[jira] [Commented] (SERF-177) svn 1.8.15 + serf on Solaris 9/10 + httpd 2.2.27 + kerberos
[ https://issues.apache.org/jira/browse/SERF-177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15223245#comment-15223245 ] Lieven Govaerts commented on SERF-177: -- Since the spec extract provided by Michael says about the *actual_mech_type argument: "Specify NULL if not required." ... Since we are not actually using the actual_mech_type... And provided this does not break other (non-)compliant gssapi implementations... Applying a patch that replaces the usage of the dummy variable by NULL as the right course to follow for all platforms. > svn 1.8.15 + serf on Solaris 9/10 + httpd 2.2.27 + kerberos > --- > > Key: SERF-177 > URL: https://issues.apache.org/jira/browse/SERF-177 > Project: serf > Issue Type: Bug >Affects Versions: serf-1.3.8 > Environment: Solaris 9/SPARC, 10/SPARC >Reporter: The Written Word, Inc. > Labels: kerberos > Fix For: serf-1.3.8 > > Attachments: PR177.patch > > > I have Apache httpd 2.2.27 + mod_auth_kerb-5.4 on a RHEL 6 host and > subversion 1.8.15 + serf-1.3.8 built on a Solaris 9/10 host. I would > like to use subversion on the Solaris hosts to authenticate against > the Kerberos server on the RHEL 6 host. I built serf to link against > GSSAPI on Solaris (so -DSERF_HAVE_GSSAPI was defined when building > serf and serf is linked against -ssl). Subversion appears to be > hanging: > $ svn info http://shu.il.thewrittenword.com > [hang] > On the server, access_log shows the following ad infinitum: > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > ... > I also built subversion 1.8.15 on a Solaris 11 host and it behaves > correctly. serf was built the same way on this platform. So, maybe > some hiccup with serf+GSSAPI on Solaris 9/10? > With verbose logging enabled in serf-1.3.8 (CONN_VERBOSE=1 > AUTH_VERBOSE=1 in serf_private.h), I see the following: > (Solaris 11/SPARC, working) > [2015-12-31T09:54:58.607054+00] outgoing.c: created connection 0xd9f38 > [2015-12-31T09:54:58.615186+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Server authz required. Response header(s): Negotiate,Negotiate > [2015-12-31T09:54:58.615282+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Client supports: Negotiate > [2015-12-31T09:54:58.615330+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: ... matched: Negotiate > [2015-12-31T09:54:58.615384+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > outgoing.c: Limit max. nr. of outstanding requests for this connection to 1. > [2015-12-31T09:54:58.615430+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Initialized Kerberos context for this connection. > [2015-12-31T09:54:58.615486+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego_gss.c: Get principal for h...@shu.il.thewrittenword.com > [2015-12-31T09:54:58.645588+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Set Negotiate authn header on retried request. > [2015-12-31T09:54:58.663860+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Validate Negotiate response header. > [2015-12-31T09:54:58.663907+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: SPNEGO handshake completed. > [2015-12-31T09:54:58.664483+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Assume for now that the server supports persistent SPNEGO > authentication. > [2015-12-31T09:54:58.665046+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Server authz required. Response header(s): Negotiate,Negotiate > [2015-12-31T09:54:58.665101+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Client supports: Negotiate > [2015-12-31T09:54:58.665148+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: ... matched: Negotiate > [2015-12-31T09:54:58.665195+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Server requires per-request SPNEGO authn, switching to > stateless mode. > [2015-12-31T09:54:58.665239+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > outgoing.c: Limit max. nr. of outstanding requests for this connection to 1. > [2015-12-31T09:54:58.665305+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego_gss.c: Get principal for h...@shu.il.thewrittenword.com > [2015-12-31T09:54:58.666779+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Set Negotiate authn header on retried request. > [2015-12-31T09:54:58.685354+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Validate Negotiate
[jira] [Commented] (SERF-177) svn 1.8.15 + serf on Solaris 9/10 + httpd 2.2.27 + kerberos
