
Re: SVN authz crashes

From: Matthew Richardson <M.Richardson_at_ed.ac.uk>
Date: Wed, 14 Jan 2009 16:27:28 +0000

Karl M. Davis wrote:
> Sorry for the double-posting there-- didn't think my first message had gone through. Anywho, I got some help from #apache channel and managed to get backtraces for these segfaults. It actually looks like it's an issue with modauthkerb. I posted on the modauthkerb-help list here:
> http://sourceforge.net/mailarchive/forum.php?thread_name=30504439.2581231894457538.JavaMail.root%40piers&forum_name=modauthkerb-help
>
> One thing I find interesting is that from the backtraces, it seems modauthkerb is being called over and over for each file of a given checkout: it always fails at a different point in the checkout operation and I see a lot of init_creds and destroy_creds calls in those backtraces. If this is an intermittent problem with modauthkerb or libkerb it might be mitigated quite a bit if they were only called once per checkout/update operation...
>
>

If you're seeing one kerberos request per file, then you're using
kerberos on apache as a 'client' - i.e. it's taking a username and
password, trying to get a ticket, and if it succeeds it authorises that
file action. This is a perfectly acceptable way of using mod_auth_kerb,
but goes against the whole principle of how to use kerberos.

A better option is to use kerberos tickets, and GSSAPI through
mod_auth_kerb - however this relies on a few extra things, like having a
keytab for your subversion server, and some limitation on using svn from
Windows (no MIT krb support in the pre-compiled windows svn binaries, so
no option to use a ticket unless you logged into an Active Directory
Domain).

In terms of apache config, you'll need to set something like:

<Location /svn/repository>
DAV svn
SVNPath "//storage/svn/repos/repository"

AuthType Kerberos
KrbMethodK5Passwd off
KrbMethodNegotiate on
Krb5Keytab /etc/httpd/conf/svn.example.com.keytab
KrbServiceName HTTP/svn.example.com@EXAMPLE.REALM.COM
KrbAuthRealms EXAMPLE.REALM.COM

AuthName "Login"
AuthzSVNAccessFile /storage/svn/auth/repository
require valid-user
</Location>

Note that Krb5ServiceName MUST have HTTP in capitals in your keytab!
This one got me the last time I set this up...

(you'll also need to load mod_auth_kerb, create a keytab etc - but
there's plenty of docs on this process elsewhere online...)

Matthew

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
Received on 2009-01-14 17:28:50 CET
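
Added example, not part of the original message: a small Python check for the two points made above, that password fallback is off with Negotiate on, and that the KrbServiceName principal exists in the keytab with HTTP in capitals. The config block and the `klist -k` listing are constructed samples, the function names are hypothetical, and the listing format assumed is the MIT `klist -k` layout (KVNO, then principal).

```python
import re

# Constructed sample: <Location> block modelled on the config in the message.
SAMPLE_CONF = """\
<Location /svn/repository>
AuthType Kerberos
KrbMethodK5Passwd off
KrbMethodNegotiate on
Krb5Keytab /etc/httpd/conf/svn.example.com.keytab
KrbServiceName HTTP/svn.example.com@EXAMPLE.REALM.COM
</Location>
"""

# Constructed sample of `klist -k` output whose service part is lower-case.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/httpd/conf/svn.example.com.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 http/svn.example.com@EXAMPLE.REALM.COM
"""

def parse_directives(conf):
    """Return {lower-cased directive: value} for the Krb* lines of a block."""
    found = re.finditer(r"^[ \t]*(Krb\w+)[ \t]+(\S.*?)[ \t]*$", conf, re.M | re.I)
    return {m.group(1).lower(): m.group(2).strip('"') for m in found}

def keytab_principals(klist_output):
    """Extract principals from lines of the form '<kvno> <name>@<REALM>'."""
    return re.findall(r"^[ \t]*\d+[ \t]+(\S+@\S+)[ \t]*$", klist_output, re.M)

def audit(conf, klist_output):
    """Return a list of findings; an empty list means every check passed."""
    d, findings = parse_directives(conf), []
    # Assumption: both methods count as 'on' when the directive is absent.
    if d.get("krbmethodk5passwd", "on").lower() != "off":
        findings.append("KrbMethodK5Passwd is not off: password fallback enabled")
    if d.get("krbmethodnegotiate", "on").lower() != "on":
        findings.append("KrbMethodNegotiate is not on: ticket auth disabled")
    svc = d.get("krbservicename")
    if svc is None:
        findings.append("KrbServiceName is not set")
        return findings
    if not svc.startswith("HTTP/"):
        findings.append("KrbServiceName does not start with upper-case HTTP/")
    principals = keytab_principals(klist_output)
    if svc not in principals:
        if any(p.lower() == svc.lower() for p in principals):
            findings.append("keytab principal differs from %s only by case" % svc)
        else:
            findings.append("keytab has no key for %s" % svc)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, SAMPLE_KLIST)) or "OK")
```

In practice the second argument would be the captured output of `klist -k` run against the file named in Krb5Keytab.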

This is an archived mail posted to the Subversion Users mailing list.
