#35300 closed defect (fixed)
subversion ignores Negotiate?
Reported by: | 56h29g002@… | Owned by: | danielluke (Daniel J. Luke) |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | 2.1.1 |
Keywords: | GSSAPI Kerberos svn | Cc: | blair (Blair Zajac) |
Port: | subversion |
Description
I'm trying to connect to a subversion repository hosted in Apache with Kerberos authentication (negotiate and password.) Macports' svn seems to refuse to use GSSAPI negotiation to authenticate. If I run the built-in svn instead (/usr/bin/svn), it connects fine using GSSAPI. Did I build svn wrong? I couldn't find a variant for either subversion or neon to enable GSSAPI or Kerberos.
Change History (15)
comment:1 Changed 12 years ago by 56h29g002@…
comment:2 Changed 12 years ago by ryandesign (Ryan Carsten Schmidt)
Cc: | blair@… added |
---|---|
Owner: | changed from macports-tickets@… to dluke@… |
comment:3 Changed 12 years ago by danielluke (Daniel J. Luke)
Resolution: | → invalid |
---|---|
Status: | new → closed |
subversion uses cyrus-sasl for authentication; the MacPorts port doesn't build kerberos support by default. If you re-build cyrus-sasl2 with +kerberos things should work for you.
comment:4 Changed 12 years ago by 56h29g002@…
Resolution: | invalid |
---|---|
Status: | closed → reopened |
Thanks for looking into this! However, what I have active is cyrus-sasl2 @2.1.25_1+kerberos+universal.
comment:5 Changed 12 years ago by danielluke (Daniel J. Luke)
I don't have a kerberos setup to test with, so you're probably going to have to figure out what is wrong (and either provide a patch or gather enough information so I can put one together for you to test).
One thing that might make a difference is the build order of things. It's possible that subversion built against cyrus-sasl2 (-kerberos) won't do kerberos things even if you later install cyrus-sasl2+kerberos.
Is it possible that you did:
port install subversion
port -f uninstall cyrus-sasl2
port install cyrus-sasl2+kerberos
comment:6 Changed 12 years ago by 56h29g002@…
I never directly installed cyrus-sasl, something else brought it. I don't have a -kerberos version of it installed. Subversion was updated (rebuilt) yesterday.
comment:7 Changed 12 years ago by 56h29g002@…
So, if I'm gathering information, where do I look? Are there any particular logs that I should examine? Any experiments I should do?
comment:8 Changed 12 years ago by danielluke (Daniel J. Luke)
It would probably be worthwhile to re-test your setup with the latest subversion and cyrus-sasl2 ports
comment:9 Changed 12 years ago by danielluke (Daniel J. Luke)
Owner: | changed from dluke@… to dluke@… |
---|---|
Status: | reopened → new |
comment:10 Changed 12 years ago by danielluke (Daniel J. Luke)
Resolution: | → fixed |
---|---|
Status: | new → closed |
I believe this was fixed with a later release of cyrus-sasl2
comment:11 follow-up: 12 Changed 12 years ago by fbacchella (Fabrice Bacchella)
Resolution: | fixed |
---|---|
Status: | closed → reopened |
I uninstalled everything, re-installed svn with :
sudo port install subversion +kerberos
And the connection failed :
$ svn co http://svnserver/svn/sysop
svn: E170001: Unable to connect to a repository at URL 'http://svnserver/svn/sysop'
svn: E170001: OPTIONS of 'http://svnserver/svn/sysop': authorization failed: Could not authenticate to server: ignored Negotiate challenge (http://svnserver)
As my ports was empty, everything is up to date :
apr @1.4.6_1 (active)
apr-util @1.4.1_0 (active)
curl-ca-bundle @7.28.0_0 (active)
cyrus-sasl2 @2.1.25_2+kerberos (active)
db46 @4.6.21_7 (active)
expat @2.1.0_0 (active)
gettext @0.18.1.1_2 (active)
kerberos5 @1.7.2_0 (active)
libedit @20120601-3.0_0 (active)
libiconv @1.14_0 (active)
ncurses @5.9_1 (active)
neon @0.29.6_1 (active)
openssl @1.0.1c_0 (active)
serf1 @1.1.1_0 (active)
sqlite3 @3.7.14.1_0 (active)
subversion @1.7.7_0 (active)
zlib @1.2.7_0 (active)
port is up to date too :
$ port version
Version: 2.1.2
It was working fine a few days ago, just before an upgrade. When I tcpdump the http exchange, I see the Authentication: negotiate from the server but svn ignores it.
comment:12 Changed 12 years ago by danielluke (Daniel J. Luke)
Replying to fbacchella@…:
> And the connection failed :
>
> $ svn co http://svnserver/svn/sysop
> svn: E170001: Unable to connect to a repository at URL 'http://svnserver/svn/sysop'
> svn: E170001: OPTIONS of 'http://svnserver/svn/sysop': authorization failed: Could not authenticate to server: ignored Negotiate challenge (http://svnserver)
Do you have a public repo that reproduces this issue? (So that others can at least test?)
> It was working fine a few days ago, just before an upgrade. When I tcpdump the http exchange, I see the Authentication: negotiate from the server but svn ignores it.
Just before an upgrade of what?
comment:13 follow-up: 15 Changed 12 years ago by fbacchella (Fabrice Bacchella)
After much investigation, it's not a problem with macports.
One should add :
[global]
http-auth-types = Negotiate
in their ~/.subversion/servers.
I think upstream changed the default settings in the last version, because it failed after an upgrade of macport's subversion from 1.7.6_2 to 1.7.7_0.
Sorry for the false ticket re-open.
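An added example (not part of the ticket or of Subversion's code): a Python check that reads a servers file like the one edited in comment:13 and reports which http-auth-types apply to a given host. The sample file, the group name `intranet` and the function names are constructed; it assumes semicolon-separated values and that the first matching `[groups]` section takes precedence over `[global]`.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample of a ~/.subversion/servers file (not taken from the ticket).
SAMPLE_SERVERS = """\
[groups]
intranet = svnserver, *.corp.example

[intranet]
http-auth-types = Basic;Negotiate

[global]
http-auth-types = basic;digest
"""

def effective_auth_types(servers_text, host):
    """Return the http-auth-types list that applies to host, or None if unset."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep group names exactly as written
    cfg.read_string(servers_text)
    sections = []
    if cfg.has_section("groups"):
        # Assumption: the first group whose host pattern matches is used.
        for group, patterns in cfg.items("groups"):
            if any(fnmatchcase(host.lower(), p.strip().lower())
                   for p in patterns.split(",")):
                sections.append(group)
                break
    sections.append("global")  # fallback when the group does not set the option
    for name in sections:
        if cfg.has_section(name) and cfg.has_option(name, "http-auth-types"):
            raw = cfg.get(name, "http-auth-types")
            return [t.strip().lower() for t in raw.split(";") if t.strip()]
    return None  # option absent: the client's built-in default applies

def negotiate_explicitly_enabled(servers_text, host):
    """True only when the effective setting lists negotiate for this host."""
    types = effective_auth_types(servers_text, host)
    return types is not None and "negotiate" in types

if __name__ == "__main__":
    import os, sys
    path = os.path.expanduser("~/.subversion/servers")
    text = open(path).read() if os.path.exists(path) else SAMPLE_SERVERS
    host = sys.argv[1] if len(sys.argv) > 1 else "svnserver"
    print(host, effective_auth_types(text, host))
```

A result of `None` means the file does not set the option for that host, which is the state the reporter was in before adding the `[global]` entry.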
comment:14 Changed 12 years ago by danielluke (Daniel J. Luke)
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
comment:15 Changed 12 years ago by danielluke (Daniel J. Luke)
Replying to fbacchella@…:
> Sorry for the false ticket re-open.
Thanks for posting the fix, though. Hopefully if anyone else has the problem they'll see it when they search.
Some more context: I am running Mac OS 10.7.4, Macports 2.1.1, subversion @1.7.5_0+universal, neon @0.29.6_1+universal