Problem with SVN + Sasl2 + Auxprop + Sasldb

[Nick Williams]

I'm new to administrating SVN, but I have read about half (the most relevant 
sections) of "Version Control with Subversion" from svnbook.red-bean.com. I 
spent about 3-4 hours Googling this problem, but I found nothing that was able 
to help me move forward with my new SVN server.

Here's my setup:

OpenSUSE Linux 10.3
SVN 1.6.15 (r1038135)
Sasl version 2.1.22 by "Cyrus SASL"

Here's my configuration (I'm logged in as root for all of this):

$ ls -l /svn/repos/conf/
total 12
-rw-r--r-- 1 root root 1080 2011-02-03 11:08 authz
-rw-r--r-- 1 root root  309 2011-02-03 11:08 passwd
-rw-r--r-- 1 root root 2259 2011-02-03 22:36 svnserve.conf

$ more /svn/repos/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
authz-db = authz
realm = NWTechServe

[sasl]
use-sasl = true
min-encryption = 256
max-encryption = 512

$ ls -l /etc/sasl2/
total 16
-rw-r- 1 root root 12288 2011-02-05 11:04 nwts-db
-rw-r--r-- 1 root root47 2011-02-05 11:03 slapd.conf
-rw-r--r-- 1 root root   102 2011-02-05 11:03 svn.conf

$ more /etc/sasl2/slapd.conf (already set up by Sasl)
mech_list: gssapi digest-md5 cram-md5 external

$ more /etc/sasl2/svn.conf 
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasl2/nwts-db
mech_list: DIGEST-MD5

$ saslpasswd2 -c -f /etc/sasl2/nwts-db -u NWTechServe nicholas
[entered password]

$ sasldblistusers2 -f /etc/sasl2/nwts-db 
nicholas@NWTechServe: userPassword

$ /etc/init.d/saslauthd start
[started]

$ testsaslauthd -u nicholas -p [password]
0: NO "authentication failed"

$ testsaslauthd -u nicholas -p [password] -r NWTechServe
0: NO "authentication failed"

$ testsaslauthd -u nicholas -p [password]  -s svn
0: NO "authentication failed"

$ testsaslauthd -u nicholas -p [password] -r NWTechServe  -s svn
0: NO "authentication failed"

$ testsaslauthd -u nicholas -p [password]  -f /etc/sasl2/nwts-db
connect() : Connection refused
0: 

$ testsaslauthd -u nicholas -p [password] -r NWTechServe  -f /etc/sasl2/nwts-db
connect() : Connection refused
0: 

$testsaslauthd -u nicholas -p [password] -s svn  -f /etc/sasl2/nwts-db
connect() : Connection refused
0: 

$testsaslauthd -u nicholas -p [password] -r NWTechServe -s svn  -f 
/etc/sasl2/nwts-db
connect() : Connection refused
0: 

I've also tried running svnserve (as root) and trying to connect but "svn: 
Could not obtain the list of SASL mechanisms". However, I don't think that 
result is even valid yet, as I can't even successfully test my Sasl 
configuration.

I'm hoping I'm making an obvious error that someone on this list will see.

Any ideas?

Thanks!

Nick

Re: Problem with SVN + Sasl2 + Auxprop + Sasldb

[Nick Williams]

I sent this email Saturday in hopes of getting some help from someone with more 
knowledge and experience than I have. However, I never heard anything back from 
anyone. Because I'm new to the list, can somebody confirm that my messages are, 
indeed, getting to the list? And does anyone have any ideas?

Thanks!

Nick

On Feb 5, 2011, at 11:34 AM, Nick Williams wrote:

