#47 intermittent auth failures with mod_svn+Apache2

Version 5.*
open
nobody
5
2014-08-12
2009-06-06
jdpf
No

hi.

You may have already resolved this problem, with your recent mod_auth_kerb 5.4 release:

"* implemented already_succeeded function to avoid hammering the KDC with same auth requests in single connection"

I have not yet tested the new version on my system. However, on Debian Lenny, with Apache 2.2 and mod_auth_kerb 5.3, Subversion will randomly fail due to Kerberos asking for re-authentication tokens. Subversion+Apache2+mod_auth_kerb will emit the following types of errors:

==> /var/log/apache2/projects/error.log <==
[Fri Jun 05 14:45:52 2009] [error] [client 10.0.1.1] failed to verify krb5 credentials: Request is a replay
[Fri Jun 05 14:45:52 2009] [error] [client 10.0.1.1] The locks could not be queried for verification against a possible "If:" header. [500, #0]
[Fri Jun 05 14:45:52 2009] [error] [client 10.0.1.1] Path is not accessible. [403, #405]

Subversion clients intermittently emitted errors like:

svn: Not authorized to open root of edit operation
svn: Server sent unexpected return value (401 Authorization Required) in response to MERGE request for '/svn/repo_name'
svn: Server sent unexpected return value (500 Internal Server Error) in response to MKCOL request for '/svn/repo_name/!svn/filename'

As I discovered with Google, this issue is very well documented at: https://weblion.psu.edu/trac/weblion/ticket/36
(though I did not do that documentation.)

As articulated by the author of the above ticket, changing the Apache2 configuration directive for mod_auth_kerb from

KrbVerifyKDC on
to
KrbVerifyKDC off

resolves the problem for subversion, but puts the system at risk.

Versions of implicated software:

user@host:~$ dpkg-query -l | grep apache2
ii apache2 2.2.9-10+lenny2 Apache HTTP Server metapackage
ii apache2-doc 2.2.9-10+lenny2 Apache HTTP Server documentation
ii apache2-mpm-prefork 2.2.9-10+lenny2 Apache HTTP Server - traditional non-threaded model
ii apache2-utils 2.2.9-10+lenny2 utility programs for webservers
ii apache2.2-common 2.2.9-10+lenny2 Apache HTTP Server common files
ii libapache2-mod-auth-kerb 5.3-5 apache2 module for Kerberos authentication
ii libapache2-mod-auth-pam 1.1.1-6.1 module for Apache2 which authenticate using PAM
ii libapache2-mod-auth-sys-group 1.1.1-6.1 Module for Apache2 which checks user against system group
ii libapache2-mod-gnutls 0.5.1-1 Apache2 module for SSL and TLS encryption using GnuTLS
ii libapache2-mod-perl2 2.0.4-5 Integration of perl with the Apache2 web server
ii libapache2-mod-php5 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripting language (Apache 2 module
ii libapache2-mod-python 3.3.1-7 Python-embedding module for Apache 2
ii libapache2-mod-ruby 1.2.6-2 Embedding Ruby in the Apache2 web server
ii libapache2-svn 1.5.1dfsg1-2 Subversion server modules for Apache
user@host:~$ dpkg-query -l | grep kerb
ii libapache2-mod-auth-kerb 5.3-5 apache2 module for Kerberos authentication
user@host:~$ dpkg-query -l | grep krb
ii krb5-admin-server 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos master server (kadmind)
ii krb5-clients 1.6.dfsg.4~beta1-5lenny1 Secure replacements for ftp, telnet and rsh using MIT Kerberos
ii krb5-config 1.22 Configuration files for Kerberos Version 5
ii krb5-doc 1.6.dfsg.4~beta1-5lenny1 Documentation for MIT Kerberos
ii krb5-kdc 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos key server (KDC)
ii krb5-kdc-ldap 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos key server (KDC) LDAP plugin
ii krb5-user 1.6.dfsg.4~beta1-5lenny1 Basic programs to authenticate using MIT Kerberos
ii libkrb53 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii libpam-krb5 3.11-4 PAM module for MIT Kerberos
ii ssh-krb5 1:5.1p1-5 secure shell client and server (transitional package)

Relevant Apache Configuration Directives:

<Location /svn/>
# Enable Subversion
DAV svn

# Directory containing all repositories for this path
SVNParentPath /var/www/projects

# List repositories collection
SVNListParentPath On

# Enable WebDAV automatic versioning
SVNAutoversioning On

# Repository Display Name
SVNReposName "Subversion Tree"

# The name of the protected area or "realm"
AuthName "DOMAIN.COM"

# Using Kerberos to authenticate.
# See /usr/share/doc/libapache2-mod-auth-kerb/README.gz
# for information on how to configure this.

AuthType Kerberos

KrbMethodNegotiate on
KrbMethodK5Passwd on
# KrbMethodK4Passwd off
KrbAuthoritative on
KrbAuthRealms DOMAIN.COM
KrbVerifyKDC on
KrbServiceName HTTP/projects.domain.com@DOMAIN.COM
Krb5Keytab /etc/apache2/krb5.HTTP.keytab
KrbSaveCredentials off
KrbDelegateBasic off

# Require a valid user
Require valid-user

# Try to match Mime Info based on path
ModMimeUsePathInfo on
</Location>

Thanks!

have a day.yad
jdpf
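A small log check, added here as an example and not part of the ticket or of mod_auth_kerb itself: it parses Apache 2.2 error.log lines of the shape shown above and reports each second in which a replay-cache rejection is followed by 500/403 failures for the same client, which is the pattern to look for when judging how often this is hitting a server before deciding between upgrading to 5.4 and switching KrbVerifyKDC off. The sample lines are constructed from the excerpt in the ticket.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the error.log excerpt in the ticket (not real traffic)
SAMPLE_LOG = """\
[Fri Jun 05 14:45:52 2009] [error] [client 10.0.1.1] failed to verify krb5 credentials: Request is a replay
[Fri Jun 05 14:45:52 2009] [error] [client 10.0.1.1] The locks could not be queried for verification against a possible "If:" header. [500, #0]
[Fri Jun 05 14:45:52 2009] [error] [client 10.0.1.1] Path is not accessible. [403, #405]
[Fri Jun 05 14:46:10 2009] [error] [client 10.0.1.2] File does not exist: /var/www/favicon.ico
"""

# Apache 2.2 error-log layout: [timestamp] [level] [client ip] message
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$'
)
# mod_dav_svn appends "[<http status>, #<apr error>]" to its messages
STATUS_RE = re.compile(r'\[(?P<status>\d{3}), #\d+\]$')
REPLAY_MARK = "failed to verify krb5 credentials: Request is a replay"


def parse_line(line):
    """Return a dict with ts/level/client/msg/status, or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    sm = STATUS_RE.search(rec["msg"])
    rec["status"] = int(sm.group("status")) if sm else None
    return rec


def find_replay_incidents(log_text):
    """Group records by (client, timestamp second) and report the groups in which a
    KDC replay rejection occurs; statuses lists the DAV failures seen in that second."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["client"], rec["ts"])].append(rec)
    incidents = []
    for (client, ts), recs in sorted(groups.items()):
        replays = [r for r in recs if REPLAY_MARK in r["msg"]]
        if not replays:
            continue
        statuses = [r["status"] for r in recs if r["status"] is not None]
        incidents.append({"client": client, "ts": ts, "replays": len(replays), "statuses": statuses})
    return incidents


if __name__ == "__main__":
    for inc in find_replay_incidents(SAMPLE_LOG):
        print(inc)
```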
