Re: Apache+Kerberos+SVN works with IE repo browser, but not Chrome or TSVN ???

From: ken edward <kedward777_at_gmail.com>
Date: Fri, 18 Dec 2015 14:27:24 -0500

Thank you Philip,

Per your info, I applied subversion 1.8.15 and rebuilt my apache subversion
server. I am still seeing the same issue. MSIE browser can navigate
repository via kerberos, but Chrome and TSVN will only return credentials
for the root of the repo. TSVN does not return credentials for URLS within
the repo, as shown below in a comparison between TSVN and MSIE clients.

TSVN (authentication denied):

[Fri Dec 18 14:14:59.433207 2015] [ssl:info] [pid 44383] [client
133.4.86.222:55652] AH01964: Connection to child 6 established (server
itest04.vexor.com:7100)
[Fri Dec 18 14:14:59.433586 2015] [ssl:debug] [pid 44383]
ssl_engine_kernel.c(1931): [client 133.4.86.222:55652] AH02043: SSL virtual
host for servername itest04.vexor.com found
[Fri Dec 18 14:14:59.480634 2015] [ssl:debug] [pid 44383]
ssl_engine_kernel.c(1855): [client 133.4.86.222:55652] AH02041: Protocol:
TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Fri Dec 18 14:14:59.481564 2015] [ssl:debug] [pid 44383]
ssl_engine_kernel.c(238): [client 133.4.86.222:55652] AH02034: Initial
(No.1) HTTPS request received for child 6 (server itest04.vexor.com:7100)
[Fri Dec 18 14:14:59.481687 2015] [authz_svn:debug] [pid 44383]
subversion/mod_authz_svn/mod_authz_svn.c(439): [client 133.4.86.222:55652]
Path to authz file is
/usr/local/scm/apache2.4.17kerb/conf/accessControl.conf
[Fri Dec 18 14:14:59.482223 2015] [authz_core:debug] [pid 44383]
mod_authz_core.c(806): [client 133.4.86.222:55652] AH01626: authorization
result of Require valid-user : denied (no authenticated user yet)
[Fri Dec 18 14:14:59.482242 2015] [authz_core:debug] [pid 44383]
mod_authz_core.c(806): [client 133.4.86.222:55652] AH01626: authorization
result of <RequireAny>: denied (no authenticated user yet)
[Fri Dec 18 14:14:59.482958 2015] [ssl:info] [pid 44383] (70014)End of file
found: [client 133.4.86.222:55652] AH01991: SSL input filter read failed.
[Fri Dec 18 14:14:59.483000 2015] [ssl:debug] [pid 44383]
ssl_engine_io.c(1003): [client 133.4.86.222:55652] AH02001: Connection
closed to child 6 with standard shutdown (server itest04.vexor.com:7100)

MSIE (authenticates good)

