Patching neon on OS X 10.5 for GSSAPI authenticated SubVersion

Today I was attempting to configure Apache (2.2) to control access to my SubVersion repositories using mod_auth_kerb and I hit a snag when attempting to access repositories from Leopard clients.

I installed mod_auth_kerb and configured apache with the following directives in the /svn location:

AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbSaveCredentials On
KrbAuthoritative on
KrbAuthRealms EXAMPLE.COM
KrbServiceName HTTP
KrbVerifyKDC On
Krb5KeyTab /etc/apache2/apache2.keytab

The /etc/apache2/apache2.keytab file contains the HTTP/servername@EXAMPLE.COM principle.

With the appropriate AuthZ configuration I was able to preform all operations as expected from Linux and OS X 10.4 (Tiger) clients. However on Leopard clients all operations resulted in:

svn: PROPFIND request failed on '/svn/reponame'
svn: PROPFIND of '/svn/reponame': 207 Multi-Status (https://example.com)

In the web-server logs everything seemed fine:

[client xxx.xxx.xxx.xxx] Access granted: 'princ@EXAMPLE.COM' PROPFIND reponame:/

So I set the neon-debug-mask = 138 in the [Global] section of ~/.subversion/servers and attempted the update again. Right at the end:

Running post_send hooks
ah_post_send (#1), code is 207 (want 401), WWW-Authenticate is Negotiate [output snipped]
gssapi: Not a Negotiate response!
Request ends, status 207 class 2xx, error line:
207 Multi-Status
Running destroy hooks.
Request ends.
svn: PROPFIND request failed on '/svn/reponame'
svn: PROPFIND of '/svn/reponame': 207 Multi-Status (https://example.com)

A bit more googling turned up a patch. So I downloaded the Apple sources form http://www.opensource.apple.com/darwinsource/tarballs/other/neon-8.tar.gz, decompressed them and applied a simple 1 line patch to src/ne_auth.c:

--- ne_auth.c.orig	2007-11-22 00:37:54.000000000 -0600
+++ ne_auth.c	2007-11-22 00:37:38.000000000 -0600
@@ -520,5 +520,5 @@
     int ret;

-    if (strncmp(hdr, "Negotiate", ptr - hdr) != 0) {
+    if (strncmp(hdr, "Negotiate", ptr - duphdr) != 0) {
         NE_DEBUG(NE_DBG_HTTPAUTH, "gssapi: Not a Negotiate response!\n");
         ne_free(duphdr);

After a quick compile and install (to a temporary root) I copied the new usr/lib/libneon.26.0.3.dylib file into /usr/lib [making a backup of the original of course] and now subversion works perfectly.

Bug is radr://5610623

Comments and trackbacks are both currently closed

XML RSS 2.0 feed for these comments

This entry (permalink) was posted on Tuesday, November 20th, 2007 at 12:46 AM by jgraham and categorized in Applications.

Comments are closed.

«
»
Home