Posted to users@subversion.apache.org by Samay <ge...@hotmail.com> on 2006/04/20 12:41:07 UTC

Re: Negotiate Authentication Broken with Subversion 1.3.0

G'day,

IMO the following is probably a bug/limitation wrt Neon's SPNEGO feature. A recipe 
to reproduce it is provided below (some bits from the original poster).

If you need more details, feel free to ask. Any suggested workarounds?

regards

Shirish

>>
The SVN Server
-------- 
OS: Gentoo
URL: https://svn.my.realm/repos/
mit-krb5-1.4.3
apache2 2.0.55
subversion 1.3.1  (mod_dav_svn, svnAuthz)
mod-auth-kerb 5.0-rc7 + workaround for the 'request is replay' issue with 
mit-krb5 1.4.3


    AuthType Kerberos
    KrbAuthRealms MY.REALM
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Krb5Keytab keytab_file
    require valid-user


Linux Terminal Server 2
-----------------------
OS: Gentoo
mit-krb5 1.4.3
Subversion 1.3.1 + neon 0.25.5

Client 1
-------- 
OS: Windows XP SP2  (member of MY.REALM domain)
SVN 1.3.1 with Neon 0.25.5

Client 2
-------- 
The subversion client on server 2 in a terminal session
>>

Client 1 .. works fine.
Client 2 .. Firefox works, SVN doesn't for the same SVN repo URL. Following 
steps:

1. Firefox --> about:config --> config string 
"network.negotiate-auth.trusted-uris" set to https://.my.realm ... close 
firefox
2. kinit myuser@MY.REALM
3. Firefox  https://svn.my.realm/repos .... works fine.
4. kinit -R  (renews the ticket)
5. someuser@server2 ~/repos $ svn up
svn: PROPFIND request failed on '/repos'
svn: PROPFIND of '/repos': authorization failed (https://svn.my.realm)

Certainly not a server-side issue, as Firefox works just fine with correct 
authenticated access. Expected behavior for the SVN client is to use the 
existing, already issued krb ticket from MY.REALM for authentication and 
fulfill the request.


<<>>original posted message 
http://svn.haxx.se/users/archive-2006-02/1010.shtml

From: Patrick Ryan <tigris_at_pryan.org>
Date: 2006-02-23 02:44:39 CET

Hello,

I've got two servers both hosting repositories. I'm using Apache2
mod_auth_kerb to authenticate to an Active Directory server. When I
turn off kerberos password authentication to force the use of Negotiate
authentication, both Subversion and Firefox fail to authenticate, but IE
works with Negotiate authentication against the server. Both Subversion
and Firefox fail without even prompting for credentials.

The client is choosing kerberos password authentication, but when I
force Negotiate authentication, neither Subversion nor Firefox work. I
expect Firefox to break, but not Neon 0.25.4 that's included with
Subversion 1.3.0. The error message appears to be the same in either
case (401 in the Apache logs):

[pryan@svn sandbox]$ svn ci
svn: Commit failed (details follow):
svn: MKACTIVITY of '/svn/sandbox/!svn/act/16c1adf6-6b0d-0410-9322-c1268cc03508': authorization failed (http://pledge.my.realm)
svn: Your commit message was left in a temporary file:
svn: '/home/pryan/pledge/sandbox/svn-commit.tmp'
[pryan@svn sandbox]$

Apache2 mod_auth_kerb working config:

    AuthType Kerberos
    KrbAuthRealms MY.REALM
    Krb5Keytab keytab_file

Apache2 mod_auth_kerb broken config:

    AuthType Kerberos
    KrbAuthRealms MY.REALM
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Krb5Keytab keytab_file

Server 1
-------- 
OS: Debian sid
Debian subversion 1.2.3dfsg1-3
Debian apache2 2.0.55-4
Debian libapache-mod-auth-kerb 4.996-5.0-rc6-3

Server 2
-------- 
OS: Red Hat Enterprise Linux WS 3u5
RHEL Apache2 httpd-2.0.46-46.ent
Subversion 1.3.0
mod_auth_kerb 5.0rc6

Client 1
-------- 
OS: Windows XP SP2
TortoiseSVN 1.3.1 (subversion 1.3.0 with neon 0.25.4)

Client 2
-------- 
The subversion client from server 2.

Any ideas what's wrong with my setup?

Thanks,
Patrick 
