Return-Path: X-Original-To: apmail-subversion-users-archive@minotaur.apache.org Delivered-To: apmail-subversion-users-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 1FB6411E66 for ; Tue, 8 Jul 2014 19:25:35 +0000 (UTC) Received: (qmail 7863 invoked by uid 500); 8 Jul 2014 19:25:34 -0000 Delivered-To: apmail-subversion-users-archive@subversion.apache.org Received: (qmail 7832 invoked by uid 500); 8 Jul 2014 19:25:34 -0000 Mailing-List: contact users-help@subversion.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@subversion.apache.org Received: (qmail 7821 invoked by uid 99); 8 Jul 2014 19:25:34 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 08 Jul 2014 19:25:34 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of lieven.govaerts@gmail.com designates 209.85.223.181 as permitted sender) Received: from [209.85.223.181] (HELO mail-ie0-f181.google.com) (209.85.223.181) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 08 Jul 2014 19:25:30 +0000 Received: by mail-ie0-f181.google.com with SMTP id y20so5355083ier.12 for ; Tue, 08 Jul 2014 12:25:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=3DwKlCtNFQUmkfE5KAUkpBD2I8+SuqM4XMXUaPDKyMc=; b=J2SB8PiMlEUdwEZ+wnteh0Ty0uKht8HbueTqHOkyeOFq6Lf8zPEuCvB4o4kMCT25Hv zuMmrhyVoh2gGwZRCWKDzJnNkpBzXntBshvfQDhqzD7xQbsNYaaZIYiodZFucjX3lIa+ vsOE0fa52yPqUDJlAmaebFxKM8y7UVf4kuXdbxtlK8wRD5bgdGh1flD0t3BdDoutsinH KATX7vSOdQZsNqUnOZDQ3rqe2WTsdx+FbMEMfAW8Mim45BLLx5AfX+QdTHp4EyUadHmu 5IQWrjZNyBnAouZAMaio2L7eZcNO9n+ini6hhH0Fg4nHxcoUtdCkZMWod8MV9IP6pctu FzEw== X-Received: by 10.50.61.140 with SMTP id p12mr6328227igr.41.1404847505899; Tue, 08 Jul 2014 12:25:05 -0700 (PDT) MIME-Version: 1.0 Sender: lieven.govaerts@gmail.com Received: by 10.50.197.130 with HTTP; Tue, 8 Jul 2014 12:24:45 -0700 (PDT) In-Reply-To: References: From: Lieven Govaerts Date: Tue, 8 Jul 2014 21:24:45 +0200 X-Google-Sender-Auth: K6MIRchMruXoecqj1mSPzZzPYEo Message-ID: Subject: Re: SVN 1.8 Kerberos Client problems To: Nicolai Scheer Cc: "users@subversion.apache.org" Content-Type: text/plain; charset=UTF-8 X-Virus-Checked: Checked by ClamAV on apache.org Hi Nico, On Tue, Jul 8, 2014 at 3:57 PM, Nicolai Scheer wrote: > Hi, > > I did an update to svn 1.8.9 on our server yesterday and am now > running into problems whilst updating the corresponding windows > client. > > Server details: > > CentOS 6.5 x64 > SVN 1.8.9, compiled on my own > Apache 2.2.15 > Authentication using mod_auth_kerb to windows domain > > Client: > Windows Server 2008 > TSVN 1.7.13 > > Everything ran fine so far. I then upgraded to TSVN 1.8.7 which ships > with svn 1.8.9 binaries. > Now, on every repository involving action I get kerberos errors in my > apache log: > > [Tue Jul 08 15:08:10 2014] [error] [client 192.168.1.152] > gss_accept_sec_context() failed: No credentials were supplied, or the > credentials were unavailable or inaccessible (, Unknown error) > > Strange thing is, TSVN works fine from a user perspective (no error > displayed whatsoever...). I then tried to use the svn command line > binaries, same result, evrythings works, but apache error log is DOSed > with these error entries. That's because you have this directive in your apache config: KrbMethodK5Passwd on With this configuration, mod_auth_kerb will offer both Negotiate and Basic authentication. Your logs show that Negotiate authentication fails, but in this case svn will automatically fall back to Basic authentication, which succeeds. > I tried to either "prefer" or deny BulkUpdates on the server, nothing changes. This option has nothing to do with authentication, it specifies how - after authentication succeeded - svn+serf will communicate with mod_dav_svn. > Since subversion 1.8 comes with serf, it might have do to with the way > serf handles kerberos. Not unlikely. > From the linux cmd (on the svn server itself), I can use kerberos > (kinit + svn command afterwards) just fine, without any errors popping > up in the apache log. > Which GSSAPI implementation are you using on the server? MIT? Heimdal? Which versions? > Our browsers (IE, Chrome, FF) worked fine all the time using kerberos, > before and after upgrading svn on the server. > > TSVN 1.7.13 works as well, so do the svn binaries shipped this version. > > I'm quite stuck, because I do not know where to start. To my mind > kerberos is set up correctly because all clients work, except svn 1.8 > Serf on Windows uses Microsoft's SSPI API to handle Negotiate authentication. We know this works well with Windows based servers (e.g. VisualSVN) that also use SSPI on the server side. Serf on Linux/Mac uses GSSAPI and one of its implementations. This works well with other *nix servers. It's likely that the combination client on Windows with server+mod_auth_kerb on Linux hasn't seen as much testing as the cross platform combinations, and that certain scenario's are not supported well. Debugging this stuff will not be easy. Most likely you'll find some more information in the Kerberos implementation logging, which is configured in your krb5.conf file. On my system the log file is /var/log/krb5.log. Try to increase the log level to get more detailed error information. The best alternative is to find out what's going over the wire. Disable your SSL configuration and set KrbMethodK5Passwd to off (on a test server) and use Wireshark to trace all traffic between your Windows client and svn server. Wireshark on Windows can decode the SPNego tokens in the Authorization headers (at least for NTLM but I suppose for Kerberos also). This allows you to see if all info is correct (domain, username etc). If you want you can send me the wireshark trace privately and I'll have a look. > I thought I could solve the problem by falling back to BulkUpdate, but > it does not seem to help. > > Any suggestions are appreciated! > > Greetings > > Nico > hth, Lieven > PS: > > svn apache config : > > SVNInMemoryCacheSize 131072 > SVNCacheTextDeltas On > SVNCacheFullTexts On > SVNCompressionLevel 6 > SVNCacheRevProps On > > SSLRequireSSL > DAV svn > > SVNListParentPath On > SVNParentPath /var/local/svn/repos > > # Kerberos authentification > AuthType Kerberos > AuthName "Realm" > KrbServiceName HTTP > KrbLocalUserMapping on > KrbAuthRealms REALM.INTERN > KrbMethodNegotiate on > KrbMethodK5Passwd on > Krb5KeyTab /etc/httpd/kerberos/keytab > KrbVerifyKDC on > > require valid-user > > AuthzSVNAccessFile /var/local/svn/auth/svn_authz > SVNPathAuthz short_circuit >