svn with kerberos-gssapi auth doesn't work

Bug #1303167 reported by Daniel GALAMBOS on 2014-04-05
86
This bug affects 16 people
Affects Status Importance Assigned to Milestone
serf (Ubuntu)
High
Unassigned
subversion (Ubuntu)
High
Unassigned

Bug Description

Recently installed Trusty server beta2. I have heimdal-clients installed.
kinit dancsa@<REALM>
svn co https://svn.<domain>/svn/
svn up (in already checkouted repository)

expected result: svn would get service ticket, and use that to authenticate
result: no service ticket got (verified by klist), svn ask for password.

dancsa@yukari:~$ lsb_release -rd
Description: Ubuntu Trusty Tahr (development branch)
Release: 14.04

if i download the debian jessie's subversion package, extract it with dpkg -x, and run ldd against svn, it lists libkrb5support.so.0 libgssapi_krb5.so.2 and libkrb5.so.3 where ubuntu's version doesn't list these.

also if i see right both distro uses the same upstream version, so i diff-ed the debian directories of thetwo source package, i did not see anything that would give the answer.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in subversion (Ubuntu):
status: New → Confirmed
JancioSz (janciosz) wrote :

The answer is libserf, on Ubuntu not compiled with GSSAPI support, in contrast to Jessie version. Still the same upstream version but missing compilation flag.
Could this be fixed for trusty? There is no excuse, IMHO, that svn sasl2, which in turn could do krb5 authentication, as we need this in http/https protocols provided to svn by serf library.

Ramon Ziai (rziai) wrote :

I can confirm this problem and also that libserf is the cause. I just compiled it with GSSAPI support and after installation, svn client authenticates fine against server using GSSAPI.

Changed in serf (Ubuntu):
status: New → Confirmed
Ramon Ziai (rziai) wrote :

Here's a tiny patch that adds the flag for GSSAPI support in the debian/rules file. The unit tests failed on my machine but that seems to be unrelated. One would probably have to add the build dependency on libkrb5-dev somewhere, but I don't know where that shold happen.

The attachment "patch that adds build flag for GSSAPI support" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Daniel GALAMBOS (dancsa) wrote :

Using Ramon Ziai 's patch (and adding libkrb5-dev to debian/control Builds-Depends) makes it work. Utopic unicorn has similar change already, so Utopic is not affected

Will this fix backported to trusty as previous subversion versons worked like this (altought not by libserf but libneon)

Changed in subversion (Ubuntu):
importance: Undecided → High
Changed in serf (Ubuntu):
importance: Undecided → High
Jeremy Braun (squidevil) wrote :

I can confirm that this is still a problem in trusty, and rebuilding with the patch from rziai did fix it.

Peter Wienemann (wienemann) wrote :

Is there a reason why the patch for trusty by Ramon (#4) is held back for more than a year although this issue is considered to be of high importance?

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers