[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: GSSAPI + CVS
From: |
Derek R. Price |
Subject: |
Re: GSSAPI + CVS |
Date: |
Sun, 25 Feb 2001 09:23:09 -0500 |
Assar, do you have any comments? From your previous patch submission it sounds
like you have things working... Jakob?
Tracy, is it possible you could get a copy of Bear Giles/Debian's patch to me
to look at?
I'll try to get Kerberos set up here so I can actually test this myself. :)
Derek
--
Derek Price CVS Solutions Architect ( http://CVSHome.org )
mailto:dprice@openavenue.com OpenAvenue ( http://OpenAvenue.com )
--
It does me no injury for my neighbor to say there are twenty gods or no god.
It neither picks my pocket nor breaks my leg.
- Thomas Jefferson
Tracy Brown wrote:
> After digging around for a while I've got the configuration for GSSAPI
> setup. However, I believe that there is a bug in actually using Kerberos
> (krb5-1.2.1) to authenticate users. I'm getting the following errors using
> cvs 1-11:
>
> My Kerberos environment is issuing tickets and I can bounce around the
> network on kerberized applications. For CVS, my inetd.conf for the server is
> configured what seems to be accurately (pserver) and I've defined the
> cvs/my.cvsserver.com as a principle in the Kerberos database... note also
> that I've created a keytab for the cvs/my.cvsserver.com principle and it's
> stored in the default /etc/krb5.keytab spot.
>
> So I kinit and grab a TGT then issue my CVS command with the CVSROOT as
> ":gserver:my.cvsserver.com:/cvsroot" Here's the error I'm getting:
>
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
>
> And if I klist - I get:
> Valid starting Expires Service principal
> 02/22/01 07:37:59 02/22/01 17:37:59 krbtgt/ABILIZER.COM@ABILIZER.COM
> 02/22/01 07:38:07 02/22/01 17:37:59 cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 07:38:07 02/22/01 17:37:59 cvs/my.cvsserver.com@ABILIZER.COM
>
> And if I execute a few CVS commands in sequence, I get the following:
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs
>
> This last error is a little strange and cryptic. Interestingly enough, each
> time I issue a CVS command I am caching two Kerberos tickets - This scenario
> doesn't occur when using other kerberized applications like krlogin (only
> one ticket gets cached - even when it fails).
>
> klist:
> Valid starting Expires Service principal
> 02/22/01 12:21:02 02/22/01 22:21:02 krbtgt/ABILIZER.COM@ABILIZER.COM
> 02/22/01 12:21:05 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:21:05 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:28:07 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:28:08 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:28:10 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:28:11 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
>
> After talking to Bear Giles - he patched cvs the 1.10.7 GSSAPI code for the
> Debian distribution back in December 1999 - he noted that the 1.10.7 needed
> tweaking... Has the code for GSSAPI authentication been patched with any
> fixes?
>
> And for what it's worth I'd be happy to test authentication using the GSSAPI
> using the krb5 libraries if cvs-development needs someone...
>
> Cheers, Tracy.
- Re: GSSAPI + CVS,
Derek R. Price <=