Posted to dev@subversion.apache.org by Victor Sudakov <su...@sibptus.tomsk.ru> on 2011/12/06 18:22:47 UTC

GSSAPI auth stopped working after upgrade

Colleagues, 

I have upgraded the svn client from subversion-1.6.17 to
subversion-1.7.2 on FreeBSD 7.4 and GSSAPI authentication stopped
working. svn does not even try to get a Kerberos ticket and tries to
use DIGEST-MD5 at once. The server is still subversion-1.6.16_1 (no
changes there).

What has happened and how can I get back my GSSAPI? Please help. Need
I now to enable something on the client side?

If I disable the digest-md5 mech on the server, like 
(mech_list: gssapi anonymous), I get:

$ svn co svn://big/configs
svn: E210007: Unable to connect to a repository at URL 'svn://big/configs'
svn: E210007: Cannot negotiate authentication mechanism


# ldd `which svn` | egrep 'gss|sas'
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x281fc000)
        libgssapi.so.9 => /usr/lib/libgssapi.so.9 (0x284de000)

This is what happens on the net:


010.014.134.005.03690-010.014.134.125.54580: ( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries commit-revprops depth log-revprops partial-replay ) ) ) 
010.014.134.125.54580-010.014.134.005.03690: ( 2 ( edit-pipeline svndiff1 absent-entries depth mergeinfo log-revprops ) 17:svn://big/configs 9:SVN/1.7.2 ( ) ) 
010.014.134.005.03690-010.014.134.125.54580: ( success ( ( GSSAPI DIGEST-MD5 ) 16:SIBPTUS.TOMSK.RU ) ) 
010.014.134.125.54580-010.014.134.005.03690: ( DIGEST-MD5 ( ) ) 
010.014.134.005.03690-010.014.134.125.54580: ( step ( 256:bm9uY2U9InRKNHprMDdWV04yeE53UGlja25SU3BvV0ZaODlJSk1IeGlVb3ExOUhVM3M9IixyZWFs
bT0iU0lCUFRVUy5UT01TSy5SVSIscW9wPSJhdXRoLGF1dGgtaW50LGF1dGgtY29uZiIsY2lwaGVy
PSJyYzQtNDAscmM0LTU2LHJjNCxkZXMsM2RlcyIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxh
bGdvcml0aG09bWQ1LXNlc3M=
 ) ) 
010.014.134.125.54580-010.014.134.005.03690: 357:dXNlcm5hbWU9InN1ZGFrb3YiLHJlYWxtPSJTSUJQVFVTLlRPTVNLLlJVIixub25jZT0idEo0emsw
N1ZXTjJ4TndQaWNrblJTcG9XRlo4OUlKTUh4aVVvcTE5SFUzcz0iLGNub25jZT0iTkxTUlRJQ1Z1
NTByVVMwemNDOVZjdVl6ZUlaM3dYOTIwQi9EMEcwV25tVT0iLG5jPTAwMDAwMDAxLHFvcD1hdXRo
LWNvbmYsY2lwaGVyPXJjNCxtYXhidWY9NDA5NixkaWdlc3QtdXJpPSJzdm4vYmlnIixyZXNwb25z
ZT0zZDI3MDgzNjUxZThmY2U2MjVjYmNkMGQ1MGZkNTYxYQ==
 
010.014.134.005.03690-010.014.134.125.54580: ( failure ( 48:SASL(-13): user not found: no secret in database ) ) 
010.014.134.125.54580-010.014.134.005.03690: ( DIGEST-MD5 ( ) ) 
010.014.134.005.03690-010.014.134.125.54580: ( step ( 256:bm9uY2U9IkhsL29VdHFwZ0tESS9FMFVRajl4K212aUQwRjlhWnhZL1c4d1lTS2g2V0k9IixyZWFs
bT0iU0lCUFRVUy5UT01TSy5SVSIscW9wPSJhdXRoLGF1dGgtaW50LGF1dGgtY29uZiIsY2lwaGVy
PSJyYzQtNDAscmM0LTU2LHJjNCxkZXMsM2RlcyIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxh
bGdvcml0aG09bWQ1LXNlc3M=
 ) ) 

Thank you very much in advance.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
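
An added example, not part of the original post or of Subversion's code: a small parser for the svn:// messages in the capture above that reports which SASL mechanisms the server offered and which one the client tried first. The function names are illustrative; it assumes ASCII payloads, the capture line prefix shown in the post, and a server on port 3690.

```python
import re

# One token: "(", ")", "<len>:" string header, number, or word.
TOKEN = re.compile(r"\s*(?:(\()|(\))|(\d+):|(\d+)|([A-Za-z][A-Za-z0-9-]*))")
# Capture lines in the post read "<ip>.<port>-<ip>.<port>: <message>"; SAMPLE copies three.
PREFIX = re.compile(r"^[\d.]+\.(\d{5})-[\d.]+: (.*)$", re.M)
SAMPLE = """\
010.014.134.125.54580-010.014.134.005.03690: ( 2 ( edit-pipeline svndiff1 absent-entries depth mergeinfo log-revprops ) 17:svn://big/configs 9:SVN/1.7.2 ( ) )
010.014.134.005.03690-010.014.134.125.54580: ( success ( ( GSSAPI DIGEST-MD5 ) 16:SIBPTUS.TOMSK.RU ) )
010.014.134.125.54580-010.014.134.005.03690: ( DIGEST-MD5 ( ) )
"""

def parse_items(data):
    """Parse svn protocol text into nested lists (numbers -> int, words/strings -> str)."""
    data, pos, stack = data.strip(), 0, [[]]
    while pos < len(data):
        m = TOKEN.match(data, pos)
        if not m:
            raise ValueError("unexpected input at offset %d" % pos)
        pos = m.end()
        lparen, rparen, strlen, number, word = m.groups()
        if lparen:
            stack.append([])
        elif rparen:
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack[-2].append(stack.pop())
        elif strlen:  # "<len>:" header: the next <len> characters are the string
            stack[-1].append(data[pos:pos + int(strlen)])
            pos += int(strlen)
        else:
            stack[-1].append(int(number) if number else word)
    if len(stack) != 1 or pos > len(data):
        raise ValueError("unclosed '(' or string running past the end of the line")
    return stack[0]

def mech_choice(trace, server_port="03690"):
    """Return (mechanisms the server offered, mechanism the client tried first)."""
    offered = None
    for src_port, payload in PREFIX.findall(trace):
        try:
            first, params = parse_items(payload)[0][:2]
            if src_port != server_port:
                if offered and first in offered:
                    return offered, first
            elif first == "success" and isinstance(params[0], list):
                offered = params[0]
        except (ValueError, IndexError, TypeError):
            pass  # wrapped base64 step data or a message of another shape
    return offered, None
```

On the sample lines, `mech_choice(SAMPLE)` returns the offer `['GSSAPI', 'DIGEST-MD5']` with `DIGEST-MD5` as the client's first attempt, which is the symptom described in the post: GSSAPI was offered and the client skipped it.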

Re: GSSAPI auth stopped working after upgrade

Posted by Victor Sudakov <su...@sibptus.tomsk.ru>.
Daniel Shahaf wrote:
> > > > > 
> > > > > I have upgraded the svn client from subversion-1.6.17 to
> > > > > subversion-1.7.2 on FreeBSD 7.4 and GSSAPI authentication stopped
> > > > > working. svn does not even try to get a Kerberos ticket and tries to
> > > > 
> > > > At least, how do I enable authentication debug in the svn client?
> > > 
> > > By adding SVN_DBG() statements to subversion/libsvn_ra_svn/cyrus_auth.c 
> > > and recompiling?
> > 
> > Could you please be more specific?  SVN_DBG() what exactly?
> 
> I don't know what exactly; I was simply telling you where in the source
> tree lives the client-side authentication logic for clients linked
> against the SASL library.  (svn_ra_svn__do_cyrus_auth() is the entry
> point.)

That was rather easy to figure out with find/grep. I think we need
someone with more expertise in sasl just to understand what is exactly
happening. It does not even try to request a service ticket from the
kdc.

> 
> SVN_DBG() is a debug macro that basically wraps printf().

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Re: GSSAPI auth stopped working after upgrade

Posted by Daniel Shahaf <da...@elego.de>.
Victor Sudakov wrote on Wed, Dec 07, 2011 at 15:07:54 +0700:
> Daniel Shahaf wrote:
> > > > 
> > > > I have upgraded the svn client from subversion-1.6.17 to
> > > > subversion-1.7.2 on FreeBSD 7.4 and GSSAPI authentication stopped
> > > > working. svn does not even try to get a Kerberos ticket and tries to
> > > 
> > > At least, how do I enable authentication debug in the svn client?
> > 
> > By adding SVN_DBG() statements to subversion/libsvn_ra_svn/cyrus_auth.c 
> > and recompiling?
> 
> Could you please be more specific?  SVN_DBG() what exactly?

I don't know what exactly; I was simply telling you where in the source
tree lives the client-side authentication logic for clients linked
against the SASL library.  (svn_ra_svn__do_cyrus_auth() is the entry
point.)

SVN_DBG() is a debug macro that basically wraps printf().

Re: GSSAPI auth stopped working after upgrade

Posted by Victor Sudakov <su...@sibptus.tomsk.ru>.
Daniel Shahaf wrote:
> > > 
> > > I have upgraded the svn client from subversion-1.6.17 to
> > > subversion-1.7.2 on FreeBSD 7.4 and GSSAPI authentication stopped
> > > working. svn does not even try to get a Kerberos ticket and tries to
> > 
> > At least, how do I enable authentication debug in the svn client?
> 
> By adding SVN_DBG() statements to subversion/libsvn_ra_svn/cyrus_auth.c 
> and recompiling?

Could you please be more specific?  SVN_DBG() what exactly?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Re: GSSAPI auth stopped working after upgrade

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Victor Sudakov wrote on Wed, Dec 07, 2011 at 12:54:39 +0700:
> Victor Sudakov wrote:
> > 
> > I have upgraded the svn client from subversion-1.6.17 to
> > subversion-1.7.2 on FreeBSD 7.4 and GSSAPI authentication stopped
> > working. svn does not even try to get a Kerberos ticket and tries to
> 
> At least, how do I enable authentication debug in the svn client?

By adding SVN_DBG() statements to subversion/libsvn_ra_svn/cyrus_auth.c 
and recompiling?

> 
> -- 
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:sudakov@sibptus.tomsk.ru

Re: GSSAPI auth stopped working after upgrade

Posted by Victor Sudakov <su...@sibptus.tomsk.ru>.
Victor Sudakov wrote:
> 
> I have upgraded the svn client from subversion-1.6.17 to
> subversion-1.7.2 on FreeBSD 7.4 and GSSAPI authentication stopped
> working. svn does not even try to get a Kerberos ticket and tries to

At least, how do I enable authentication debug in the svn client?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Re: GSSAPI auth stopped working after upgrade

Posted by Victor Sudakov <su...@sibptus.tomsk.ru>.
Sorry, it was a false alarm! 

The cyrus-sasl2 port was compiled incorrectly (--with-gss_impl=mit
instead of --with-gss_impl=heimdal) due to a long-forgotten KRB5_HOME
defined in /etc/make.conf.

Everything works now. I love Unix, there are no unexplainable or
random glitches :)

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Re: GSSAPI auth stopped working after upgrade

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Victor Sudakov wrote on Wed, Dec 07, 2011 at 18:22:03 +0700:
> Philip Martin wrote:
> > >>> 
> > >>> Have you tried with "mech_list: gssapi" so that the client has no choice?
> > >>
> > >> Yes, in fact I wrote about it in the original post. I repeat:
> > >>
> > >> If I disable the digest-md5 mech on the server, like
> > >> (mech_list: gssapi anonymous), I get:
> > >
> > > I'm not a SASL expert, what does anonymous do?  Does that give the
> > > client a choice?  Can you use "mech_list: gssapi"?
> > 
> > One other thing is there is a note in
> > http://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt that
> > states that setting the client's max-encryption to more than 56 will
> > prevent GSSAPI working.  I don't know whether that is still true or
> > out-of-date, or why this should suddenly be an issue when going from 1.6
> > to 1.7.
> 
> min-encryption and max-encryption are server-side settings, and the
> issue is more probably in the client. 
> 

svn_ra_svn__default_secprops()

> Yes, I tried specifying min-encryption = 0; max-encryption = 56 on the
> server side (in conf/svnserve.conf) but it makes no difference. It's
> the client that does not even try to contact the KDC for a service
> ticket.
> 
> -- 
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:sudakov@sibptus.tomsk.ru

Re: GSSAPI auth stopped working after upgrade

Posted by Victor Sudakov <su...@sibptus.tomsk.ru>.
Philip Martin wrote:
> >>> 
> >>> Have you tried with "mech_list: gssapi" so that the client has no choice?
> >>
> >> Yes, in fact I wrote about it in the original post. I repeat:
> >>
> >> If I disable the digest-md5 mech on the server, like
> >> (mech_list: gssapi anonymous), I get:
> >
> > I'm not a SASL expert, what does anonymous do?  Does that give the
> > client a choice?  Can you use "mech_list: gssapi"?
> 
> One other thing is there is a note in
> http://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt that
> states that setting the client's max-encryption to more than 56 will
> prevent GSSAPI working.  I don't know whether that is still true or
> out-of-date, or why this should suddenly be an issue when going from 1.6
> to 1.7.

min-encryption and max-encryption are server-side settings, and the
issue is more probably in the client. 

Yes, I tried specifying min-encryption = 0; max-encryption = 56 on the
server side (in conf/svnserve.conf) but it makes no difference. It's
the client that does not even try to contact the KDC for a service
ticket.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Re: GSSAPI auth stopped working after upgrade

Posted by Philip Martin <ph...@wandisco.com>.
Philip Martin <ph...@wandisco.com> writes:

> Victor Sudakov <su...@sibptus.tomsk.ru> writes:
>
>> Philip Martin wrote:
>>> 
>>> Have you tried with "mech_list: gssapi" so that the client has no choice?
>>
>> Yes, in fact I wrote about it in the original post. I repeat:
>>
>> If I disable the digest-md5 mech on the server, like
>> (mech_list: gssapi anonymous), I get:
>
> I'm not a SASL expert, what does anonymous do?  Does that give the
> client a choice?  Can you use "mech_list: gssapi"?

One other thing is there is a note in
http://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt that
states that setting the client's max-encryption to more than 56 will
prevent GSSAPI working.  I don't know whether that is still true or
out-of-date, or why this should suddenly be an issue when going from 1.6
to 1.7.

-- 
uberSVN: Apache Subversion Made Easy
http://www.uberSVN.com

Re: GSSAPI auth stopped working after upgrade

Posted by Victor Sudakov <su...@sibptus.tomsk.ru>.
Philip Martin wrote:
> >> 
> >> Have you tried with "mech_list: gssapi" so that the client has no choice?
> >
> > Yes, in fact I wrote about it in the original post. I repeat:
> >
> > If I disable the digest-md5 mech on the server, like
> > (mech_list: gssapi anonymous), I get:
> 
> I'm not a SASL expert, what does anonymous do?  Does that give the
> client a choice?  

Actually, it is not even advertised. What is advertised is:

( success ( ( GSSAPI DIGEST-MD5 ) 16:SIBPTUS.TOMSK.RU ) )

It is not being advertised because "anon-access = none" is configured
for this repo.

> Can you use "mech_list: gssapi"?

Made no difference.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Re: GSSAPI auth stopped working after upgrade

Posted by Philip Martin <ph...@wandisco.com>.
Victor Sudakov <su...@sibptus.tomsk.ru> writes:

> Philip Martin wrote:
>> 
>> Have you tried with "mech_list: gssapi" so that the client has no choice?
>
> Yes, in fact I wrote about it in the original post. I repeat:
>
> If I disable the digest-md5 mech on the server, like
> (mech_list: gssapi anonymous), I get:

I'm not a SASL expert, what does anonymous do?  Does that give the
client a choice?  Can you use "mech_list: gssapi"?

-- 
uberSVN: Apache Subversion Made Easy
http://www.uberSVN.com

Re: GSSAPI auth stopped working after upgrade

Posted by Victor Sudakov <su...@sibptus.tomsk.ru>.
Philip Martin wrote:
> 
> > I have upgraded the svn client from subversion-1.6.17 to
> > subversion-1.7.2 on FreeBSD 7.4 and GSSAPI authentication stopped
> > working. svn does not even try to get a Kerberos ticket and tries to
> > use DIGEST-MD5 at once. The server is still subversion-1.6.16_1 (no
> > changes there).
> >
> > What has happened and how can I get back my GSSAPI? Please help. Need
> > I now to enable something on the client side?
> >
> > If I disable the digest-md5 mech on the server, like 
> > (mech_list: gssapi anonymous), I get:
> 
> Few Subversion developers have worked on the SASL code, there may be
> more SASL expertise on the users list.
> 
> I seem to recall an issue about choosing the mechanism: the server
> expects the client to choose the most suitable, but the client expects
> the server to suggest the most suitable and so doesn't have any sort of
> selection hierarchy.  Perhaps that is the problem?
> 
> Have you tried with "mech_list: gssapi" so that the client has no choice?

Yes, in fact I wrote about it in the original post. I repeat:

If I disable the digest-md5 mech on the server, like
(mech_list: gssapi anonymous), I get:

$ svn co svn://big/configs
svn: E210007: Unable to connect to a repository at URL 'svn://big/configs'
svn: E210007: Cannot negotiate authentication mechanism

I even googled for the "Cannot negotiate authentication mechanism"
message but have only come up with some Windows-specific problems like
TortoiseSVN being unable to find a dll.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Re: GSSAPI auth stopped working after upgrade

Posted by Philip Martin <ph...@wandisco.com>.
Victor Sudakov <su...@sibptus.tomsk.ru> writes:

> I have upgraded the svn client from subversion-1.6.17 to
> subversion-1.7.2 on FreeBSD 7.4 and GSSAPI authentication stopped
> working. svn does not even try to get a Kerberos ticket and tries to
> use DIGEST-MD5 at once. The server is still subversion-1.6.16_1 (no
> changes there).
>
> What has happened and how can I get back my GSSAPI? Please help. Need
> I now to enable something on the client side?
>
> If I disable the digest-md5 mech on the server, like 
> (mech_list: gssapi anonymous), I get:

Few Subversion developers have worked on the SASL code, there may be
more SASL expertise on the users list.

I seem to recall an issue about choosing the mechanism: the server
expects the client to choose the most suitable, but the client expects
the server to suggest the most suitable and so doesn't have any sort of
selection hierarchy.  Perhaps that is the problem?

Have you tried with "mech_list: gssapi" so that the client has no choice?

-- 
uberSVN: Apache Subversion Made Easy
http://www.uberSVN.com