svnserve with SASL and two Kerberos realms

From: Victor Sudakov <sudakov_at_sibptus.tomsk.ru>
Date: Sun, 13 Mar 2016 17:34:48 +0600

Dear Colleagues:

I have two Kerberos realms: SIBPTUS.RU and SIBPTUS.TOMSK.RU with
mutual trust.

svnserve is configured to use Kerberos:

[general]
anon-access = none
auth-access = write
realm = SIBPTUS.RU
#realm = SIBPTUS.TOMSK.RU
#realm = GSS_C_NO_NAME
#realm = GSS_C_NO_CREDENTIAL
[sasl]
use-sasl = true

If I uncomment the 'realm = SIBPTUS.TOMSK.RU' line, svnserve does not
authenticate users from the SIBPTUS.RU realm, and vice versa:

svn: E170013: Unable to connect to a repository at URL 'XXXXXXXXXXXXXXXXXXXXXX
svn: E170001: Authentication error from server: SASL(-5): bad protocol / cancel: security flags do not match required

Can I configure svnserve/SASL to authenticate clients from both
realms? It would be great if svnserve considers john_at_SIBPTUS.RU and
john_at_SIBPTUS.TOMSK.RU different users (from the point of view of
logging etc).

I have tried GSS_C_NO_NAME and GSS_C_NO_CREDENTIAL as realm names,
without any success.

I am using this setup (two realms) very successfully with sshd (via
the ~/.k5login mechanism) and with the squid kerberos helper which
does not care about the realm and just passes user_at_REALM to squid
itself. Only svnserve seems to be a problem.

Thanks in advance for any input.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov_at_sibptus.tomsk.ru

Received on 2016-03-13 12:35:03 CET

This message: [ Message body ]
Next message: Victor Sudakov: "Re: svnserve with SASL and two Kerberos realms"
Previous message: Victor Sudakov: "Re: Cannot load partial dump"
Next in thread: Victor Sudakov: "Re: svnserve with SASL and two Kerberos realms"
Reply: Victor Sudakov: "Re: svnserve with SASL and two Kerberos realms"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]