neon svn linux + mod_auth_kerb

Alon Bar-Lev alon.barlev at
Tue Apr 29 09:13:25 EDT 2008


There was some weird time sync issue between the computer and the
domain controller.

Although the svn client and the apache server ran on the same server,
it looks like the server ticket was invalid due to time difference
between <I don't know> and the client.

Had only gssapi (mit-krb5) had some debug support... or proper return codes.


On 4/28/08, Alon Bar-Lev <alon.barlev at> wrote:
> Hello,
>  I am trying to get neon to work with mod_auth_kerb.
>  The configuration works when the client is Windows (TortoiseSVN, neon
>  -0.26) accessing the server.
>  But when a client on Linux tries to access the server
>  (versions: subversion-1.4.6 neon-0.28.2 mit-krb5-1.6.3
>  mod_auth_kerb-5.3 apache-2.2.8)
>  I get mutual authentication error.
>  Removing the GSS_C_MUTUAL_FLAG flag from neon makes it works.
>  The SPN of the server is HTTP/ at DOMAIN
>  The KDC is Windows 2003 Domain Controller.
>  My keytab has:
>  host/name at DOMAIN
>  host/ at DOMAIN
>  HTTP/name at DOMAIN
>  I am accessing the server using full DNS name using
>  I can see that the server returns negotiate header to the client, but
>  the gss_init_sec_context() fails.
>  I read a lot of issues people here had, but nobody discussed a mutual
>  authentication error.
>  Does anyone have this configuration working?
>  How can I debug the gssapi futher?
>  How can I know which SPN is returned from the sever?
>  Thanks,
> Alon Bar-Lev.

More information about the krbdev mailing list