neon svn linux + mod_auth_kerb

Alon Bar-Lev alon.barlev at
Mon Apr 28 15:43:27 EDT 2008


 I am trying to get neon to work with mod_auth_kerb.

 The configuration works when the client is Windows (TortoiseSVN, neon
 -0.26) accessing the server.

 But when a client on Linux tries to access the server
 (versions: subversion-1.4.6 neon-0.28.2 mit-krb5-1.6.3
 mod_auth_kerb-5.3 apache-2.2.8)

 I get mutual authentication error.
 Removing the GSS_C_MUTUAL_FLAG flag from gss_init_sec_context makes it works.

 So I am not sure it is neon issue, as it passes the information to gssapi.

 The SPN of the server is HTTP/ at DOMAIN
 The KDC is Windows 2003 Domain Controller.

 My keytab has:
 host/name at DOMAIN
 host/ at DOMAIN
 HTTP/name at DOMAIN

 I am accessing the server using full DNS name using
 I can see that the server returns negotiate header to the client, but
 the gss_init_sec_context() fails.

 I read a lot of issues people here had, but nobody discussed a mutual
 authentication error.

 Does anyone have this configuration working?
 How can I debug the gssapi further? to see *WHY* the mutual
authentication fails?
 How can I know which SPN is returned from the sever?

 Alon Bar-Lev.

More information about the krbdev mailing list