> I'm new to administrating SVN, but I have read about half (the most relevant 
> sections) of "Version Control with Subversion" from svnbook.red-bean.com. I 
> spent about 3-4 hours Googling this problem, but I found nothing that was 
> able to help me move forward with my new SVN server.
> 
> Here's my setup:
> 
> OpenSUSE Linux 10.3
> SVN 1.6.15 (r1038135)
> Sasl version 2.1.22 by "Cyrus SASL"
> 
> Here's my configuration (I'm logged in as root for all of this):
> 
> $ ls -l /svn/repos/conf/
> total 12
> -rw-r--r-- 1 root root 1080 2011-02-03 11:08 authz
> -rw-r--r-- 1 root root  309 2011-02-03 11:08 passwd
> -rw-r--r-- 1 root root 2259 2011-02-03 22:36 svnserve.conf
> 
> $ more /svn/repos/conf/svnserve.conf
> [general]
> anon-access = none
> auth-access = write
> authz-db = authz
> realm = NWTechServe
> 
> [sasl]
> use-sasl = true
> min-encryption = 256
> max-encryption = 512
> 
> $ ls -l /etc/sasl2/
> total 16
> -rw-r- 1 root root 12288 2011-02-05 11:04 nwts-db
> -rw-r--r-- 1 root root47 2011-02-05 11:03 slapd.conf
> -rw-r--r-- 1 root root   102 2011-02-05 11:03 svn.conf
> 
> $ more /etc/sasl2/slapd.conf (already set up by Sasl)
> mech_list: gssapi digest-md5 cram-md5 external
> 
> $ more /etc/sasl2/svn.conf 
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> sasldb_path: /etc/sasl2/nwts-db
> mech_list: DIGEST-MD5
> 
> $ saslpasswd2 -c -f /etc/sasl2/nwts-db -u NWTechServe nicholas
> [entered password]
> 
> $ sasldblistusers2 -f /etc/sasl2/nwts-db 
> nicholas@NWTechServe: userPassword
> 
> $ /etc/init.d/saslauthd start
> [started]
> 
> $ testsaslauthd -u nicholas -p [password]
> 0: NO "authentication failed"
> 
> $ testsaslauthd -u nicholas -p [password] -r NWTechServe
> 0: NO "authentication failed"
> 
> $ testsaslauthd -u nicholas -p [password]  -s svn
> 0: NO "authentication failed"
> 
> $ testsaslauthd -u nicholas -p [password] -r NWTechServe  -s svn
> 0: NO "authentication failed"
> 
> $ testsaslauthd -u nicholas -p [password]  -f /etc/sasl2/nwts-db
> connect() : Connection refused
> 0: 
> 
> $ testsaslauthd -u nicholas -p [password] -r NWTechServe  -f 
> /etc/sasl2/nwts-db
> connect() : Connection refused
> 0: 
> 
> $testsaslauthd -u nicholas -p [password] -s svn  -f /etc/sasl2/nwts-db
> connect() : Connection refused
> 0: 
> 
> $testsaslauthd -u nicholas -p [password] -r NWTechServe -s svn  -f 
> /etc/sasl2/nwts-db
> connect() : Connection refused
> 0: 
> 
> I've also tried running svnserve (as root) and trying to connect but "svn: 
> Could not obtain the list of SASL mechanisms". However, I don't think that 
> result is even valid yet, as I can't even successfully test my Sasl 
> configuration.
> 
> I'm hoping I'm making an obvious error that someone on this list will see.
> 
> Any ideas?
> 
> Thanks!
> 
> Nick

ERESTARTSYS (To be restarted) and "svn: Could not obtain the list of SASL mechanisms"

[Nick Williams]

openSUSE 11.4

# svnserve --version
svnserve, version 1.6.15 (r1038135)

Copyright (C) 2000-2009 CollabNet.
Subversion is open source software, see http://subversion.apache.org/
This product includes software developed by CollabNet (http://www.Collab.Net/).

The following repository back-end (FS) modules are available:

* fs_base : Module for working with a Berkeley DB repository.
* fs_fs : Module for working with a plain file (FSFS) repository.

Cyrus SASL authentication is available.

# svn list svn://localhost/myrepos
svn: Could not obtain the list of SASL mechanisms

# svn checkout svn://localhost/myrepos
svn: Could not obtain the list of SASL mechanisms

Trace of svnserve (full trace at end of email) at point where list command 
issued:

# strace svnserve -d --foreground -r /srv/svn/repos
...
accept4(3, {sa_family=AF_INET, sin_port=htons(34877), 
sin_addr=inet_addr("127.0.0.1")}, [16], SOCK_CLOEXEC) = 5
waitpid(-1, 0xbfc095ec, WNOHANG|WSTOPPED) = -1 ECHILD (No child processes)
setsockopt(5, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, 
child_tidptr=0xb6fd1938) = 20996
close(5)= 0
accept4(3, 0xbfc0958c, [128], SOCK_CLOEXEC) = ? ERESTARTSYS (To be restarted)
--- SIGCHLD (Child exited) @ 0 (0) ---
sigreturn() = ? (mask now [])
waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG|WSTOPPED) = 20996
waitpid(-1, 0xbfc095ec, WNOHANG|WSTOPPED) = -1 ECHILD (No child processes)

