Package: libapache2-svn Version: 1.6.12dfsg-5 Severity: normal We use svn DAV with kerberos authentication which worked fine. However recently we created a /secure folder with restricted access. Any attempt to access the folder using kerberos authentication causes svn to fail with the error: svn: Not authorized to open root of edit operation
Looking in the Apache logs, this is caused by the REPORT command returning 500. Using basic authorization the commands complete successfully. The Authz file contains: """ [groups] admins = dgp [/] * = r @admins = rw [/secure] * = @admins = rw """ Apache config DAV section: <Location /svn> DAV svn SVNPath /srv/svn/root SVNPathAuthz On AuthzSVNAccessFile /srv/svn/etc/svnpasswd Satisfy Any AuthType Kerberos AuthName "Subversion (or use kerberos)" Krb5Keytab "/etc/apache2/apache2.keytab" KrbLocalUserMapping on KrbDelegateBasic on Require valid-user <LimitExcept GET PROPFIND OPTIONS REPORT> Require valid-user </LimitExcept> </Location> Apache log for "svn up" using kerberos (libapache2-mod-auth-kerb): 127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "OPTIONS /svn/secure HTTP/1.1" 401 5964 127.0.1.1 - dgp [08/Mar/2011:17:39:09 +0000] "OPTIONS /svn/secure HTTP/1.1" 200 1236 127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/secure HTTP/1.1" 401 708 127.0.1.1 - dgp [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 916 127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/secure HTTP/1.1" 401 708 127.0.1.1 - dgp [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 916 127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/!svn/vcc/default HTTP/1.1" 207 580 127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/!svn/bln/6 HTTP/1.1" 207 580 127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "REPORT /svn/!svn/vcc/default HTTP/1.1" 500 532 Corresponding entries when falling back to basic auth: 127.0.1.1 - - [08/Mar/2011:18:22:27 +0000] "OPTIONS /svn/secure HTTP/1.1" 401 820 127.0.1.1 - dgp [08/Mar/2011:18:22:30 +0000] "OPTIONS /svn/secure HTTP/1.1" 200 996 127.0.1.1 - dgp [08/Mar/2011:18:22:30 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 676 127.0.1.1 - dgp [08/Mar/2011:18:22:30 +0000] "PROPFIND /svn/!svn/vcc/default HTTP/1.1" 207 580 127.0.1.1 - dgp [08/Mar/2011:18:22:30 +0000] "PROPFIND /svn/!svn/bln/6 HTTP/1.1" 207 580 127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 676 127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/!svn/vcc/default HTTP/1.1" 207 580 127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/!svn/bln/6 HTTP/1.1" 207 580 127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 676 127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/!svn/vcc/default HTTP/1.1" 207 580 127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/!svn/bc/6/secure HTTP/1.1" 207 676 127.0.1.1 - - [08/Mar/2011:18:22:32 +0000] "OPTIONS /svn/secure HTTP/1.1" 401 6028 127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "OPTIONS /svn/secure HTTP/1.1" 200 996 127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 676 127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 676 127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/!svn/vcc/default HTTP/1.1" 207 580 127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/!svn/bln/6 HTTP/1.1" 207 580 127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 676 127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/!svn/vcc/default HTTP/1.1" 207 580 127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/!svn/bln/6 HTTP/1.1" 207 580 127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "REPORT /svn/!svn/vcc/default HTTP/1.1" 200 1042 REPORT fails to ask for authentication if none has been provided and instead throws an error. Removing anon access ("Satify All" and removing the "LimitExcept" clause) allows kerberos auth to work correctly. libapache2-mod-auth-kerb 5.4-1 -- System Information: Debian Release: 6.0 APT prefers squeeze-updates APT policy: (500, 'squeeze-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages libapache2-svn depends on: ii apache2.2-common 2.2.16-6 Apache HTTP Server common files ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib ii libsvn1 1.6.12dfsg-5 Shared libraries used by Subversio libapache2-svn recommends no packages. Versions of packages libapache2-svn suggests: ii db4.8-util 4.8.30-2 Berkeley v4.8 Database Utilities -- no debconf information -- Daniel Piddock, Systems Administrator, CoreFiling Limited http://www.corefiling.com -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org