subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Victor Sudakov <>
Subject svnserve with SASL and two Kerberos realms
Date Sun, 13 Mar 2016 11:34:48 GMT
Dear Colleagues:

I have two Kerberos realms: SIBPTUS.RU and SIBPTUS.TOMSK.RU with
mutual trust.

svnserve is configured to use Kerberos:

anon-access = none
auth-access = write
realm = SIBPTUS.RU
#realm = GSS_C_NO_NAME
use-sasl = true

If I uncomment the 'realm = SIBPTUS.TOMSK.RU' line, svnserve does not
authenticate users from the SIBPTUS.RU realm, and vice versa:

svn: E170013: Unable to connect to a repository at URL 'XXXXXXXXXXXXXXXXXXXXXX
svn: E170001: Authentication error from server: SASL(-5): bad protocol / cancel: security
flags do not match required

Can I configure svnserve/SASL to authenticate clients from both
realms? It would be great if svnserve considers john@SIBPTUS.RU and
john@SIBPTUS.TOMSK.RU different users (from the point of view of
logging etc).

I have tried GSS_C_NO_NAME and GSS_C_NO_CREDENTIAL as realm names,
without any success. 

I am using this setup (two realms) very successfully with sshd (via
the ~/.k5login mechanism) and with the squid kerberos helper which
does not care about the realm and just passes user@REALM to squid
itself. Only svnserve seems to be a problem.

Thanks in advance for any input.

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN

View raw message