# strace svnserve -d --foreground -r /srv/svn/repos
...
accept4(3, {sa_family=AF_INET, sin_port=htons(34879), 
sin_addr=inet_addr("127.0.0.1")}, [16], SOCK_CLOEXEC) = 5
waitpid(-1, 0xbfc095ec, WNOHANG|WSTOPPED) = -1 ECHILD (No child processes)
setsockopt(5, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, 
child_tidptr=0xb6fd1938) = 20998
close(5)= 0
accept4(3, 0xbfc0958c, [128], SOCK_CLOEXEC) = ? ERESTARTSYS (To be restarted)
--- SIGCHLD (Child exited) @ 0 (0) ---
sigreturn() = ? (mask now [])
waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG|WSTOPPED) = 20998
waitpid(-1, 0xbfc095ec, WNOHANG|WSTOPPED) = -1 ECHILD (No child processes)

Any idea what's going on here?

# cat /etc/sasl2/svnserve.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasl2/sasldbs/myrepos.db
mech_list: DIGEST-MD5

# ls -l /etc/sasl2/
total 12
drwxr-xr-x 2 root root 4096 Mar 21 22:54 sasldbs
-rw--- 1 root root   49 Feb 22 16:02 smtpd.conf
-rw-r--r-- 1 root svn   115 Mar 21 22:57 svnserve.conf

# ls -l /etc/sasl2/sasldbs/
total 12
-rw-r- 1 root svn 12288 Mar 21 22:54 myrepos.db

# cat /srv/svn/repos/myrepos/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
realm = myrepos
[sasl]
use-sasl = true
min-encryption = 256
max-encryption = 512

# strace svnserve -d --foreground -r /srv/svn/repos
execve("/usr/bin/svnserve", ["svnserve", "-d", "--foreground", "-r", 
"/srv/svn/repos"], [/* 58 vars */]) = 0
brk(0)  = 0xb77fa000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0xb77c4000
access("/etc/ld.so.preload", R_OK)  = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)  = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=102553, ...}) = 0
mmap2(NULL, 102553, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb77aa000
close(3)= 0
open("/usr/lib/libsvn_repos-1.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20[\0\0004\0\0\0"..., 
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=178672, ...}) = 0
mmap2(NULL, 181320, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0xb777d000
fadvise64(3, 0, 181320, POSIX_FADV_WILLNEED) = 0
mmap2(0xb77a8000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2a) = 0xb77a8000
close(3)= 0
open("/usr/lib/libsvn_fs-1.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200'\0\0004\0\0\0"..., 
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=30364, ...}) = 0
mmap2(NULL, 33024, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0xb7774000
fadvise64(3, 0, 33024, POSIX_FADV_WILLNEED) = 0
mmap2(0xb777b000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6) = 0xb777b000
close(3)= 0
open("/usr/lib/libsvn_fs_fs-1.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260b\0\0004\0\0\0"..., 
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=170952, ...}) = 0
mmap2(NULL, 173600, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0xb7749000
fadvise64(3, 0, 173600, POSIX_FADV_WILLNEED) = 0
mmap2(0xb7772000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x28) = 0xb7772000
close(3)= 0

Re: ERESTARTSYS (To be restarted) and "svn: Could not obtain the list of SASL mechanisms"

[Nick Williams]

On a hunch, I figured out the issue, but it leads me to this question: What are 
the SVN's limits on encryption?

If /svr/svn/repos/myrepos/conf/svnserve.conf, I had this:

min-encryption = 256
max-encryption = 512

This (oddly) was causing the "Could not obtain list of SASL mechanisms" error. 
When I changed the configuration to this:

min-encryption = 128
max-encryption = 512

It worked! The error went away and I was able to execute commands.

Now, I promise I read the documentation (as evidenced by the fact that 
everything else worked perfectly once I fixed this). And I searched and scoured 
The SVN Book and Google, and found nothing about limits on either of these 
fields. Is this a server error, or a client error? Is this the server not 
supporting encryption that strong, or the client, or a bug? Are there 
unpublished limits on the values of those fields? SHOULD the server support 
256, 512 and/or 1024-bit encryption, or not?