[ https://issues.apache.org/jira/browse/SERF-177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15146606#comment-15146606 ] The Written Word, Inc. commented on SERF-177: - Sorry. Feel free to close as WONTFIX or something similar in Jira. We built serf-1.3.8 against MIT Kerberos to fix this issue on Solaris 9. For Solaris 10, we'll use the submitted patch locally without the expectation it will be upstreamed. > svn 1.8.15 + serf on Solaris 9/10 + httpd 2.2.27 + kerberos > --- > > Key: SERF-177 > URL: https://issues.apache.org/jira/browse/SERF-177 > Project: serf > Issue Type: Bug >Affects Versions: serf-1.3.8 > Environment: Solaris 9/SPARC, 10/SPARC >Reporter: The Written Word, Inc. > Labels: kerberos > Fix For: serf-1.3.8 > > Attachments: PR177.patch > > > I have Apache httpd 2.2.27 + mod_auth_kerb-5.4 on a RHEL 6 host and > subversion 1.8.15 + serf-1.3.8 built on a Solaris 9/10 host. I would > like to use subversion on the Solaris hosts to authenticate against > the Kerberos server on the RHEL 6 host. I built serf to link against > GSSAPI on Solaris (so -DSERF_HAVE_GSSAPI was defined when building > serf and serf is linked against -ssl). Subversion appears to be > hanging: > $ svn info http://shu.il.thewrittenword.com > [hang] > On the server, access_log shows the following ad infinitum: > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > ... > I also built subversion 1.8.15 on a Solaris 11 host and it behaves > correctly. serf was built the same way on this platform. So, maybe > some hiccup with serf+GSSAPI on Solaris 9/10? > With verbose logging enabled in serf-1.3.8 (CONN_VERBOSE=1 > AUTH_VERBOSE=1 in serf_private.h), I see the following: > (Solaris 11/SPARC, working) > [2015-12-31T09:54:58.607054+00] outgoing.c: created connection 0xd9f38 > [2015-12-31T09:54:58.615186+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Server authz required. Response header(s): Negotiate,Negotiate > [2015-12-31T09:54:58.615282+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Client supports: Negotiate > [2015-12-31T09:54:58.615330+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: ... matched: Negotiate > [2015-12-31T09:54:58.615384+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > outgoing.c: Limit max. nr. of outstanding requests for this connection to 1. > [2015-12-31T09:54:58.615430+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Initialized Kerberos context for this connection. > [2015-12-31T09:54:58.615486+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego_gss.c: Get principal for h...@shu.il.thewrittenword.com > [2015-12-31T09:54:58.645588+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Set Negotiate authn header on retried request. > [2015-12-31T09:54:58.663860+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Validate Negotiate response header. > [2015-12-31T09:54:58.663907+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: SPNEGO handshake completed. > [2015-12-31T09:54:58.664483+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Assume for now that the server supports persistent SPNEGO > authentication. > [2015-12-31T09:54:58.665046+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Server authz required. Response header(s): Negotiate,Negotiate > [2015-12-31T09:54:58.665101+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Client supports: Negotiate > [2015-12-31T09:54:58.665148+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: ... matched: Negotiate > [2015-12-31T09:54:58.665195+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Server requires per-request SPNEGO authn, switching to > stateless mode. > [2015-12-31T09:54:58.665239+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > outgoing.c: Limit max. nr. of outstanding requests for this connection to 1. > [2015-12-31T09:54:58.665305+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego_gss.c: Get principal for h...@shu.il.thewrittenword.com > [2015-12-31T09:54:58.666779+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Set Negotiate authn header on retried request. > [2015-12-31T09:54:58.685354+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Validate Negotiate response header. > [2015-12-31T09:54:58.685401+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: SPNEGO
[jira] [Commented] (SERF-177) svn 1.8.15 + serf on Solaris 9/10 + httpd 2.2.27 + kerberos
[ https://issues.apache.org/jira/browse/SERF-177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15146615#comment-15146615 ] Michael Osipov commented on SERF-177: - Wich MIT Kerberos version do you use? > svn 1.8.15 + serf on Solaris 9/10 + httpd 2.2.27 + kerberos > --- > > Key: SERF-177 > URL: https://issues.apache.org/jira/browse/SERF-177 > Project: serf > Issue Type: Bug >Affects Versions: serf-1.3.8 > Environment: Solaris 9/SPARC, 10/SPARC >Reporter: The Written Word, Inc. > Labels: kerberos > Fix For: serf-1.3.8 > > Attachments: PR177.patch > > > I have Apache httpd 2.2.27 + mod_auth_kerb-5.4 on a RHEL 6 host and > subversion 1.8.15 + serf-1.3.8 built on a Solaris 9/10 host. I would > like to use subversion on the Solaris hosts to authenticate against > the Kerberos server on the RHEL 6 host. I built serf to link against > GSSAPI on Solaris (so -DSERF_HAVE_GSSAPI was defined when building > serf and serf is linked against -ssl). Subversion appears to be > hanging: > $ svn info http://shu.il.thewrittenword.com > [hang] > On the server, access_log shows the following ad infinitum: > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > ... > I also built subversion 1.8.15 on a Solaris 11 host and it behaves > correctly. serf was built the same way on this platform. So, maybe > some hiccup with serf+GSSAPI on Solaris 9/10? > With verbose logging enabled in serf-1.3.8 (CONN_VERBOSE=1 > AUTH_VERBOSE=1 in serf_private.h), I see the following: > (Solaris 