Posted to users@subversion.apache.org by Christopher Mason <Ma...@mayo.edu> on 2005/07/15 03:53:07 UTC

Re: neon, SSPI, and mod_auth_kerb

Hello.

Sorry for the cross-post / reply to self, but I figured out how to 
get subversion to do single sign on / kerberos auth on windows 
against mod_auth_kerb on linux, and maybe this will prevent someone 
else from having to spend an entire day on it.

--On Thursday, July 14, 2005 7:56 PM -0500 Christopher Mason 
<Ma...@mayo.edu> wrote:

> [Thu Jul 14 16:37:27 2005] [error] [client 172.23.155.51]
> gss_accept_sec_context() failed: Miscellaneous failure (Request is
> a replay)

It turns out this is a replay cache issue in mod_auth_kerb 5.0rc4 
(the version that's in Fedora Core 3) that's fixed in rc6.  I'm not 
sure what IE does differently from neon that doesn't tickle it, but 
anyway...

I'm now able to do SSPI/Kerberos/SPNEGO auth from subversion (trunk) 
on WinXP to apache / mod_auth_kerb 5.0rc6 on FC3, no password 
prompting.   Yeah!  Hopefully neon 0.25 will make it into a windows 
subversion release pretty soon, because, frankly, building subversion 
on windows is not for the faint of heart.

If anyone is interested, I can post details on my setup.

> [Thu Jul 14 16:37:52 2005] [error] [client 172.23.155.51]
> gss_accept_sec_context() failed: Miscellaneous failure (Wrong
> principal in request)

This issue (neon SSPI doesn't expand host names in SPNs) still 
exists.  The workaround is to use the FQDN, but I think the fix is a 
pretty short patch.  I'll see if I can code this up tomorrow.

-c

-- 
[ Christopher Mason  MPRC Bioinformatics  http://proteomics ]

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: [neon] Re: neon, SSPI, and mod_auth_kerb

Posted by Joe Orton <jo...@manyfish.co.uk>.
On Thu, Jul 14, 2005 at 10:53:07PM -0500, Christopher Mason wrote:
> >[Thu Jul 14 16:37:52 2005] [error] [client 172.23.155.51]
> >gss_accept_sec_context() failed: Miscellaneous failure (Wrong
> >principal in request)
> 
> This issue (neon SSPI doesn't expand host names in SPNs) still 
> exists.  The workaround is to use the FQDN, but I think the fix is a 
> pretty short patch.  I'll see if I can code this up tomorrow.

There is some discussion of this issue in the neon list archive; the 
issue is AIUI that mod_auth_kerb *does* canonicalize the hostname but 
neon does not.  neon doesn't canonicalize the server hostname in general 
because doing so would break name-based vhosting; I guess it could do so 
solely for use in the Kerberos principal, but that seems a bit dubious.

joe
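
Added example, not part of the thread and not code from neon or mod_auth_kerb: a small triage script that maps the two `gss_accept_sec_context()` failures quoted above to the causes given in this thread, and shows the SPN mismatch between a client that uses the URL host as typed and an acceptor that canonicalizes it. The `HTTP/` service prefix, the host `svn.example.org`, and the `FAKE_DNS` table are assumptions made for illustration.

```python
import re

# Constructed sample: the two error lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
[Thu Jul 14 16:37:27 2005] [error] [client 172.23.155.51] gss_accept_sec_context() failed: Miscellaneous failure (Request is a replay)
[Thu Jul 14 16:37:52 2005] [error] [client 172.23.155.51] gss_accept_sec_context() failed: Miscellaneous failure (Wrong principal in request)
"""

GSS_FAIL = re.compile(r"gss_accept_sec_context\(\) failed: .*\((?P<minor>[^)]*)\)\s*$")

# Hints paraphrase what the thread reports for each minor status.
HINTS = {
    "Request is a replay": "server-side replay cache; check mod_auth_kerb / krb5 versions",
    "Wrong principal in request": "client SPN differs from server principal; use the FQDN in the URL",
}

def classify(log_text):
    """Return (minor status, hint) for each GSS accept failure in an Apache error log."""
    found = []
    for line in log_text.splitlines():
        m = GSS_FAIL.search(line)
        if m:
            minor = m.group("minor")
            found.append((minor, HINTS.get(minor, "unrecognised minor status")))
    return found

def client_spn(url_host):
    """SPN built from the host exactly as typed in the URL (no canonicalization)."""
    return "HTTP/" + url_host

def server_spn(url_host, canonicalize):
    """SPN a canonicalizing acceptor expects; `canonicalize` maps a name to its FQDN."""
    return "HTTP/" + canonicalize(url_host)

def spn_mismatch(url_host, canonicalize):
    """Return (client SPN, server SPN) when they differ, else None."""
    c, s = client_spn(url_host), server_spn(url_host, canonicalize)
    return None if c == s else (c, s)

# Constructed DNS view (placeholder names) so the example runs offline.
FAKE_DNS = {"svn": "svn.example.org", "svn.example.org": "svn.example.org"}

def fake_canon(name):
    return FAKE_DNS.get(name.lower(), name)

if __name__ == "__main__":
    for minor, hint in classify(SAMPLE_LOG):
        print(f"{minor}: {hint}")
    print(spn_mismatch("svn", fake_canon))              # short name in the URL
    print(spn_mismatch("svn.example.org", fake_canon))  # FQDN in the URL
```

On a real host, `socket.getfqdn` can be passed as `canonicalize` in place of `fake_canon`.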


Re: neon, SSPI, and mod_auth_kerb

Posted by Samay <ge...@hotmail.com>.
> Sorry for the cross-post / reply to self, but I figured out how to get 
> subversion to do single sign on / kerberos auth on windows against 
> mod_auth_kerb on linux, and maybe this will prevent someone else from 
> having to spend an entire day on it.
>
> --On Thursday, July 14, 2005 7:56 PM -0500 Christopher Mason 
> <Ma...@mayo.edu> wrote:
>
>> [Thu Jul 14 16:37:27 2005] [error] [client 172.23.155.51]
>> gss_accept_sec_context() failed: Miscellaneous failure (Request is
>> a replay)
>
> It turns out this is a replay cache issue in mod_auth_kerb 5.0rc4 (the 
> version that's in Fedora Core 3) that's fixed in rc6.  I'm not sure what 
> IE does differently from neon that doesn't tickle it, but anyway...
>

G'day,
The above specific error ("request is a replay") resurfaces with Apache 
2.0.54-r12, mod_auth_kerb 5.0_rc6 & mit-krb5 1.4.1. I tested it on a Gentoo 
server against Microsoft Win2k Active Directory. Downgrading to mit-krb5 
1.3.6-r3 seems to fix the issue.

Not sure if it's Gentoo-specific.

regards,
S. 