Any comments would be appreciated, but at least I got it working. I'd sure like 
encryption stronger than 128-bit, though...

Nick

On Mar 21, 2011, at 11:20 PM, Nick Williams wrote:

> openSUSE 11.4
> 
> # svnserve --version
> svnserve, version 1.6.15 (r1038135)
> 
> Copyright (C) 2000-2009 CollabNet.
> Subversion is open source software, see http://subversion.apache.org/
> This product includes software developed by CollabNet 
> (http://www.Collab.Net/).
> 
> The following repository back-end (FS) modules are available:
> 
> * fs_base : Module for working with a Berkeley DB repository.
> * fs_fs : Module for working with a plain file (FSFS) repository.
> 
> Cyrus SASL authentication is available.
> 
> # svn list svn://localhost/myrepos
> svn: Could not obtain the list of SASL mechanisms
> 
> # svn checkout svn://localhost/myrepos
> svn: Could not obtain the list of SASL mechanisms
> 
> Trace of svnserve (full trace at end of email) at point where list command 
> issued:
> 
> # strace svnserve -d --foreground -r /srv/svn/repos
> ...
> accept4(3, {sa_family=AF_INET, sin_port=htons(34877), 
> sin_addr=inet_addr("127.0.0.1")}, [16], SOCK_CLOEXEC) = 5
> waitpid(-1, 0xbfc095ec, WNOHANG|WSTOPPED) = -1 ECHILD (No child processes)
> setsockopt(5, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, 
> child_tidptr=0xb6fd1938) = 20996
> close(5)= 0
> accept4(3, 0xbfc0958c, [128], SOCK_CLOEXEC) = ? ERESTARTSYS (To be restarted)
> --- SIGCHLD (Child exited) @ 0 (0) ---
> sigreturn() = ? (mask now [])
> waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG|WSTOPPED) = 20996
> waitpid(-1, 0xbfc095ec, WNOHANG|WSTOPPED) = -1 ECHILD (No child processes)
> 
> # strace svnserve -d --foreground -r /srv/svn/repos
> ...
> accept4(3, {sa_family=AF_INET, sin_port=htons(34879), 
> sin_addr=inet_addr("127.0.0.1")}, [16], SOCK_CLOEXEC) = 5
> waitpid(-1, 0xbfc095ec, WNOHANG|WSTOPPED) = -1 ECHILD (No child processes)
> setsockopt(5, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, 
> child_tidptr=0xb6fd1938) = 20998
> close(5)= 0
> accept4(3, 0xbfc0958c, [128], SOCK_CLOEXEC) = ? ERESTARTSYS (To be restarted)
> --- SIGCHLD (Child exited) @ 0 (0) ---
> sigreturn() = ? (mask now [])
> waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG|WSTOPPED) = 20998
> waitpid(-1, 0xbfc095ec, WNOHANG|WSTOPPED) = -1 ECHILD (No child processes)
> 
> Any idea what's going on here?
> 
> # cat /etc/sasl2/svnserve.conf
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> sasldb_path: /etc/sasl2/sasldbs/myrepos.db
> mech_list: DIGEST-MD5
> 
> # ls -l /etc/sasl2/
> total 12
> drwxr-xr-x 2 root root 4096 Mar 21 22:54 sasldbs
> -rw--- 1 root root   49 Feb 22 16:02 smtpd.conf
> -rw-r--r-- 1 root svn   115 Mar 21 22:57 svnserve.conf
> 
> # ls -l /etc/sasl2/sasldbs/
> total 12
> -rw-r- 1 root svn 12288 Mar 21 22:54 myrepos.db
> 
> # cat /srv/svn/repos/myrepos/conf/svnserve.conf
> [general]
> anon-access = none
> auth-access = write
> realm = myrepos
> [sasl]
> use-sasl = true
> min-encryption = 256
> max-encryption = 512
> 
> # strace svnserve -d --foreground -r /srv/svn/repos
> execve("/usr/bin/svnserve", ["svnserve", "-d", "--foreground", "-r", 
> "/srv/svn/repos"], [/* 58 vars */]) = 0
> brk(0)  = 0xb77fa000
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
> 0xb77c4000
> access("/etc/ld.so.preload",