You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Stephan Wienczny <Wi...@Uni-Paderborn.de> on 2007/03/06 01:21:56 UTC

Using Kerberos-Authentication with subversion 1.4.2

Hi,

I'm trying to use kerberos-authentication for my subversion repositories but 
the clients in version 1.4.2 fail to connect with HTTP-Error 207 
Multi-Status. Older 1.3.2 clients and browsers are able to connect to the 
server. 
The server uses subversion-1.4.2, apache-2.2.3 and 
lib-apache-mod-auth-kerb-5.3

My apache configuration for the svn location looks like this: 

  <Location /svn>
    DAV svn
    SVNParentPath /var/lib/svn

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbAuthoritative on
    KrbAuthRealms UNI-PADERBORN.DE
    KrbServiceName HTTP
    KrbVerifyKDC on
    Krb5Keytab /etc/keytab.svn
    AuthGroupFile /etc/apache2/htgroup
    require group staff
  </Location>

This smells like a bug either in my configuration or svn-1.4.2.

MfG Stephan Wienczny

Re: Using Kerberos-Authentication with subversion 1.4.2

Posted by Yves Martin <yv...@elca.ch>.

On Tue, 2007-03-06 at 02:21 +0100, Stephan Wienczny wrote:
> Hi,
> I'm trying to use kerberos-authentication for my subversion repositories but 
> the clients in version 1.4.2 fail to connect with HTTP-Error 207 
> Multi-Status.

> Older 1.3.2 clients and browsers are able to connect to the server. 
> The server uses subversion-1.4.2, apache-2.2.3 and 
> lib-apache-mod-auth-kerb-5.3

> This smells like a bug either in my configuration or svn-1.4.2.

  Hello,

I had the same error when building a Linux subversion client 1.4.3 with
neon 0.26.3. The fix is available on neon 0.26 branch.

Your server configuration is OK. The big trouble for Kerberos SPNEGO is
the neon 0.26 branch ! You should build with neon 0.25.5 to avoid
problems.

Here is the patch:

--- src/ne_auth.c       (revision 1148)
+++ src/ne_auth.c       (working copy)
@@ -533,7 +533,7 @@
     int ret;
     ne_buffer *errmsg;
 
-    if (strncmp(hdr, "Negotiate", ptr - hdr) != 0) {
+    if (strncmp(hdr, "Negotiate", ptr - duphdr) != 0) {
         NE_DEBUG(NE_DBG_HTTPAUTH, "gssapi: Not a Negotiate response!
\n");
         ne_free(duphdr);
         return NE_ERROR;

Regards
-- 
Yves Martin

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org