11/SPARC, working) > [2015-12-31T09:54:58.607054+00] outgoing.c: created connection 0xd9f38 > [2015-12-31T09:54:58.615186+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Server authz required. Response header(s): Negotiate,Negotiate > [2015-12-31T09:54:58.615282+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Client supports: Negotiate > [2015-12-31T09:54:58.615330+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: ... matched: Negotiate > [2015-12-31T09:54:58.615384+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > outgoing.c: Limit max. nr. of outstanding requests for this connection to 1. > [2015-12-31T09:54:58.615430+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Initialized Kerberos context for this connection. > [2015-12-31T09:54:58.615486+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego_gss.c: Get principal for h...@shu.il.thewrittenword.com > [2015-12-31T09:54:58.645588+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Set Negotiate authn header on retried request. > [2015-12-31T09:54:58.663860+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Validate Negotiate response header. > [2015-12-31T09:54:58.663907+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: SPNEGO handshake completed. > [2015-12-31T09:54:58.664483+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Assume for now that the server supports persistent SPNEGO > authentication. > [2015-12-31T09:54:58.665046+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Server authz required. Response header(s): Negotiate,Negotiate > [2015-12-31T09:54:58.665101+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Client supports: Negotiate > [2015-12-31T09:54:58.665148+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: ... matched: Negotiate > [2015-12-31T09:54:58.665195+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Server requires per-request SPNEGO authn, switching to > stateless mode. > [2015-12-31T09:54:58.665239+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > outgoing.c: Limit max. nr. of outstanding requests for this connection to 1. > [2015-12-31T09:54:58.665305+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego_gss.c: Get principal for h...@shu.il.thewrittenword.com > [2015-12-31T09:54:58.666779+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Set Negotiate authn header on retried request. > [2015-12-31T09:54:58.685354+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Validate Negotiate response header. > [2015-12-31T09:54:58.685401+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: SPNEGO handshake completed. > [2015-12-31T09:54:58.685521+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Add initial Negotiate header to request. > [2015-12-31T09:54:58.685569+00] [l:10.191.57.128:36956
[jira] [Commented] (SERF-177) svn 1.8.15 + serf on Solaris 9/10 + httpd 2.2.27 + kerberos
[ https://issues.apache.org/jira/browse/SERF-177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15146511#comment-15146511 ] Michael Osipov commented on SERF-177: - Nothing has been fixed here, why did you marked it as fixed with 1.3.8? The issue seems to be invalid. Did you actually compile a newer version of MIT Kerberos after my comment and it did work? > svn 1.8.15 + serf on Solaris 9/10 + httpd 2.2.27 + kerberos > --- > > Key: SERF-177 > URL: https://issues.apache.org/jira/browse/SERF-177 > Project: serf > Issue Type: Bug >Affects Versions: serf-1.3.8 > Environment: Solaris 9/SPARC, 10/SPARC >Reporter: The Written Word, Inc. > Labels: kerberos > Fix For: serf-1.3.8 > > Attachments: PR177.patch > > > I have Apache httpd 2.2.27 + mod_auth_kerb-5.4 on a RHEL 6 host and > subversion 1.8.15 + serf-1.3.8 built on a Solaris 9/10 host. I would > like to use subversion on the Solaris hosts to authenticate against > the Kerberos server on the RHEL 6 host. I built serf to link against > GSSAPI on Solaris (so -DSERF_HAVE_GSSAPI was defined when building > serf and serf is linked against -ssl). Subversion appears to be > hanging: > $ svn info http://shu.il.thewrittenword.com > [hang] > On the server, access_log shows the following ad infinitum: > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > ... > I also built subversion 1.8.15 on a Solaris 11 host and it behaves > correctly. serf was built the same way on this platform. So, maybe > some hiccup with serf+GSSAPI on Solaris 9/10? > With verbose logging enabled in serf-1.3.8 (CONN_VERBOSE=1 > AUTH_VERBOSE=1 in serf_private.h), I see the following: > (Solaris 11/SPARC, working) > [2015-12-31T09:54:58.607054+00] outgoing.c: created connection 0xd9f38 > [2015-12-31T09:54:58.615186+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Server authz required. Response header(s): Negotiate,Negotiate > [2015-12-31T09:54:58.615282+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Client supports: Negotiate > [2015-12-31T09:54:58.615330+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: ... matched: Negotiate > [2015-12-31T09:54:58.615384+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > outgoing.c: Limit max. nr. of outstanding requests for this connection to 1. > [2015-12-31T09:54:58.615430+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Initialized Kerberos context for this connection. > [2015-12-31T09:54:58.615486+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego_gss.c: Get principal for h...