
This one got me the last time I set this up...
(you'll also need to load mod_auth_kerb, create a keytab etc - but
there's plenty of docs on this process elsewhere online...)
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
Received on 2009-01-14 17:28:50 CET