Current status of Kerberos support for TortoiseSVN ?


Keiran Sweet

Mar 21, 2013, 9:24:29 AM
to d...@tortoisesvn.tigris.org
Hi Everyone,
I've posted previously about having issues with getting krb5 + HTTPS functionality working reliably in the past [1] where all tortoise clients work OK for a period of time, then they suddenly stop. It seems now that the SASL/neon functionality was broken around the 1.6.16 mark [2] and never really fixed.

I've come across a few posts lately that suggest moving to the serf libraries to get this working by adding the following lines to the tortoise configuration file's [global] section:

http-library = serf

However, when I do this on my platform (Windows XP and 7, 32-bit) it hangs indefinitely, with the following errors in Apache constantly repeated (the server is an Apache + DAV + SVN + HTTPS + KRB5 platform):

10.2.3.4 - - [19/Mar/2013:16:27:46 +0000] "OPTIONS /svn/reponame HTTP/1.1" 401 498

401 = Unauthorized. Using other clients with the same credentials works fine, so this is specifically a Tortoise SVN issue.

Would I be able to get an official status on krb5/sasl/neon/serf/GSSAPI + HTTPS support for Tortoise 1.7?

Specifically:
* Is this a supported configuration for Tortoise?
* Are there any known bugs/issues with this configuration that prevent it from working?
* Is there any way to debug neon/serf issues further from the client side?
* Is there the possibility for us to fund (within reason) the fix of this issue if it isn't a priority?

I ask this as I'm really keen to move our users from a messy svn+ssh configuration to a clean KRB5/HTTPS environment as the management overhead is pretty ugly on the server side.


Thanks in advance,


K


[1] Tortoise authentications with HTTPS + Kerberos - https://groups.google.com/forum/#!msg/tortoisesvn/8EBPp_NSo_g/aIftZS7GewIJ
[2] KRB Support seems to be broken since 1.6.16 (One of a few threads) - http://svn.haxx.se/tsvnusers/archive-2011-07/0247.shtml
[3] User having similar issues to me - http://svn.haxx.se/tsvnusers/archive-2011-07/0247.shtml
[4] SSO and Tortoise thread - http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3041542

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=757&dsMessageId=3051615
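
Added example (not part of the original thread, and not TortoiseSVN or Subversion code): a small server-side check for the symptom described above, a client that keeps receiving 401 on the same request. A working Negotiate exchange shows one 401 (the challenge) followed by an authenticated request, so a run of consecutive 401s marks a client that never completes the handshake. Only the first sample line is from the post; the other lines, the 10.2.3.5 client, the user name and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

def find_auth_loops(lines, threshold=3):
    """Return {(host, method, path): longest run of consecutive 401s},
    keeping only runs of at least `threshold` (an assumed cut-off)."""
    run = defaultdict(int)   # current run of 401s per (host, method, path)
    worst = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue         # not an access-log entry
        key = (m["host"], m["method"], m["path"])
        if m["status"] == "401":
            run[key] += 1
            if run[key] >= threshold:
                worst[key] = max(worst.get(key, 0), run[key])
        else:
            run[key] = 0     # any other status ends the run
    return worst

# Constructed sample: 10.2.3.4 loops on 401, 10.2.3.5 authenticates on retry.
SAMPLE = """\
10.2.3.4 - - [19/Mar/2013:16:27:46 +0000] "OPTIONS /svn/reponame HTTP/1.1" 401 498
10.2.3.5 - - [19/Mar/2013:16:27:46 +0000] "OPTIONS /svn/reponame HTTP/1.1" 401 498
10.2.3.4 - - [19/Mar/2013:16:27:47 +0000] "OPTIONS /svn/reponame HTTP/1.1" 401 498
10.2.3.5 - user@EXAMPLE.COM [19/Mar/2013:16:27:47 +0000] "OPTIONS /svn/reponame HTTP/1.1" 200 188
10.2.3.4 - - [19/Mar/2013:16:27:47 +0000] "OPTIONS /svn/reponame HTTP/1.1" 401 498
10.2.3.4 - - [19/Mar/2013:16:27:48 +0000] "OPTIONS /svn/reponame HTTP/1.1" 401 498
""".splitlines()

if __name__ == "__main__":
    for (host, method, path), count in find_auth_loops(SAMPLE).items():
        print(f"{host}: {count} consecutive 401s on {method} {path}")
```
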

Stefan Küng

Mar 21, 2013, 4:42:05 PM
to d...@tortoisesvn.tigris.org, Keiran Sweet
On 21.03.2013 14:24, Keiran Sweet wrote:
> Hi Everyone,
> I've posted previously about having issues with getting krb5 + HTTPS functionality working reliably in the past [1] where all tortoise clients work OK for a period of time, then they suddenly stop. It seems now that the SASL/neon functionality was broken around the 1.6.16 mark [2] and never really fixed.
>
> I've come across a few posts lately that suggest moving to the serf libraries to get this working by adding the following lines to the tortoise configuration file's [global] section:
>
> http-library = serf
>
> However, when I do this on my platform (Windows XP and 7, 32-bit) it hangs indefinitely, with the following errors in Apache constantly repeated (the server is an Apache + DAV + SVN + HTTPS + KRB5 platform):
>
> 10.2.3.4 - - [19/Mar/2013:16:27:46 +0000] "OPTIONS /svn/reponame HTTP/1.1" 401 498
>
> 401 = Unauthorized. Using other clients with the same credentials works fine, so this is specifically a Tortoise SVN issue.

Other clients: also other Windows clients that use the official svn library?

> Would I be able to get an official status on krb5/sasl/neon/serf/GSSAPI + HTTPS support for Tortoise 1.7?
>
> Specifically:
> * Is this a supported configuration for Tortoise?
> * Are there any known bugs/issues with this configuration that prevent it from working?
> * Is there any way to debug neon/serf issues further from the client side?
> * Is there the possibility for us to fund (within reason) the fix of this issue if it isn't a priority?
>
> I ask this as I'm really keen to move our users from a messy svn+ssh configuration to a clean KRB5/HTTPS environment as the management overhead is pretty ugly on the server side.

* neon is gone in svn 1.8, there's only serf left (not released yet, but
you can try a nightly build).
* Serf is now at version 1.2.0, maybe your issues are fixed now? You can
try a nightly build if you like.
* you didn't mention the TSVN version you're using for your tests
* if you have issues with GSSAPI and authentication, always first try
the official svn command line client. If the issue is there too, you
have to report your problems to the svn users list. Because if the issue
is there too, it's in the svn library and therefore needs to be fixed there.

Stefan

--
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest interface to (Sub)version control
    /_/   \_\     http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=757&dsMessageId=3051657

Keiran Sweet

Mar 22, 2013, 5:57:12 AM
to d...@tortoisesvn.tigris.org
Hi Stefan,
Thanks for this, I'll give it all a test and report my findings.

Cheers,

K

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=757&dsMessageId=3051689

Keiran Sweet

Mar 25, 2013, 6:30:03 AM
to d...@tortoisesvn.tigris.org
Hi There,
I've done the following tests:

Clients that work with krb5 + HTTPS:

RHEL5:
$ svn --version
svn, version 1.6.11 (r934486)
compiled May 31 2011, 06:01:42

Copyright (C) 2000-2009 CollabNet.
Subversion is open source software, see http://subversion.tigris.org/
This product includes software developed by CollabNet (http://www.Collab.Net/).

The following repository access (RA) modules are available:

* ra_neon : Module for accessing a repository via WebDAV protocol using Neon.
- handles 'http' scheme
- handles 'https' scheme
* ra_svn : Module for accessing a repository using the svn network protocol.
- with Cyrus SASL authentication
- handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
- handles 'file' scheme

$


RHEL6

$ svn --version
svn, version 1.6.11 (r934486)
compiled Apr 12 2012, 11:09:11

Copyright (C) 2000-2009 CollabNet.
Subversion is open source software, see http://subversion.tigris.org/
This product includes software developed by CollabNet (http://www.Collab.Net/).

The following repository access (RA) modules are available:

* ra_neon : Module for accessing a repository via WebDAV protocol using Neon.
- handles 'http' scheme
- handles 'https' scheme
* ra_svn : Module for accessing a repository using the svn network protocol.
- with Cyrus SASL authentication
- handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
- handles 'file' scheme

$


Windows 32-Bit:

SlikSVN:
C:\Program Files\SlikSvn\bin>svn --version
svn, version 1.7.8-SlikSvn-1.7.8-WIN32 (SlikSvn/1.7.8) WIN32
compiled Jan 11 2013, 16:20:51

Copyright (C) 2012 The Apache Software Foundation.
This software consists of contributions made by many people; see the NOTICE
file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_neon : Module for accessing a repository via WebDAV protocol using Neon.
- handles 'http' scheme
- handles 'https' scheme
* ra_svn : Module for accessing a repository using the svn network protocol.
- with Cyrus SASL authentication
- handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
- handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
- handles 'http' scheme
- handles 'https' scheme


C:\Program Files\SlikSvn\bin>




Clients that are not working:
* Tortoise SVN 1.7.11 (Also occurs when the http library is changed to serf)

* Tortoise SVN nightly build - TortoiseSVN-1.7.99.24016-dev-win32-svn-1.8.x-dev
(Also occurs when the http library is changed to serf)

Are there any other clients that I could use specifically, as there isn't an official svn binary release that I could find?

Thanks in advance.

K

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=757&dsMessageId=3051866

Stefan Küng

Mar 25, 2013, 5:01:03 PM
to d...@tortoisesvn.tigris.org, Keiran Sweet
On 25.03.2013 11:30, Keiran Sweet wrote:
> Hi There,
> I've done the following tests:
>
> Clients that work with krb5 + HTTPS:
>
> RHEL5:

not really interesting for us

> RHEL6

neither is this.


> Windows 32-Bit:
>
> SlikSVN:
> C:\Program Files\SlikSvn\bin>svn --version
> svn, version 1.7.8-SlikSvn-1.7.8-WIN32 (SlikSvn/1.7.8) WIN32
> compiled Jan 11 2013, 16:20:51
>
> Copyright (C) 2012 The Apache Software Foundation.
> This software consists of contributions made by many people; see the NOTICE
> file for more information.
> Subversion is open source software, see http://subversion.apache.org/
>
> The following repository access (RA) modules are available:
>
> * ra_neon : Module for accessing a repository via WebDAV protocol using Neon.
> - handles 'http' scheme
> - handles 'https' scheme
> * ra_svn : Module for accessing a repository using the svn network protocol.
> - with Cyrus SASL authentication
> - handles 'svn' scheme
> * ra_local : Module for accessing a repository on local disk.
> - handles 'file' scheme
> * ra_serf : Module for accessing a repository via WebDAV protocol using serf.
> - handles 'http' scheme
> - handles 'https' scheme

does this work with neon and serf or just neon?

Do you know what versions they use of serf/neon?
And what OpenSSL version?

> Clients that are not working:
> * Tortoise SVN 1.7.11 (Also occurs when the http library is changed to serf)
>
> * Tortoise SVN nightly build - TortoiseSVN-1.7.99.24016-dev-win32-svn-1.8.x-dev
> (Also occurs when the http library is changed to serf)
>
> Are there any other clients that I could use specifically, as there isn't an official svn binary release that I could find?

Yes: try the svn command line client that can be installed with TSVN
(you have to select it in the install dialog).

Then:
as I said before, you have to report this on the Subversion mailing
list, especially if you want to get this working with serf - which will
be the only lib available in svn 1.8!

Stefan

--
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest interface to (Sub)version control
    /_/   \_\     http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=757&dsMessageId=3051910