I think this is the issue I have hit: http://subversion.tigris.org/issues/show_bug.cgi?id=3394
Does anyone know if there is any progress with this problem? Victor Sudakov wrote: > Dear Colleagues: > > I have two Kerberos realms: SIBPTUS.RU and SIBPTUS.TOMSK.RU with > mutual trust. > > svnserve is configured to use Kerberos: > > [general] > anon-access = none > auth-access = write > realm = SIBPTUS.RU > #realm = SIBPTUS.TOMSK.RU > #realm = GSS_C_NO_NAME > #realm = GSS_C_NO_CREDENTIAL > [sasl] > use-sasl = true > > If I uncomment the 'realm = SIBPTUS.TOMSK.RU' line, svnserve does not > authenticate users from the SIBPTUS.RU realm, and vice versa: > > svn: E170013: Unable to connect to a repository at URL 'XXXXXXXXXXXXXXXXXXXXXX > svn: E170001: Authentication error from server: SASL(-5): bad protocol / > cancel: security flags do not match required > > Can I configure svnserve/SASL to authenticate clients from both > realms? It would be great if svnserve considers j...@sibptus.ru and > j...@sibptus.tomsk.ru different users (from the point of view of > logging etc). > > I have tried GSS_C_NO_NAME and GSS_C_NO_CREDENTIAL as realm names, > without any success. > > I am using this setup (two realms) very successfully with sshd (via > the ~/.k5login mechanism) and with the squid kerberos helper which > does not care about the realm and just passes user@REALM to squid > itself. Only svnserve seems to be a problem. > > Thanks in advance for any input. > > -- > Victor Sudakov, VAS4-RIPE, VAS47-RIPN > sip:suda...@sibptus.tomsk.ru -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru
