# [Part. Solved+Apache]Subversion with SASL+GSSAPI/Kerberos?

## the_mgt

Hi!

I must admit that I am kind of a n00b when it comes to kerberizing stuff, but it does work pretty well at least for libvirtd here and I read a note that it should work with subversion, too, see http://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt.

The server which is going to be the svnserver is also running Samba4_alpha13 configured as ADS with bind9+gssapi as nameserver. This does work pretty fine, several XP, Win7 and MacOSX machines added to the Domain, Citadel (mailserver and more) and a dokuwiki using the LDAP for authentication. Also, as I said, libvirt uses sasl+gssapi without any problem.[1]

Now I thought "If it works for libvirt, just copy and paste the config and you are good", but no, I fail completely. Since the internet only offers howtos for SASL+PLAIN to connect to a LDAP/AD server and that involves typing in passwords (As far as I understood this would also send passwords unprotected through the LAN), I'd rather use kerberos tickets.

The error I get is "svn: Konnte die Liste der SASL-Mechanismen nicht erhalten", roughly translates to "svn: Couldn't retrieve the list of SASL-mechanisms". Although, if I add digest-md5 to the list (see below) I will be asked for a password. So, it rather does not understand the GSSAPI mech announced by the server, instead of "not retrieving the list". I will have to look into the ebuild, maybe we are missing a configure option aka USE flag here.

So, my questions:

1. Is using GSSAPI really possible?

2. If it is, what is the proper way to do it?

3. Especially, what are the caveats for authz?

Here are my configurations, maybe you can spot the error:

(My domain/realm is MYDOMAIN.VPN)

/var/svn/test/conf/svnserve.conf:

```
[general]
anon-access = none
auth-access = write
authz-db = authz
realm = MYDOMAIN.VPN

[sasl]
use-sasl = true
```

/var/svn/test/conf/authz:

```
[aliases]
User = /CN=User Name/CN=Users/DC=Mydomain/DC=vpn

[groups]

[/]
&User = rw
```

/etc/sasl2/svn.conf: (Taken from libvirt.conf)

```
mech_list: gssapi
keytab: /var/svn/conf/krb5_svn.tab # this is probably not needed
```

/etc/conf.d/svnserve: (The KRB5_KTNAME is needed for libvirt and named, too. And I do have verified it exists in that place.)

```
SVNSERVE_OPTS="--root=/var/svn"
KRB5_KTNAME=/var/svn/conf/krb5_svn.tab
```

My Subversion installation looks like this:

```
[I] dev-vcs/subversion
     Installed versions:  1.6.16(18:39:59 11.06.2011)(apache2 bash-completion berkdb nls sasl webdav-neon -ctypes-python -debug -doc -dso -elibc_FreeBSD -emacs -extras -gnome-keyring -java -kde -perl -python -ruby -test -vim-syntax -webdav-serf)
```

For clarification, I created the Service Principal under WinXP with adminpak (ADS management tools) installed, like so:

```
1. Created a domain user associated with svn using Domain User tools, password doesn't expire, user does not need to change password

2. setspn -A svn/svnserve.mydomain.vpn svnmgt
Registering ServicePrincipalNames for CN=svnmgt,CN=Users,DC=mydomain,DC=vpn
        svn/svnserve.mydomain.vpn
Updated object

3. ktpass -out .\krb5_svn.tab -princ svn/svnserve.mydomain.vpn@MYDOMAIN.VPN -mapUser MYDOMAIN\svnmgt -mapOp set -pass same_pass_as_abovementioned
Targeting domain controller: ads.mydomain.vpn
Using legacy password setting method
Successfully mapped svn/svnserve.mydomain.vpn to svnmgt.
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to .\krb5_svn.tab:
Keytab version: 0x502
keysize 87 svn/svnserve.mydomain.vpn@MYDOMAIN.VPN ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0xidontknowifitissafetoputthisvaluehereonfgo)
```

[1] I didn't set up the Kerberos server or the LDAP myself, Samba4 took care of that, it is all integrated. I only had to learn how to tell services what to use.

[2] smbclient -k doesn't work either, because kerberos support wasn't compiled into 3.4.12 since there is no useflag

----------

## the_mgt

From what I gathered, it seems as if it might have been possible to use plain svnserve+sasl+gssapi two years ago. While the same text I linked to in the previous post is still in the source tarball, a little grepping and searching of bugtrackers revealed, that the files needed to do so are no longer in the source.

So, the next best thing you can achieve is using apache+mod_auth_kerb+FF/IE. This will give you SSO using tickets at least for the browsing in Apache. Maybe even if you use webdav under windows. Unfortunately, it does not work with kerberos tickets under linux, svn will still ask you for your credentials, which you will have to send in cleartext over the net, unless you add SSL to the mix, I think. Since I wanted passwordless SSO, this isn't helping me. While this all sucks, I still learned something. I also learned that if you use ssh+svn, you will need to turn off sasl auth for the plain svn protocol, or you will need to give sasl auth after you logged in with ssh... The svnbook is pretty silent about the whole ssh setup, so I ran into some walls. Got it all working now, but still find it sad that it didn't work like I planned.

Setting apache+mod_auth_kerb up is quite easy but not what I wanted; for completeness, I will give some hints here:

1. You will need to install Subversion with apache useflag.

2. You need to install mod_auth_kerb, but that fails to build with app-crypt/heimdal, so you will need to apply the patch attached to the bug.

3. This time, you need a service principal for apache, in the style of "http/$servername.fqdn@MYDOMAIN.VPN $username_mapped_to_service", look in the first post for the MS AD way or find out how to do it with plain mit-krb/heimdal. Save the keytab file under /etc/apache2/krb5_apache.tab.

4. Of course, your apache needs to be started with the according modules. Make sure you have

```
APACHE2_OPTS="... -D DAV -D SVN -D SVN_AUTHZ -D AUTH_KERB"
```

5. Configure /etc/apache2/modules.d/11_mod_auth_kerb.conf to match your realm settings, otherwise apache might not start up:

```
Krb5Keytab /etc/apache2/krb5_apache.tab
KrbAuthRealms MYDOMAIN.VPN
```

6. Now, in your /etc/apache2/modules.d/47_mod_dav_svn.conf, configure it like this:

```
<Location /svn>
        DAV svn
        SVNParentPath /var/svn
        SVNListParentPath On
        SVNAutoVersioning On

        AuthName "Please enter your Active Domain Credentials"
        AuthType Kerberos
        KrbAuthRealms MYDOMAIN.VPN
        Krb5KeyTab /etc/apache2/krb5_apache.tab
        KrbServiceName http
        Require valid-user
</Location>

<Location /svn/test/>
        AuthzSVNAccessFile /var/svn/test/conf/authz
</Location>
```

7. You can now configure your authz (the one you specified in the last location) to match your domain users, for example:

```
Administrator@MYDOMAIN.VPN = rw
```

8. If you want it to work in FF, you need the addon from the bottom of http://modauthkerb.sourceforge.net/configure.html or some other source.
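The authz caveat asked about in the first post (question 3) and touched in step 7 above comes down to one thing: the name on the left of an authz rule must be exactly the user name Subversion was handed by the authentication layer. With mod_auth_kerb that is the full principal, `user@REALM`, unless the module is told to strip the realm (its KrbLocalUserMapping directive does that); a DN-style alias such as `/CN=User Name/CN=Users/DC=Mydomain/DC=vpn` is the form used for SSL client-certificate subjects and never matches a Kerberos login. The following evaluator is an added example, not code from the post or from Subversion, written to let you dry-run an authz file against the principal you expect to see. It implements path inheritance (most specific path section wins, `repo:/path` consulted before `/path` at each level), `[aliases]`, `[groups]` with nesting, `*`, `$authenticated` and `$anonymous`. Where more than one rule in the same section matches the user it raises an error instead of guessing, because that precedence is version-dependent in Subversion and overlapping rules are best rewritten. The authz text and all names in it are constructed for the example.

```python
"""Dry-run a Subversion authz file against a Kerberos-style user name (added example)."""
import configparser

# Constructed sample. The DN alias mirrors the first post; the user@REALM
# names are what mod_auth_kerb passes on as the authenticated user.
SAMPLE_AUTHZ = """\
[aliases]
admin  = Administrator@MYDOMAIN.VPN
dnuser = /CN=User Name/CN=Users/DC=Mydomain/DC=vpn

[groups]
devs  = jdoe@MYDOMAIN.VPN
staff = @devs, &admin

[/]
&admin  = rw
&dnuser = rw
@devs   = r

[test:/trunk]
@staff = rw

[test:/secret]
@devs =
"""

# Same file plus a section where two rules match jdoe: flagged, not guessed.
AMBIGUOUS_AUTHZ = SAMPLE_AUTHZ + """
[test:/tags]
@devs = r
jdoe@MYDOMAIN.VPN = rw
"""


class AuthzError(Exception):
    """Malformed rule, unknown alias/group, or an outcome that would be a guess."""


def parse_authz(text):
    """Return (aliases, groups, sections); sections maps '[repo:]/path' to [(subject, rights)]."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, allow_no_value=True)
    cp.optionxform = str  # principals and user names are case sensitive
    cp.read_string(text)
    aliases = dict(cp["aliases"]) if cp.has_section("aliases") else {}
    groups = dict(cp["groups"]) if cp.has_section("groups") else {}
    sections = {}
    for name in cp.sections():
        if name in ("aliases", "groups"):
            continue
        rules = []
        for subject, rights in cp[name].items():
            rights = (rights or "").replace(" ", "")
            if rights not in ("", "r", "rw"):  # the only values authz accepts
                raise AuthzError(f"[{name}] {subject}: bad rights {rights!r}")
            rules.append((subject, rights))
        sections[name] = rules
    return aliases, groups, sections


def members(subject, aliases, groups, _seen=()):
    """Expand '&alias', '@group' (recursively) or a plain name into a set of user names."""
    if subject.startswith("&"):
        if subject[1:] not in aliases:
            raise AuthzError(f"unknown alias {subject}")
        return {aliases[subject[1:]]}
    if subject.startswith("@"):
        name = subject[1:]
        if name in _seen:
            raise AuthzError(f"group cycle through @{name}")
        if name not in groups:
            raise AuthzError(f"unknown group {subject}")
        out = set()
        for m in groups[name].split(","):
            out |= members(m.strip(), aliases, groups, _seen + (name,))
        return out
    return {subject}


def matches(subject, user, aliases, groups):
    """Does one rule subject apply to user (None means anonymous)?"""
    if subject == "*":
        return True
    if subject == "$authenticated":
        return user is not None
    if subject == "$anonymous":
        return user is None
    return user is not None and user in members(subject, aliases, groups)


def access(authz, repo, path, user):
    """Return 'rw', 'r' or '' for user on repo:path, walking from the most specific section to '/'."""
    aliases, groups, sections = authz
    parts = [p for p in path.split("/") if p]
    for depth in range(len(parts), -1, -1):
        sub = "/" + "/".join(parts[:depth])
        for name in (f"{repo}:{sub}", sub):  # repository-specific section first
            hits = [rights for subj, rights in sections.get(name, [])
                    if matches(subj, user, aliases, groups)]
            if len(hits) > 1:
                raise AuthzError(f"[{name}]: {len(hits)} rules match {user!r}; "
                                 "rule precedence is version-dependent, rewrite them")
            if hits:  # a matching rule decides, even when it grants nothing
                return hits[0]
    return ""  # no rule anywhere on the path: no access


def demo():
    """Evaluate the constructed file for a few users and paths."""
    authz = parse_authz(SAMPLE_AUTHZ)
    admin, jdoe = "Administrator@MYDOMAIN.VPN", "jdoe@MYDOMAIN.VPN"
    return {
        "admin /": access(authz, "test", "/", admin),
        "jdoe /": access(authz, "test", "/", jdoe),
        "jdoe /trunk/x.c": access(authz, "test", "/trunk/x.c", jdoe),
        "jdoe /secret": access(authz, "test", "/secret", jdoe),
        # A Kerberos login arrives as a principal, never as the DN held by the alias.
        "uname /": access(authz, "test", "/", "uname@MYDOMAIN.VPN"),
        "anonymous /": access(authz, "test", "/", None),
    }


def ambiguous_demo():
    """Show the overlap check firing; returns the error text."""
    try:
        access(parse_authz(AMBIGUOUS_AUTHZ), "test", "/tags/1.0", "jdoe@MYDOMAIN.VPN")
    except AuthzError as err:
        return str(err)
    return None


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:18} -> {val!r}")
    print(ambiguous_demo())
```

Run it with your own authz file pasted into `SAMPLE_AUTHZ` and the principal as it appears in the Apache access log; if the result for a path is `''` where you expected access, the mismatch is almost always the realm suffix or the alias form, not the path rules.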

----------

