Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[Part. Solved+Apache]Subversion with SASL+GSSAPI/Kerberos?
View unanswered posts
View posts from last 24 hours

Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message

Joined: 05 Aug 2005
Posts: 259
Location: Germany, near Hannover

PostPosted: Sat Jun 11, 2011 7:54 pm    Post subject: [Part. Solved+Apache]Subversion with SASL+GSSAPI/Kerberos? Reply with quote


I must admit that I am kind of a n00b when it comes to kerberizing stuff, but it does work pretty good at least for libvirtd here and I read a note that it should work with subversion, too, see

The server which is going to be the svnserver is also running Samba4_alpha13 configured as ADS with bind9+gssapi as nameserver. This does work pretty fine, several XP, Win7 and MacOSX machines added to the Domain, Citadel (mailserver and more) and a dokuwiki using the LDAP for authentication. Also, as I said, libvirt uses sasl+gssapi without any problem.[1]

Now I thought "If it works for libvirt, just copy and paste the config and you are good", but no, I fail completely. Since the internet only offers howtos for SASL+PLAIN to connect to a LDAP/AD server and that involves typing in passwords (As far as I understood this would also send passwords unprotected through the LAN), I'd rather use kerberos tickets.

The error I get is "svn: Konnte die Liste der SASL-Mechanismen nicht erhalten", roughly translates to "svn: Couldn't retrieve the list of SASL-mechanisms". Although, if I add digest-md5 to the list (see below) I will be asked for a password. So, it rather does not understand the GSSAPI mech announced by the server, instead of "not retrieving the list". I will have to look into the ebuild, maybe we are missing a configure option aka USE flag here.

So, my questions:
1. Is using GSSAPI really possible?
2. If it is, what is the proper way to do it?
3. Especially, what are the caveats for authz?

Here are my configurations, maybe you can spot the error:
(My domain/realm is MYDOMAIN.VPN)

anon-access = none
auth-access = write
authz-db = authz

use-sasl = true

User = /CN=User Name/CN=Users/DC=Mydomain/DC=vpn


&User = rw

/etc/sasl2/svn.conf: (Taken from libvirt.conf)
mech_list: gssapi
keytab: /var/svn/conf/ #this is probably not needed

/etc/conf.d/svnserve: (The KRB5_KTNAME is needed for libvirt and named, too. And I do have verified it exists in that place.)

My Subversion installation looks like this:
[I] dev-vcs/subversion
         Installed versions:  1.6.16(18:39:59 11.06.2011)(apache2 bash-completion berkdb nls sasl webdav-neon -ctypes-python -debug -doc -dso -elibc_FreeBSD -emacs -extras -gnome-keyring -java -kde -perl -python -ruby -test -vim-syntax -webdav-serf)

For clarification, I created the Service Principle under WinXP with adminpak (ADS management tools) installed, like so:

1. Created a domain user associated with svn using Domain User tools, password doesnt expire, user does not need to change password

2. setspn -A svn/svnserve.mydomain.vpn svnmgt
Registering ServicePrincipalNames for CN=svnmgt,CN=Users,DC=mydomain,DC=vpn     
Updated object

3. ktpass -out .\ -princ svn/svnserve.mydomain.vpn@MYDOMAIN.VPN -mapUser MYDOMAIN\svnmgt -mapOp set -pass same_pass_as_abovementioned
Targeting domain controller: ads.mydomain.vpn
Using legacy password setting method
Successfully mapped svn/svnserve.mydomain.vpn to svnmgt.
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to .\
Keytab version: 0x502
keysize 87 svn/svnserve.mydomain.vpn@MYDOMAIN.VPN ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0xidontknowifitissafetoputthisvaluehereonfgo)

[1] I didn't set up the Kerberos server or the LDAP myself, Samba4 took care of that, it is all integrated. I only had to learn how to tell services what to use.
[2] smbclient -k doesnt work either, because kerberos support wasn't compiled into 3.4.12 since there is no useflag
Citadel Groupware | Avahi Howto

Last edited by the_mgt on Mon Jun 13, 2011 9:15 am; edited 1 time in total
Back to top
View user's profile Send private message

Joined: 05 Aug 2005
Posts: 259
Location: Germany, near Hannover

PostPosted: Mon Jun 13, 2011 9:14 am    Post subject: Reply with quote

From what I gathered, it seems as if it might have been possible to use plain svnserve+sasl+gssapi two years ago. While the same text I linked to in the previous post is still in the source tarball, a little grepping and searching of bugtrackers revealed, that the files needed to do so are no longer in the source.

So, the next best thing you can achieve is using apache+mod_auth_kerb+FF/IE. This will give you SSO using tickets at least for the browsing in Apache. Maybe even if you use webdav under windows. Unfortunately, it does not work with kerberos tickets under linux, svn will still ask you for your credentials, which you will have to send in cleartext over the net, unless you add SSL to the mix, I think. Since I wanted passwordless SSO, this isnt helping me. While this all sucks, I still learned something. I also learned, that if you use ssh+svn, you will need to turn of sasl auth for plain svn protocol, or you will need to give sasl auth after you logged in with ssh... The svnbook is pretty silent about the whole ssh setup, so I ran into some walls. Got it all working now, but still find it sad that it didn't work like I planned.

Setting apache+mod_auth_kerb up is quite easy, but not what I wanted, but for completeness, I will give some hints here:
1. You will need to install Subversion with apache useflag.
2. You need to isntall mod_auth_kerb but that fails to build with app-crypt/heimdal, so you will need to apply the patch attached to the bug.
3. This time, you need a service principle for appache, in the style of "http/$servername.fqdn@MYDOMAIN.VPN $username_mapped_to_service", look in the first post for the MS AD way or find out how to do it with plain mit-krb/heimdal. Save the keytab file under /etc/apache2/
4. Of course, your apache needs to be started with the according modules. Make sure you have

5. Configure /etc/apache2/modules.d/11_mod_auth_kerb.conf to match your realm settings, otherwise apache might not start up:
Krb5Keytab /etc/apache2/

6. Now, in your /etc/apache2/modules.d/47_mod_dav_svn.conf, configure it like this:
<Location /svn>
        DAV svn
        SVNParentPath /var/svn
        SVNListParentPath On
        SVNAutoVersioning On
        AuthName "Please enter your Active Domain Credentials"
        AuthType Kerberos
        KrbAuthRealms MYDOMAIN.VPN
        Krb5KeyTab /etc/apache2/
        KrbServiceName http

        Require valid-user

<Location /svn/test/>
        AuthzSVNAccessFile /var/svn/test/conf/authz

7. You can now configure your authz (the one you specified in the last location) to match your domain users, for example:
Administrator@MYDOMAIN.VPN = rw

8. If you want it to work in FF, you need the addon from the bottom of or some other source.
Citadel Groupware | Avahi Howto
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum