Does anyone have Windows SVNServe for AD / Kerberos authentication through SASL / GSSAPI?

Scenario: A Windows server in an AD domain hosting a Subversion repository using only SVNSERVE (no Apache), not VisualSVN.

Purpose. Authenticate users to the Subversion repository through SASL via GSSAPI to a Windows domain through Kerberos.

Frequent publications on several sites indicate that users often hit a dead end with this configuration at "Failed to get the list of SASL mechanisms." I have not seen a single instance where this really works. Does it work for anybody?

I ask this question in connection with a 2011 publication on the Gentoo forum, in which someone in this scenario reviewed the corresponding source files and came to the conclusion that, while such a configuration probably once worked, the files needed for it are no longer in the source.

A discussion on the Gentoo forum, where a poster claims that svnserve + gssapi + sasl worked at one time, but no longer works.

Now I do not claim that the statement is accurate, but I know that I am stuck in exactly the same place, and I have not yet seen any messages that require a “victory” over such a setting. If you have, please provide details!

Thank you very much in advance.

+5
3 answers

"" , , Subversion Windows , , - SASL , - , "" , , -, - .

, Apache mod_auth_sspi, , , . , -, "" .

+3

AD SASL + LDAP, SASL + GSSAPI, : svnserve Cygwin Windows.

1) svnserve SASL + LDAP/AD Linux ( , svnserve Windows, ). , LDAP/AD, saslauthd testsaslauthd.

Ubuntu :

1a)/etc/sasl2/svn.conf

pwcheck_method: saslauthd
mech_list: PLAIN

subversion/svnserve saslauthd .

1b)/etc/saslauthd.conf

ldap_servers: ldap://yourADserver.dept.org
ldap_search_base: DC=dept,DC=org
ldap_bind_dn: cn=bindaccount,dc=dept,dc=org
ldap_bind_pw: passwordOfbindaccount

ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
ldap_filter: sAMAccountName=%u
ldap_password_attr: userPassword
ldap_timeout: 10
ldap_cache_ttl: 5
ldap_cache_mem: 32768

1c) testsaslauthd

testsaslauthd -u myusername -p mypassword

1d) saslauthd svnserve. svn .

2) , Windows Cyrus saslauthd , , . Cygwin, svnserve, testsaslauthd saslauthd.

. svn.conf .

+3
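The saslauthd/LDAP route above works, but the settings it uses (PLAIN with no encryption floor in svnserve, a simple bind to AD over ldap:// without StartTLS, a bind password in a config file) mean credentials travel in cleartext unless something else protects the wire. The following checker is an added example, not code from the answer: it parses svnserve.conf, the SASL library's svn.conf and saslauthd.conf and reports those weak spots. The sample file contents are constructed to mirror the answer's settings; the host names, bind DN and password are placeholders.

```python
"""Flag cleartext-credential exposure in a svnserve + SASL + saslauthd/LDAP setup.

Added example, not code from the answer above. It reads three files the
answer describes: svnserve.conf ([sasl] section), the SASL library's
svn.conf and saslauthd.conf (both 'key: value' files). The samples are
constructed to mirror the answer's settings; host names, bind DN and
bind password are placeholders.
"""
import configparser
from typing import Dict, List

# Constructed: svnserve.conf as a typical SASL-enabled repository would ship it.
SVNSERVE_CONF = """\
[general]
anon-access = none
auth-access = write

[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
"""

# Constructed: the answer's /etc/sasl2/svn.conf.
SASL_SVN_CONF = """\
pwcheck_method: saslauthd
mech_list: PLAIN
"""

# Constructed: the answer's /etc/saslauthd.conf (placeholder names and password).
SASLAUTHD_CONF = """\
ldap_servers: ldap://yourADserver.dept.org
ldap_search_base: DC=dept,DC=org
ldap_bind_dn: cn=bindaccount,dc=dept,dc=org
ldap_bind_pw: passwordOfbindaccount
ldap_use_sasl: no
ldap_start_tls: no
ldap_auth_method: bind
ldap_filter: sAMAccountName=%u
"""


def parse_colon_conf(text: str) -> Dict[str, str]:
    """Parse Cyrus-style 'key: value' lines; '#' starts a comment."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        out[key.strip().lower()] = value.strip()
    return out


def audit(svnserve_conf: str, sasl_conf: str, saslauthd_conf: str) -> List[str]:
    """Return findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    svn = configparser.ConfigParser(interpolation=None)
    svn.read_string(svnserve_conf)
    sasl = parse_colon_conf(sasl_conf)
    authd = parse_colon_conf(saslauthd_conf)

    use_sasl = svn.getboolean("sasl", "use-sasl", fallback=False)
    min_enc = svn.getint("sasl", "min-encryption", fallback=0)
    mechs = {m.upper() for m in sasl.get("mech_list", "").split()}

    if use_sasl and min_enc == 0:
        if "PLAIN" in mechs:
            findings.append(
                "PLAIN offered with min-encryption = 0: the AD password crosses the "
                "svn:// connection in cleartext. Use a mechanism with a security layer "
                "(GSSAPI, DIGEST-MD5) and set min-encryption > 0, or tunnel over svn+ssh."
            )
        else:
            findings.append(
                "min-encryption = 0 lets a client negotiate no SASL security layer; "
                "raise it so integrity/privacy protection is mandatory."
            )

    plain_ldap = authd.get("ldap_servers", "").startswith("ldap://")
    start_tls = authd.get("ldap_start_tls", "no").lower() == "yes"
    if plain_ldap and not start_tls:
        findings.append(
            "saslauthd talks to AD over ldap:// without StartTLS: with ldap_auth_method "
            "bind, each user's password is sent in cleartext; use ldaps:// or ldap_start_tls: yes."
        )
    if authd.get("ldap_bind_pw"):
        findings.append(
            "saslauthd.conf stores the bind account password: keep the file root-only "
            "(mode 0600) and give the bind account read-only directory rights."
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SVNSERVE_CONF, SASL_SVN_CONF, SASLAUTHD_CONF):
        print("-", finding)
```

To run it against a real host, replace the three constants with `open(path).read()` of the actual files; the sample as written produces three findings, and swapping in `mech_list: GSSAPI`, `min-encryption = 128` and an `ldaps://` server with the bind password removed produces none.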

( 30 , , ), svnserve + SASL + GSSAPI ! :

  • AD - Samba 4.1.0 Debian 7.2 ( ).
  • Subversion subversion 1.8.5 Solaris Express (SunOS 5.11 snv_151a i86pc i386 i86pc). x64 (Sun) SASL.
  • - Windows 7 x64 TortoiseSVN 1.8.2 ( x64) Heimdal 1.5.1 ( x64 ).
  • , Kerberos, , DNS , ..

Windows :

  • "svnserve" ( ) Subversion.
  • "ktpass -princ svn/server.domain.local@DOMAIN.LOCAL -mapuser DOMAIN.LOCAL\svnserve -crypto RC4-HMAC-NT -pass password -ptype KRB5_NT_PRINCIPAL -out svnserve.keytab". DES , Windows 7 . ( ) , .

Subversion:

  • /etc/krb5/krb5.conf

    [libdefaults]
        default_realm = DOMAIN.LOCAL
    
    [realms]
        DOMAIN.LOCAL = {
            kdc = pdc.domain.local
            admin_server = pdc.domain.local
        }
    
    [domain_realm]
        .domain.local = DOMAIN.LOCAL
        domain.local = DOMAIN.LOCAL
    
    # Other defaults left as-is.
    
  • repo/conf/svnserve.conf:

    [general]
    anon-access = none
    authz-db = authz
    realm = DOMAIN.LOCAL
    
    [sasl]
    use-sasl = true
    min-encryption = 0
    max-encryption = 256
    
  • repo/conf/authz:

    [aliases]
    
    [groups]
    
    [/]
    * =
    # Still investigating whether access to the server can be controlled through an AD group.
    # Below is for user@DOMAIN.LOCAL, the realm appears to get lost.
    user = rw
    
  • /etc/sasl/svn.conf:

    mech_list: GSSAPI
    
  • svnserve.keytab /etc/krb5/krb5.keytab (keytab sasl ).

  • svnserve.

:

  • TortoiseSVN Heimdal.
  • C:\ProgramData\Kerberos\krb5.conf /etc/krb5/krb5.conf Subversion. , .
  • , !

, svnserve /etc/krb5/krb5.keytab, . svnserve , . mslsa_cc.dll , , .

svnserve Windows. MIT Kerberos Windows, , . , .

. - mslsa_cc.dll (https://github.com/krb5/krb5/commit/7acb524f5aa00274771dbbfac19d2dd779aad409, nOutStringLen 2 , ANSIToUnicode). mslsa_cc.dll:

  • 0xB46: FF 15 04 69 00 D1 EE 0F 1F 40.
  • 0xB5E: 77 EB.
+2
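The authz file in the answer above grants `user = rw` with a comment that the realm of `user@DOMAIN.LOCAL` appears to get lost, and the author is still looking at group-based control. The following evaluator is an added example, not the answer's code: it models the subset of Subversion's authz format the answer uses ([groups], path sections like `[/]`, entries `user = rw`, `* =` and `@group = r`, most specific path section wins) and shows why a realm-qualified name would not match the bare entry. The in-section precedence used here (explicit user, then group, then `$authenticated`/`$anonymous`, then `*`) is a simplification of the real rules, and the group `svn-devs`, the user `alice` and the `[/tags]` section are constructed.

```python
"""Evaluate an svnserve authz file for a Kerberos-authenticated user.

Added example, not the answer's code. Models the subset of Subversion's
authz format used in the answer: [groups], path sections, entries
'user = rw', '* =' and '@group = r', with the most specific path section
deciding. The in-section precedence (explicit user, group,
$authenticated/$anonymous, then *) is a simplification; the group
'svn-devs', user 'alice' and the [/tags] section are constructed.
"""
import configparser
from typing import Dict, List, Optional, Tuple

# Constructed authz: the answer's file plus one group and one sub-path section.
AUTHZ = """\
[aliases]

[groups]
svn-devs = user, alice

[/]
* =
user = rw

[/tags]
@svn-devs = r
"""

Groups = Dict[str, List[str]]
Paths = Dict[str, Dict[str, str]]


def parse_authz(text: str) -> Tuple[Groups, Paths]:
    """Split the file into group definitions and per-path rule tables."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user names and paths case-sensitive
    cp.read_string(text)
    groups: Groups = {}
    if cp.has_section("groups"):
        groups = {g: [m.strip() for m in (v or "").split(",") if m.strip()]
                  for g, v in cp.items("groups")}
    paths: Paths = {s: {k: (v or "") for k, v in cp.items(s)}
                    for s in cp.sections() if s.startswith("/")}
    return groups, paths


def in_group(user: str, group: str, groups: Groups, seen: Tuple[str, ...] = ()) -> bool:
    """Membership test that follows nested '@group' references without looping."""
    if group in seen:
        return False
    for member in groups.get(group, []):
        if member.startswith("@"):
            if in_group(user, member[1:], groups, seen + (group,)):
                return True
        elif member == user:
            return True
    return False


def match_section(rules: Dict[str, str], user: Optional[str], groups: Groups) -> Optional[str]:
    """Permission string for user in one section, or None if no entry applies."""
    if user is not None and user in rules:
        return rules[user]
    if user is not None:
        for key, perm in rules.items():
            if key.startswith("@") and in_group(user, key[1:], groups):
                return perm
        if "$authenticated" in rules:
            return rules["$authenticated"]
    elif "$anonymous" in rules:
        return rules["$anonymous"]
    return rules.get("*")


def access(authz: Tuple[Groups, Paths], user: Optional[str], path: str) -> str:
    """Return 'rw', 'r' or '' for user (None = anonymous) at path."""
    groups, paths = authz
    candidates = [path]  # walk from the requested path up to '/', most specific first
    while candidates[-1] != "/":
        candidates.append(candidates[-1].rsplit("/", 1)[0] or "/")
    for section in candidates:
        if section in paths:
            perm = match_section(paths[section], user, groups)
            if perm is not None:
                return perm
    return ""


if __name__ == "__main__":
    authz = parse_authz(AUTHZ)
    # A realm-qualified principal does not match the bare 'user' entry, which is
    # why the answer's 'user = rw' only works once the realm has been stripped.
    for who in ("user", "user@DOMAIN.LOCAL", "alice", None):
        print(who, repr(access(authz, who, "/")), repr(access(authz, who, "/tags")))
```

Note that svnserve's authz groups are defined in this file; nothing in svnserve consults AD group membership, so an AD group would have to be mirrored into `[groups]` by some external process.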