[Fri Dec 18 14:20:46.254122 2015] [auth_kerb:debug] [pid 44368]
src/mod_auth_kerb.c(1250): [client 133.5.86.222:55666] Acquiring creds for
HTTP/itest04.vexor.com_at_CAMPUS.VEXOR.COM, referer:
https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.257059 2015] [auth_kerb:debug] [pid 44368]
src/mod_auth_kerb.c(1395): [client 133.5.86.222:55666] Verifying client
data using KRB5 GSS-API , referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.258142 2015] [auth_kerb:debug] [pid 44368]
src/mod_auth_kerb.c(1411): [client 133.5.86.222:55666] Client didn't
delegate us their credential, referer:
https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.258163 2015] [auth_kerb:debug] [pid 44368]
src/mod_auth_kerb.c(1430): [client 133.5.86.222:55666] GSS-API token of
length 167 bytes will be sent back, referer:
https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.258675 2015] [auth_kerb:debug] [pid 44368]
src/mod_auth_kerb.c(1544): [client 133.5.86.222:55666]
kerb_authenticate_a_name_to_local_name smandy_at_CAMPUS.VEXOR.COM -> smandy,
referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.258704 2015] [authz_svn:debug] [pid 44368]
subversion/mod_authz_svn/mod_authz_svn.c(439): [client 133.5.86.222:55666]
Path to authz file is
/usr/local/scm/apache2.4.17kerb/conf/accessControl.conf, referer:
https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.259500 2015] [authz_svn:info] [pid 44368] [client
133.5.86.222:55666] Access granted: 'smandy' GET cm_repo1:/testproj,
referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.260458 2015] [authz_core:debug] [pid 44368]
mod_authz_core.c(806): [client 133.5.86.222:55666] AH01626: authorization
result of Require valid-user : denied (no authenticated user yet), referer:
https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.260480 2015] [authz_core:debug] [pid 44368]
mod_authz_core.c(806): [client 133.5.86.222:55666] AH01626: authorization
result of <RequireAny>: denied (no authenticated user yet), referer:
https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.260490 2015] [auth_kerb:debug] [pid 44368]
src/mod_auth_kerb.c(1638): [client 133.5.86.222:55666]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos,
referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.260497 2015] [auth_kerb:debug] [pid 44368]
src/mod_auth_kerb.c(1576): [client 133.5.86.222:55666] matched previous
auth request, referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.261386 2015] [auth_kerb:debug] [pid 44368]
src/mod_auth_kerb.c(1544): [client 133.5.86.222:55666]
kerb_authenticate_a_name_to_local_name smandy_at_CAMPUS.VEXOR.COM -> smandy,
referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.261414 2015] [authz_svn:debug] [pid 44368]
subversion/mod_authz_svn/mod_authz_svn.c(439): [client 133.5.86.222:55666]
Path to authz file is
/usr/local/scm/apache2.4.17kerb/conf/accessControl.conf, referer:
https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.261438 2015] [authz_svn:info] [pid 44368] [client
133.5.86.222:55666] Access granted: 'smandy' GET cm_repo1:/testproj/myfile,
referer: https://itest04.vexor.com:7100/cm_repo1/

MY BUILD

Fri Dec 18 13:57:33.757795 2015] [ssl:info] [pid 44292] AH01876:
mod_ssl/2.4.17 compiled against Server: Apache/2.4.17, Library:
OpenSSL/1.0.2a
[Fri Dec 18 13:57:33.759275 2015] [mpm_prefork:notice] [pid 44292] AH00163:
Apache/2.4.17 (Unix) mod_auth_kerb/5.4 OpenSSL/1.0.2a SVN/1.8.15 configured
-- resuming normal operations
[Fri Dec 18 13:57:33.759296 2015] [mpm_prefork:info] [pid 44292] AH00164:
Server built: Dec 17 2015 14:22:22

On Fri, Dec 18, 2015 at 12:15 PM, Philip Martin <philip.martin_at_wandisco.com>
wrote:

> ken edward <kedward777_at_gmail.com> writes:
>
> > I installed
> > Subversion 1.8.14
> > Apache 2.4.17
> > mod_auth_kerb-5.4
>
> > 133.16.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS
> > /cm_repo1/testprojHTTP/1.1"
> > 401 38
>
> 1.8.14 has a bug that affects 3rd party authn modules such as
> mod_auth_kerb and mod_auth_ldap. This bug causes Apache to return 401
> responses without a WWW-Authenticate header and this means clients do
> not attempt to authenticate. 1.8.15 as a fix for this bug.
>
> --
> Philip Martin
> WANdisco
>
Received on 2015-12-18 20:27:44 CET

This message: [ Message body ]
Next message: Philip Martin: "Re: Apache+Kerberos+SVN works with IE repo browser, but not Chrome or TSVN ???"
Previous message: Philip Martin: "Re: Apache+Kerberos+SVN works with IE repo browser, but not Chrome or TSVN ???"
In reply to: Philip Martin: "Re: Apache+Kerberos+SVN works with IE repo browser, but not Chrome or TSVN ???"
Next in thread: Philip Martin: "Re: Apache+Kerberos+SVN works with IE repo browser, but not Chrome or TSVN ???"
Reply: Philip Martin: "Re: Apache+Kerberos+SVN works with IE repo browser, but not Chrome or TSVN ???"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]