Gentoo Forums
[Part. Solved+Apache]Subversion with SASL+GSSAPI/Kerberos?
the_mgt
Apprentice


Joined: 05 Aug 2005
Posts: 259
Location: Germany, near Hannover

PostPosted: Sat Jun 11, 2011 7:54 pm    Post subject: [Part. Solved+Apache]Subversion with SASL+GSSAPI/Kerberos?

Hi!

I must admit that I am kind of a n00b when it comes to kerberizing stuff, but it does work pretty well, at least for libvirtd here, and I read a note that it should work with subversion too, see http://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt.

The server which is going to be the svnserver is also running Samba4_alpha13 configured as ADS with bind9+gssapi as nameserver. This works fine: several XP, Win7 and MacOSX machines are added to the Domain, Citadel (mailserver and more) and a dokuwiki use the LDAP for authentication. Also, as I said, libvirt uses sasl+gssapi without any problem.[1]

Now I thought "If it works for libvirt, just copy and paste the config and you are good", but no, I fail completely. Since the internet only offers howtos for SASL+PLAIN to connect to a LDAP/AD server, and that involves typing in passwords (as far as I understood, this would also send passwords unprotected through the LAN), I'd rather use kerberos tickets.

The error I get is "svn: Konnte die Liste der SASL-Mechanismen nicht erhalten", which roughly translates to "svn: Couldn't retrieve the list of SASL mechanisms". Although, if I add digest-md5 to the list (see below) I will be asked for a password. So it rather does not understand the GSSAPI mech announced by the server, instead of "not retrieving the list". I will have to look into the ebuild, maybe we are missing a configure option aka USE flag here.

So, my questions:
1. Is using GSSAPI really possible?
2. If it is, what is the proper way to do it?
3. Especially, what are the caveats for authz?

Here are my configurations, maybe you can spot the error:
(My domain/realm is MYDOMAIN.VPN)

/var/svn/test/conf/svnserve.conf:
Code:
[general]
anon-access = none
auth-access = write
authz-db = authz
realm = MYDOMAIN.VPN

[sasl]
use-sasl = true

/var/svn/test/conf/authz:
Code:
[aliases]
User = /CN=User Name/CN=Users/DC=Mydomain/DC=vpn

[groups]

[/]
&User = rw


/etc/sasl2/svn.conf: (Taken from libvirt.conf)
Code:
mech_list: gssapi
keytab: /var/svn/conf/krb5_svn.tab #this is probably not needed


/etc/conf.d/svnserve: (The KRB5_KTNAME is needed for libvirt and named, too. And I have verified that it exists in that place.)
Code:
SVNSERVE_OPTS="--root=/var/svn"
KRB5_KTNAME=/var/svn/conf/krb5_svn.tab


My Subversion installation looks like this:
Code:
[I] dev-vcs/subversion
         Installed versions:  1.6.16(18:39:59 11.06.2011)(apache2 bash-completion berkdb nls sasl webdav-neon -ctypes-python -debug -doc -dso -elibc_FreeBSD -emacs -extras -gnome-keyring -java -kde -perl -python -ruby -test -vim-syntax -webdav-serf)


For clarification, I created the Service Principal under WinXP with adminpak (ADS management tools) installed, like so:
Code:

1. Created a domain user associated with svn using Domain User tools, password doesn't expire, user does not need to change password

2. setspn -A svn/svnserve.mydomain.vpn svnmgt
Registering ServicePrincipalNames for CN=svnmgt,CN=Users,DC=mydomain,DC=vpn     
        svn/svnserve.mydomain.vpn
Updated object

3. ktpass -out .\krb5_svn.tab -princ svn/svnserve.mydomain.vpn@MYDOMAIN.VPN -mapUser MYDOMAIN\svnmgt -mapOp set -pass same_pass_as_abovementioned
Targeting domain controller: ads.mydomain.vpn
Using legacy password setting method
Successfully mapped svn/svnserve.mydomain.vpn to svnmgt.
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to .\krb5_svn.tab:
Keytab version: 0x502
keysize 87 svn/svnserve.mydomain.vpn@MYDOMAIN.VPN ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0xidontknowifitissafetoputthisvaluehereonfgo)


[1] I didn't set up the Kerberos server or the LDAP myself, Samba4 took care of that, it is all integrated. I only had to learn how to tell services what to use.
[2] smbclient -k doesn't work either, because kerberos support wasn't compiled into 3.4.12 since there is no USE flag
_________________
Citadel Groupware | Avahi Howto


Last edited by the_mgt on Mon Jun 13, 2011 9:15 am; edited 1 time in total
the_mgt

PostPosted: Mon Jun 13, 2011 9:14 am

From what I gathered, it seems as if it might have been possible to use plain svnserve+sasl+gssapi two years ago. While the same text I linked to in the previous post is still in the source tarball, a little grepping and searching of bugtrackers revealed that the files needed to do so are no longer in the source.

So, the next best thing you can achieve is using apache+mod_auth_kerb+FF/IE. This will give you SSO using tickets, at least for browsing in Apache. Maybe even if you use webdav under windows. Unfortunately, it does not work with kerberos tickets under linux; svn will still ask you for your credentials, which you will have to send in cleartext over the net, unless you add SSL to the mix, I think. Since I wanted passwordless SSO, this isn't helping me. While this all sucks, I still learned something. I also learned that if you use ssh+svn, you will need to turn off sasl auth for the plain svn protocol, or you will need to give sasl auth after you logged in with ssh... The svnbook is pretty silent about the whole ssh setup, so I ran into some walls. Got it all working now, but still find it sad that it didn't work like I planned.

Setting up apache+mod_auth_kerb is quite easy, though not what I wanted, but for completeness I will give some hints here:
1. You will need to install Subversion with the apache USE flag.
2. You need to install mod_auth_kerb, but that fails to build with app-crypt/heimdal, so you will need to apply the patch attached to the bug.
3. This time, you need a service principal for Apache, in the style of "http/$servername.fqdn@MYDOMAIN.VPN $username_mapped_to_service"; look in the first post for the MS AD way or find out how to do it with plain mit-krb/heimdal. Save the keytab file under /etc/apache2/krb5_apache.tab.
4. Of course, your apache needs to be started with the according modules. Make sure you have
Code:
APACHE2_OPTS="... -D DAV -D SVN -D SVN_AUTHZ -D AUTH_KERB"

5. Configure /etc/apache2/modules.d/11_mod_auth_kerb.conf to match your realm settings, otherwise apache might not start up:
Code:
Krb5Keytab /etc/apache2/krb5_apache.tab
KrbAuthRealms MYDOMAIN.VPN

6. Now, in your /etc/apache2/modules.d/47_mod_dav_svn.conf, configure it like this:
Code:
<Location /svn>
        DAV svn
        SVNParentPath /var/svn
        SVNListParentPath On
        SVNAutoVersioning On
       
        AuthName "Please enter your Active Domain Credentials"
        AuthType Kerberos
        KrbAuthRealms MYDOMAIN.VPN
        Krb5KeyTab /etc/apache2/krb5_apache.tab
        KrbServiceName http

        Require valid-user
</Location>

<Location /svn/test/>
        AuthzSVNAccessFile /var/svn/test/conf/authz
</Location>


7. You can now configure your authz (the one you specified in the last location) to match your domain users, for example:
Code:
Administrator@MYDOMAIN.VPN = rw


8. If you want it to work in FF, you need the addon from the bottom of http://modauthkerb.sourceforge.net/configure.html or some other source.
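Both posts end up at the same question 3 of the opening post: what the authz file actually matches against. With svnserve+SASL the principal is whatever the SASL layer hands over (the first post aliases an LDAP-style DN), while with Apache+mod_auth_kerb it is the Kerberos principal user@REALM from step 7. The following is an added example, not code from the thread or from Subversion: a small evaluator for the authz syntax used in both posts ([aliases], [groups], per-path sections, &alias and @group references, *, $authenticated, $anonymous and ~ negation). Its rule precedence is a simplification stated in the code and assumed here: sections are searched from the requested path up to /, the nearest section with any matching rule decides, and within a section the last matching rule wins. The sample authz text and principals are constructed for the example.

```python
"""Evaluate a Subversion authz file for a principal and a path.

Hypothetical helper written for this thread, not Subversion's own code.
Precedence is simplified (see access()); treat it as an assumption.
"""
import configparser
from typing import Optional, Set

# Constructed sample: the svnserve-style DN alias from the first post next to
# the mod_auth_kerb-style user@REALM principal from step 7 of the second post.
SAMPLE_AUTHZ = """\
[aliases]
User = /CN=User Name/CN=Users/DC=Mydomain/DC=vpn

[groups]
admins = Administrator@MYDOMAIN.VPN
devs = &User, @admins

[/]
* = r
@devs = rw

[/secret]
* =
@admins = rw
"""


def parse_authz(text: str) -> configparser.ConfigParser:
    """Parse authz text, keeping principal names case-sensitive and verbatim."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _aliases(cp) -> dict:
    return dict(cp.items("aliases")) if cp.has_section("aliases") else {}


def expand_group(cp, name: str, seen: Set[str]) -> Set[str]:
    """Flatten a [groups] entry (members, &aliases, nested @groups) into principals."""
    if name in seen:                  # cycle guard for @a = @b, @b = @a
        return set()
    seen = seen | {name}
    members: Set[str] = set()
    for item in (s.strip() for s in (cp.get("groups", name, fallback="") or "").split(",")):
        if not item:
            continue
        if item.startswith("@"):
            members |= expand_group(cp, item[1:], seen)
        elif item.startswith("&"):
            members.add(_aliases(cp).get(item[1:], item))  # unknown alias stays literal
        else:
            members.add(item)
    return members


def rule_applies(cp, key: str, user: Optional[str]) -> bool:
    """Does the left-hand side of a rule match this (possibly anonymous) user?"""
    if key == "*":
        return True
    if key == "$authenticated":
        return user is not None
    if key == "$anonymous":
        return user is None
    if user is None:
        return False
    negate = key.startswith("~")
    if negate:
        key = key[1:]
    if key.startswith("@"):
        hit = user in expand_group(cp, key[1:], set())
    elif key.startswith("&"):
        hit = user == _aliases(cp).get(key[1:])
    else:
        hit = user == key
    return hit != negate


def access(cp, user: Optional[str], path: str) -> str:
    """Return 'rw', 'r' or '' for user at path.

    Assumed precedence: walk from path up to '/', the nearest section that
    contains any matching rule decides, last matching rule in it wins.
    """
    path = "/" + path.strip("/")
    candidates = []
    while True:
        candidates.append(path)
        if path == "/":
            break
        path = path.rsplit("/", 1)[0] or "/"
    for section in candidates:
        if not cp.has_section(section):
            continue
        verdict = None
        for key, value in cp.items(section):
            if rule_applies(cp, key, user):
                verdict = (value or "").strip()   # '* =' yields '' (no access)
        if verdict is not None:
            return verdict
    return ""


AUTHZ = parse_authz(SAMPLE_AUTHZ)
DN_USER = "/CN=User Name/CN=Users/DC=Mydomain/DC=vpn"   # what the alias resolves to
ADMIN = "Administrator@MYDOMAIN.VPN"                    # mod_auth_kerb style

if __name__ == "__main__":
    # "User Name@MYDOMAIN.VPN" is the same person as DN_USER, but as a different
    # string the authz file cannot know that: only the anonymous '* = r' applies.
    for who in (None, DN_USER, ADMIN, "User Name@MYDOMAIN.VPN"):
        for where in ("/trunk", "/secret/notes"):
            print(f"{who!r:50} {where:14} -> {access(AUTHZ, who, where) or '(none)'}")
```

The point the table makes is the caveat behind question 3: the authz file compares plain strings, so a user who reaches the repository once through svnserve (DN-style name) and once through Apache (user@REALM) is two different principals to it, and the rules have to list both or pick one access path.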