Patching neon on OS X 10.5 for GSSAPI authenticated Subversion
Today I was attempting to configure Apache (2.2) to control access to my Subversion repositories using mod_auth_kerb, and I hit a snag when attempting to access repositories from Leopard clients.
I installed mod_auth_kerb and configured Apache with the following directives in the /svn location:
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbSaveCredentials On
    KrbAuthoritative on
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    KrbVerifyKDC On
    Krb5KeyTab /etc/apache2/apache2.keytab
The /etc/apache2/apache2.keytab file contains the HTTP/servername@EXAMPLE.COM principal.
With the appropriate AuthZ configuration I was able to perform all operations as expected from Linux and OS X 10.4 (Tiger) clients. However, on Leopard clients all operations resulted in:
    svn: PROPFIND request failed on '/svn/reponame'
    svn: PROPFIND of '/svn/reponame': 207 Multi-Status (https://example.com)
In the web-server logs everything seemed fine:
[client xxx.xxx.xxx.xxx] Access granted: 'princ@EXAMPLE.COM' PROPFIND reponame:/
So I set the neon-debug-mask = 138 in the [Global] section of ~/.subversion/servers and attempted the update again. Right at the end:
    Running post_send hooks
    ah_post_send (#1), code is 207 (want 401), WWW-Authenticate is Negotiate [output snipped]
    gssapi: Not a Negotiate response!
    Request ends, status 207 class 2xx, error line:
    207 Multi-Status
    Running destroy hooks.
    Request ends.
    svn: PROPFIND request failed on '/svn/reponame'
    svn: PROPFIND of '/svn/reponame': 207 Multi-Status (https://example.com)
A bit more googling turned up a patch. So I downloaded the Apple sources from http://www.opensource.apple.com/darwinsource/tarballs/other/neon-8.tar.gz, decompressed them and applied a simple one-line patch to src/ne_auth.c:
--- ne_auth.c.orig 2007-11-22 00:37:54.000000000 -0600 +++ ne_auth.c 2007-11-22 00:37:38.000000000 -0600 @@ -520,5 +520,5 @@ int ret; - if (strncmp(hdr, "Negotiate", ptr - hdr) != 0) { + if (strncmp(hdr, "Negotiate", ptr - duphdr) != 0) { NE_DEBUG(NE_DBG_HTTPAUTH, "gssapi: Not a Negotiate response!\n"); ne_free(duphdr);
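Review bot: In the changed `strncmp(hdr, "Negotiate", ptr - duphdr)` line, the length is now an offset within `duphdr` while the string being compared is still `hdr`, and the length itself is never validated. Comparing `duphdr` directly would keep the pointer and the length in the same buffer. Because `strncmp` only examines the first `ptr - duphdr` bytes, a scheme token shorter than "Negotiate" (for example "Nego") still passes and a zero length matches anything, so the condition should also require `ptr - duphdr == strlen("Negotiate")`. The assignment of `ptr` is outside this hunk; if it can be NULL there (a header value with no separator), that needs a guard before the subtraction.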
After a quick compile and install (to a temporary root) I copied the new usr/lib/libneon.26.0.3.dylib file into /usr/lib [making a backup of the original, of course] and now Subversion works perfectly.
Bug is radr://5610623