Apache+Kerberos+SVN works with IE repo browser, but not Chrome or TSVN ???

ken edward

Dec 18, 2015, 11:32:37 AM
to us...@subversion.apache.org
Hello,

Please help...

I am able to use IE 11 to browse my apache+SVN+kerberos repo. Kerberos works fine. No login required. However, when I try to use Chrome or TSVN to browse the repo, I can only get the content of the root repo (https://myserver.com/cm_repo1). If I try to drill down into the projects of the repo (https://myserver.com/cm_repo1/testproj), it returns authorization denied. See apache log below.

I installed
Subversion  1.8.14
Apache 2.4.17
mod_auth_kerb-5.4

  <Location /cm_repo1>
        DAV svn
        SVNPath /data/cm_repo1
        AuthzSVNAccessFile /usr/local/scm/apache2.4.17kerb/conf/accessControl.conf
        AuthName "Kerberos Auth"
        AuthType Kerberos
        KrbMethodNegotiate On
        KrbVerifyKDC On
        KrbMethodK5Passwd On
        KrbAuthRealms CAMPUS.COM
        Krb5KeyTab /usr/local/scm/apache2.4.17kerb/conf/jirasso4.keytab
        KrbServiceName HTTP/itest.ca...@CAMPUS.COM
        KrbLocalUserMapping On
  </Location>


133.16.84.222 - sandym [16/Dec/2015:15:13:21 -0500] "OPTIONS /cm_repo1 HTTP/1.1" 200 188
133.16.84.222 - sandym [16/Dec/2015:15:13:21 -0500] "PROPFIND /cm_repo1/!svn/rvr/2245 HTTP/1.1" 207 326
133.16.84.222 - sandym [16/Dec/2015:15:13:21 -0500] "PROPFIND /cm_repo1/!svn/rvr/2245 HTTP/1.1" 207 1281
133.16.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS /cm_repo1/visitor_PRODUCTION HTTP/1.1" 401 381
133.16.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS /cm_repo1/cdb_PRODUCTION HTTP/1.1" 401 381
133.16.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS /cm_repo1/cdb HTTP/1.1" 401 381
133.16.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS /cm_repo1/shibsso HTTP/1.1" 401 381
133.16.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS /cm_repo1/cdb_TEST HTTP/1.1" 401 381
133.16.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS /cm_repo1/testproj HTTP/1.1" 401 38

Philip Martin

Dec 18, 2015, 12:15:08 PM
to ken edward, us...@subversion.apache.org
ken edward <kedwa...@gmail.com> writes:

> I installed
> Subversion 1.8.14
> Apache 2.4.17
> mod_auth_kerb-5.4

> 133.16.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS /cm_repo1/testproj HTTP/1.1" 401 38

1.8.14 has a bug that affects 3rd party authn modules such as
mod_auth_kerb and mod_auth_ldap. This bug causes Apache to return 401
responses without a WWW-Authenticate header and this means clients do
not attempt to authenticate. 1.8.15 has a fix for this bug.

--
Philip Martin
WANdisco
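
A way to spot the failure described above in access logs and captured responses, as an added example that is not part of the original thread: the first function lists anonymous 401s that a client never retried with a user name, the second flags a 401 that lacks a WWW-Authenticate header. The IP address, user, paths and raw responses are constructed sample data.

```python
import re
from collections import defaultdict

# Apache access-log fields: client, ident, user, [time], "request", status, bytes
LINE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Constructed sample data (not from the thread): hypothetical client, user and paths.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Dec/2015:10:00:00 -0500] "OPTIONS /repo HTTP/1.1" 401 381',
    '192.0.2.10 - alice [18/Dec/2015:10:00:00 -0500] "OPTIONS /repo HTTP/1.1" 200 188',
    '192.0.2.10 - alice [18/Dec/2015:10:00:01 -0500] "PROPFIND /repo/!svn/rvr/1 HTTP/1.1" 207 326',
    '192.0.2.10 - - [18/Dec/2015:10:00:01 -0500] "OPTIONS /repo/proj HTTP/1.1" 401 381',
]
BARE_401 = b"HTTP/1.1 401 Unauthorized\r\nContent-Length: 381\r\n\r\n"
CHALLENGE_401 = (b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
                 b'WWW-Authenticate: Basic realm="Kerberos Auth"\r\n\r\n')

def stalled_401s(lines):
    """Map client IP -> [(method, path)] for anonymous 401s never retried with a user."""
    pending = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected access-log layout
        key = (m["method"], m["path"])
        if m["status"] == "401" and m["user"] == "-":
            if key not in pending[m["ip"]]:
                pending[m["ip"]].append(key)       # 401 sent, no user yet
        elif m["user"] != "-" and key in pending[m["ip"]]:
            pending[m["ip"]].remove(key)           # client came back with credentials
    return {ip: reqs for ip, reqs in pending.items() if reqs}

def missing_challenge(raw_response):
    """True when a raw HTTP response is a 401 that carries no WWW-Authenticate header."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    status = parts[1] if len(parts) > 1 else ""
    names = {h.split(":", 1)[0].strip().lower() for h in header_lines if ":" in h}
    return status == "401" and "www-authenticate" not in names

if __name__ == "__main__":
    print(stalled_401s(SAMPLE_LOG))
    print(missing_challenge(BARE_401), missing_challenge(CHALLENGE_401))
```

In a healthy Negotiate exchange each anonymous 401 is followed by the same request carrying a user name, so a path that stays in the first function's result means the client never answered a challenge.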

ken edward

Dec 18, 2015, 2:27:43 PM
to Philip Martin, us...@subversion.apache.org
Thank you Philip,

Per your info, I applied subversion 1.8.15 and rebuilt my apache subversion server. I am still seeing the same issue. MSIE browser can navigate repository via kerberos, but Chrome and TSVN will only return credentials for the root of the repo. TSVN does not return credentials for URLs within the repo, as shown below in a comparison between TSVN and MSIE clients.

TSVN (authentication denied):

[Fri Dec 18 14:14:59.433207 2015] [ssl:info] [pid 44383] [client 133.4.86.222:55652] AH01964: Connection to child 6 established (server itest04.vexor.com:7100)
[Fri Dec 18 14:14:59.433586 2015] [ssl:debug] [pid 44383] ssl_engine_kernel.c(1931): [client 133.4.86.222:55652] AH02043: SSL virtual host for servername itest04.vexor.com found
[Fri Dec 18 14:14:59.480634 2015] [ssl:debug] [pid 44383] ssl_engine_kernel.c(1855): [client 133.4.86.222:55652] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Fri Dec 18 14:14:59.481564 2015] [ssl:debug] [pid 44383] ssl_engine_kernel.c(238): [client 133.4.86.222:55652] AH02034: Initial (No.1) HTTPS request received for child 6 (server itest04.vexor.com:7100)
[Fri Dec 18 14:14:59.481687 2015] [authz_svn:debug] [pid 44383] subversion/mod_authz_svn/mod_authz_svn.c(439): [client 133.4.86.222:55652] Path to authz file is /usr/local/scm/apache2.4.17kerb/conf/accessControl.conf
[Fri Dec 18 14:14:59.482223 2015] [authz_core:debug] [pid 44383] mod_authz_core.c(806): [client 133.4.86.222:55652] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Dec 18 14:14:59.482242 2015] [authz_core:debug] [pid 44383] mod_authz_core.c(806): [client 133.4.86.222:55652] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Fri Dec 18 14:14:59.482958 2015] [ssl:info] [pid 44383] (70014)End of file found: [client 133.4.86.222:55652] AH01991: SSL input filter read failed.
[Fri Dec 18 14:14:59.483000 2015] [ssl:debug] [pid 44383] ssl_engine_io.c(1003): [client 133.4.86.222:55652] AH02001: Connection closed to child 6 with standard shutdown (server itest04.vexor.com:7100)


MSIE (authenticates good)

[Fri Dec 18 14:20:46.254122 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1250): [client 133.5.86.222:55666] Acquiring creds for HTTP/itest04....@CAMPUS.VEXOR.COM, referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.257059 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1395): [client 133.5.86.222:55666] Verifying client data using KRB5 GSS-API , referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.258142 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1411): [client 133.5.86.222:55666] Client didn't delegate us their credential, referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.258163 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1430): [client 133.5.86.222:55666] GSS-API token of length 167 bytes will be sent back, referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.258675 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1544): [client 133.5.86.222:55666] kerb_authenticate_a_name_to_local_name sma...@CAMPUS.VEXOR.COM -> smandy, referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.258704 2015] [authz_svn:debug] [pid 44368] subversion/mod_authz_svn/mod_authz_svn.c(439): [client 133.5.86.222:55666] Path to authz file is /usr/local/scm/apache2.4.17kerb/conf/accessControl.conf, referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.259500 2015] [authz_svn:info] [pid 44368] [client 133.5.86.222:55666] Access granted: 'smandy' GET cm_repo1:/testproj, referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.260458 2015] [authz_core:debug] [pid 44368] mod_authz_core.c(806): [client 133.5.86.222:55666] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.260480 2015] [authz_core:debug] [pid 44368] mod_authz_core.c(806): [client 133.5.86.222:55666] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.260490 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1638): [client 133.5.86.222:55666] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.260497 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1576): [client 133.5.86.222:55666] matched previous auth request, referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.261386 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1544): [client 133.5.86.222:55666] kerb_authenticate_a_name_to_local_name sma...@CAMPUS.VEXOR.COM -> smandy, referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.261414 2015] [authz_svn:debug] [pid 44368] subversion/mod_authz_svn/mod_authz_svn.c(439): [client 133.5.86.222:55666] Path to authz file is /usr/local/scm/apache2.4.17kerb/conf/accessControl.conf, referer: https://itest04.vexor.com:7100/cm_repo1/
[Fri Dec 18 14:20:46.261438 2015] [authz_svn:info] [pid 44368] [client 133.5.86.222:55666] Access granted: 'smandy' GET cm_repo1:/testproj/myfile, referer: https://itest04.vexor.com:7100/cm_repo1/



MY BUILD

[Fri Dec 18 13:57:33.757795 2015] [ssl:info] [pid 44292] AH01876: mod_ssl/2.4.17 compiled against Server: Apache/2.4.17, Library: OpenSSL/1.0.2a
[Fri Dec 18 13:57:33.759275 2015] [mpm_prefork:notice] [pid 44292] AH00163: Apache/2.4.17 (Unix) mod_auth_kerb/5.4 OpenSSL/1.0.2a SVN/1.8.15 configured -- resuming normal operations
[Fri Dec 18 13:57:33.759296 2015] [mpm_prefork:info] [pid 44292] AH00164: Server built: Dec 17 2015 14:22:22


Philip Martin

Dec 18, 2015, 3:58:49 PM
to ken edward, us...@subversion.apache.org
ken edward <kedwa...@gmail.com> writes:

> Thank you Philip,
>
> Per your info, I applied subversion 1.8.15 and rebuilt my apache subversion

The fix did not get into 1.8.15, it only made it into 1.9.3 :-(

You either patch 1.8.15 yourself or use 1.9.3. If you want to patch
1.8.15 the relevant revision is:

http://svn.apache.org/viewvc?view=revision&revision=r1708699

--
Philip Martin
WANdisco