subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Victor Sudakov <suda...@sibptus.tomsk.ru>
Subject svnserve with SASL and two Kerberos realms
Date Sun, 13 Mar 2016 11:34:48 GMT
Dear Colleagues:

I have two Kerberos realms: SIBPTUS.RU and SIBPTUS.TOMSK.RU with
mutual trust.

svnserve is configured to use Kerberos:

[general]
anon-access = none
auth-access = write
realm = SIBPTUS.RU
#realm = SIBPTUS.TOMSK.RU
#realm = GSS_C_NO_NAME
#realm = GSS_C_NO_CREDENTIAL
[sasl]
use-sasl = true

If I uncomment the 'realm = SIBPTUS.TOMSK.RU' line, svnserve does not
authenticate users from the SIBPTUS.RU realm, and vice versa:

svn: E170013: Unable to connect to a repository at URL 'XXXXXXXXXXXXXXXXXXXXXX
svn: E170001: Authentication error from server: SASL(-5): bad protocol / cancel: security
flags do not match required

Can I configure svnserve/SASL to authenticate clients from both
realms? It would be great if svnserve considers john@SIBPTUS.RU and
john@SIBPTUS.TOMSK.RU different users (from the point of view of
logging etc).

I have tried GSS_C_NO_NAME and GSS_C_NO_CREDENTIAL as realm names,
without any success. 

I am using this setup (two realms) very successfully with sshd (via
the ~/.k5login mechanism) and with the squid kerberos helper which
does not care about the realm and just passes user@REALM to squid
itself. Only svnserve seems to be a problem.

Thanks in advance for any input.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Mime
View raw message