You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Walter Nicholls <wa...@cornerstone.co.nz> on 2003/07/25 06:00:59 UTC

Apache 2 and Windows domain authentication - authorization failure (almost certainly a bug?)

I'm unable to get Subversion clients to authenticate properly against an
Apache server, using Windows Domain authentication. A web browser works
ok. Basic authentication works ok. Files other than subversioned ones
work ok.

Could this be a bug (perhaps in Neon?). I don't have enough familiarity
with the code bits and pieces to be sure where the problem is, but the
information in the Apache logs is pretty damning.

More detail follows 

====== Installation ======
I've pretty much followed
http://tortoisesvn.tigris.org/serverinstall.html to the letter. 
   Windows 2000 server (SP2), is a domain controller.
   Apache 2.0.47  (no SSL) with mod_auth_sspi
   Subversion 0.25.0r6433
   Repository in F:\SVN\  (cd F:\SVN; svnadmin create test etc)

====== Test #1  - local file: access - OK ======
Using svn client ON THE SERVER with file:///path/to/repos  works fine,
can checkout, commit (rememberring current drive letter issues)

====== Test #2 - remote access using http+basic auth - OK ======
Apache is configured as follows:
 <Location /svn>
   DAV svn
   SVNParentPath "f:/svn"
   AuthName "Subversion repositories"
   AuthType basic
   AuthUserFile "f:/svn/svn_passwd"
   Require valid-user
 </Location>

Using svn command-line client on a remote windows box, or TortoiseSVN,
can checkout, commit ok.

Looking at Apache access.log, access from a web browser looks like this
192.168.80.64 - walter [25/Jul/2003:17:46:24 +1200] "GET
/svn/test/trunk/ HTTP/1.1" 200 338

svn update --username walter --password WhatIPutInPasswdFile
192.168.80.64 - walter [25/Jul/2003:17:45:16 +1200] "PROPFIND
/svn/test/trunk HTTP/1.1" 207 606
192.168.80.64 - walter [25/Jul/2003:17:45:16 +1200] "REPORT
/svn/test/!svn/vcc/default HTTP/1.1" 200 323

OK so far...

====== Test #3 - remote access using http+NTLM auth - NOT OK ======
Apache configured:
 <Location /svn>
   DAV svn
   SVNParentPath "f:/svn"
   AuthName "Subversion repositories"
   AuthType SSPI
   SSPIAuth On
   SSPIAuthoritative On
#   SSPIDomain xyz - doesn't seem to make any difference
   Require valid-user
 </Location>

Now trying:
  C:\work\test\trunk>svn update
  svn: Authorization failed
  svn: PROPFIND request failed on '/svn/test/trunk'
  svn: PROPFIND of '/svn/test/trunk': authorization failed
(http://svn.csl)

None of these work either
  svn update --username walter
  svn update --username csl\walter
  svn update --username walter  --password MyRealDomainPassword
  svn update --username csl\\walter  --password MyRealDomainPassword
(and just about every other combination thereof. Note variation on
csl\walter vs csl\\walter)

Same sort of problems with TortoiseSVN - and it asks for password (left
over from test#2) and then retries asking for username+password, so it
isn't a cached-password issue.

Apache access log is the interesting one. 
An access using a web browser (Mozilla firebird as it happens):
192.168.80.64 - CSL\\Walter [25/Jul/2003:17:41:33 +1200] "GET
/svn/test/trunk/ HTTP/1.1" 200 338

But an access using svn update:
192.168.80.64 - - [25/Jul/2003:17:42:38 +1200] "PROPFIND /svn/test/trunk
HTTP/1.1" 401 512

Note two things: No sign of user name, and 401 error result

However if I use the same authentication method to protect a perl
script, I get this:
192.168.80.64 - csl\\walter [25/Jul/2003:17:46:50 +1200] "GET
/cgi-bin/whoami.pl HTTP/1.1" 200 275

(and the perl script in question prints 'you appear to be user "walter"
on domain "csl"' as expected)

====== Test #4 - require auth for commits only ======
Don't think this demonstrates anything not already quite clear, but for
completeness...

If I change
   Require valid-user
to 
   <LimitExcept GET PROPFIND OPTIONS REPORT>
     Require valid-user
   </LimitExcept>

Then, fairly predictably, svn update, svn checkout etc work; svn commit
fails with similar error:

C:\work\test\trunk>svn commit --message "blah blah"
svn: Authorization failed
svn: Commit failed (details follow):
svn: MKACTIVITY of
/svn/test/!svn/act/a6cf85f6-94c6-834a-84da-52f08b2b2e29: authorization
failed (http://svn.csl)

======= Summary ======
Since Web browser + SSPI authentication to whoami.pl works, and shows my
user name in the access log, but
 Web browser + SSPI authentaction to subversion Does not work, and does
not show my user name in the access log

I conclude it is Subversion's fault. Should this be posted to DEV then?
<g>

Any comments totally and utterly welcome. I'd love to solve this so I
can move on (turn on https, get a real project running etc). I can
provide more detail if the above isn't already totally OTT, although I'd
prefer specific requests for specific config items, or a 'try this'
rather than 'send me all of httpd.conf' kind of thing.

TIA for any help.


--------------------
Walter Nicholls (walter.nicholls@cornerstone.co.nz)
Technology Manager
Cornerstone Software Ltd (www.cornerstone.co.nz)
 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Apache 2 and Windows domain authentication - authorization failure (almost certainly a bug?)

Posted by Michael Wood <mw...@its.uct.ac.za>.

On Fri, Jul 25, 2003 at 06:00:59PM +1200, Walter Nicholls wrote:
[snip]
> ======= Summary ======
> Since Web browser + SSPI authentication to whoami.pl works, and shows my
> user name in the access log, but
>  Web browser + SSPI authentaction to subversion Does not work, and does
   ^^^^^^^^^^^

I assume you mean Subversion client.

> not show my user name in the access log
> 
> I conclude it is Subversion's fault. Should this be posted to DEV then?
> <g>

Probably.  Or maybe the neon list.

> Any comments totally and utterly welcome. I'd love to solve this so I
> can move on (turn on https, get a real project running etc). I can
[snip]

I'm guessing either neon or Subversion just doesn't support that
authentication method.

-- 
Michael Wood <mw...@its.uct.ac.za>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Apache 2 and Windows domain authentication - authorization failure (almost certainly a bug?)

Posted by Daniel Stenberg <da...@haxx.se>.

On Fri, 25 Jul 2003, Walter Nicholls wrote:

> ====== Test #3 - remote access using http+NTLM auth - NOT OK ======

AFAIK, neon doesn't support NTLM.

I'm planning to offer my help on making it reality in neon, if time permits
me, as I've recently made libcurl support it...

-- 
      Daniel Stenberg - http://daniel.haxx.se - +46-705-44 31 77
   ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org