
List:       subversion-issues
Subject:    [Issue 4406] New - Unable to connect to repository - http auth kerberos
From:       ludwigc () tigris ! org
Date:       2013-08-06 14:13:07
Message-ID: iz4406 () subversion ! tigris ! org

http://subversion.tigris.org/issues/show_bug.cgi?id=4406
                 Issue #|4406
                 Summary|Unable to connect to repository - http auth kerberos
               Component|subversion
                 Version|1.8.x
                Platform|All
                     URL|
              OS/Version|Windows 7
                  Status|NEW
       Status whiteboard|
                Keywords|
              Resolution|
              Issue type|DEFECT
                Priority|P2
            Subcomponent|libsvn_ra_serf
             Assigned to|issues@subversion
             Reported by|ludwigc






------- Additional comments from ludwigc@tigris.org Tue Aug  6 07:13:06 -0700 2013 -------
Since updating SVN from v1.7 to v1.8.1 I cannot access the repository any more.
Auth by web browser and old clients (1.7) is still working.
No errors logged in apache error log, even when LogLevel is set to debug!


--- SERVER ---
svnserve, version 1.6.17 (r1128011)
   compiled Jun 26 2013, 20:44:36

Copyright (C) 2000-2009 CollabNet.
Subversion is open source software, see http://subversion.apache.org/
This product includes software developed by CollabNet (http://www.Collab.Net/).

The following repository back-end (FS) modules are available:

* fs_base : Module for working with a Berkeley DB repository.
* fs_fs : Module for working with a plain file (FSFS) repository.

Cyrus SASL authentication is available.

--- CLIENT ---
svn, version 1.8.1 (r1503906)
   compiled Jul 22 2013, 19:58:17 on x86-microsoft-windows

Copyright (C) 2013 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - handles 'http' scheme
  - handles 'https' scheme


--- COMMAND & ERROR ---  
>svn update
Updating '.':
svn: E120190: Unable to connect to a repository at URL
'http://svn.myCompany.de/MyProject/trunk'
svn: E120190: Error running context: An error occurred during authentication


--- APACHE ACCESS LOG (NO ERRORS LOGGED, DEBUG MODE) ---
[Tue Aug 06 15:11:39 2013] [debug] src/mod_auth_kerb.c(1628): [client 192.168.0.39] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Aug 06 15:11:39 2013] [debug] mod_deflate.c(615): [client 192.168.0.39] Zlib: Compressed 496 to 333 : URL /MyProject/trunk
[Tue Aug 06 15:11:39 2013] [debug] src/mod_auth_kerb.c(1628): [client 192.168.0.39] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Aug 06 15:11:39 2013] [debug] src/mod_auth_kerb.c(1240): [client 192.168.0.39] Acquiring creds for HTTP/stromboli12
[Tue Aug 06 15:11:39 2013] [debug] src/mod_auth_kerb.c(1385): [client 192.168.0.39] Verifying client data using KRB5 GSS-API
[Tue Aug 06 15:11:39 2013] [debug] src/mod_auth_kerb.c(1401): [client 192.168.0.39] Client didn't delegate us their credential
[Tue Aug 06 15:11:39 2013] [debug] src/mod_auth_kerb.c(1420): [client 192.168.0.39] GSS-API token of length 181 bytes will be sent back
[Tue Aug 06 15:11:39 2013] [debug] mod_authnz_ldap.c(643): [client 192.168.0.39] ldap authorize: Creating LDAP req structure
[Tue Aug 06 15:11:39 2013] [debug] mod_authnz_ldap.c(773): [client 192.168.0.39] [10394] auth_ldap authorise: require group: testing for group membership in "CN=Alle,OU=Security Groups,OU=MyBusiness,DC=myCompany,DC=de"
[Tue Aug 06 15:11:39 2013] [debug] mod_authnz_ldap.c(779): [client 192.168.0.39] [10394] auth_ldap authorise: require group: testing for member: CN=MyName,OU=Users,OU=MyBusiness,DC=myCompany,DC=de (CN=Alle,OU=Security Groups,OU=MyBusiness,DC=myCompany,DC=de)
[Tue Aug 06 15:11:39 2013] [debug] mod_authnz_ldap.c(788): [client 192.168.0.39] [10394] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]
[Tue Aug 06 15:11:39 2013] [debug] mod_deflate.c(615): [client 192.168.0.39] Zlib: Compressed 200 to 137 : URL /MyProject/trunk

----------------------

#
# Subversion Apache vHost
#
<VirtualHost *:80>
	ServerName svn.myCompany.de

	<Location />
		DAV svn
		SVNParentPath /var/svn

		AuthType Kerberos
		AuthName "Subversion - Use your system login"
		KrbAuthRealms MYCOMPANY.DE
		Krb5KeyTab /etc/krb5.keytab

		##
		# to check ldap-groups when using kerberos-auth
		##
		KrbServiceName HTTP/svn

		# If set to Off, this directive allows authentication control to be
		# passed on to other modules
		KrbAuthoritative Off

		AuthBasicProvider ldap

		AuthLDAPURL "ldap://ldap.myCompany.de/OU=Users,OU=MyBusiness,DC=myCompany,DC=de?userPrincipalName"
		AuthLDAPBindDN "cn=LDAP,ou=SBSUsers,ou=Users,OU=MyBusiness,dc=myCompany,dc=de"
		AuthLDAPBindPassword LdapPassWord

		Satisfy All
			
	</Location>
	
	
</VirtualHost>

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=463&dsMessageId=3062135