@shu.il.thewrittenword.com > [2015-12-31T09:54:58.645588+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Set Negotiate authn header on retried request. > [2015-12-31T09:54:58.663860+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Validate Negotiate response header. > [2015-12-31T09:54:58.663907+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: SPNEGO handshake completed. > [2015-12-31T09:54:58.664483+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Assume for now that the server supports persistent SPNEGO > authentication. > [2015-12-31T09:54:58.665046+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Server authz required. Response header(s): Negotiate,Negotiate > [2015-12-31T09:54:58.665101+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Client supports: Negotiate > [2015-12-31T09:54:58.665148+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: ... matched: Negotiate > [2015-12-31T09:54:58.665195+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Server requires per-request SPNEGO authn, switching to > stateless mode. > [2015-12-31T09:54:58.665239+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > outgoing.c: Limit max. nr. of outstanding requests for this connection to 1. > [2015-12-31T09:54:58.665305+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego_gss.c: Get principal for h...@shu.il.thewrittenword.com > [2015-12-31T09:54:58.666779+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Set Negotiate authn header on retried request. > [2015-12-31T09:54:58.685354+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Validate Negotiate response header. > [2015-12-31T09:54:58.685401+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: SPNEGO handshake completed. > [2015-12-31T09:54:58.685521+00]
[jira] [Commented] (SERF-177) svn 1.8.15 + serf on Solaris 9/10 + httpd 2.2.27 + kerberos
[ https://issues.apache.org/jira/browse/SERF-177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15146297#comment-15146297 ] The Written Word, Inc. commented on SERF-177: - We did build against updated MIT krb5. I'll close the issue. > svn 1.8.15 + serf on Solaris 9/10 + httpd 2.2.27 + kerberos > --- > > Key: SERF-177 > URL: https://issues.apache.org/jira/browse/SERF-177 > Project: serf > Issue Type: Bug >Affects Versions: serf-1.3.8 > Environment: Solaris 9/SPARC, 10/SPARC >Reporter: The Written Word, Inc. > Labels: kerberos > Fix For: serf-1.3.8 > > Attachments: PR177.patch > > > I have Apache httpd 2.2.27 + mod_auth_kerb-5.4 on a RHEL 6 host and > subversion 1.8.15 + serf-1.3.8 built on a Solaris 9/10 host. I would > like to use subversion on the Solaris hosts to authenticate against > the Kerberos server on the RHEL 6 host. I built serf to link against > GSSAPI on Solaris (so -DSERF_HAVE_GSSAPI was defined when building > serf and serf is linked against -ssl). Subversion appears to be > hanging: > $ svn info http://shu.il.thewrittenword.com > [hang] > On the server, access_log shows the following ad infinitum: > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > ... > I also built subversion 1.8.15 on a Solaris 11 host and it behaves > correctly. serf was built the same way on this platform. So, maybe > some hiccup with serf+GSSAPI on Solaris 9/10? > With verbose logging enabled in serf-1.3.8 (CONN_VERBOSE=1 > AUTH_VERBOSE=1 in serf_private.h), I see the following: > (Solaris 11/SPARC, working) > [2015-12-31T09:54:58.607054+00] outgoing.c: created connection 0xd9f38 > [2015-12-31T09:54:58.615186+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Server authz required. Response header(s): Negotiate,Negotiate > [2015-12-31T09:54:58.615282+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Client supports: Negotiate > [2015-12-31T09:54:58.615330+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: ... matched: Negotiate > [2015-12-31T09:54:58.615384+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > outgoing.c: Limit max. nr. of outstanding requests for this connection to 1. > [2015-12-31T09:54:58.615430+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Initialized Kerberos context for this connection. > [2015-12-31T09:54:58.615486+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego_gss.c: Get principal for h...@shu.il.thewrittenword.com > [2015-12-31T09:54:58.645588+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Set Negotiate authn header on retried request. > [2015-12-31T09:54:58.663860+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Validate Negotiate response header. > [2015-12-31T09:54:58.663907+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: SPNEGO handshake completed. > [2015-12-31T09:54:58.664483+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Assume for now that the server supports persistent SPNEGO > authentication. > [2015-12-31T09:54:58.665046+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Server authz required. Response header(s): Negotiate,Negotiate > [2015-12-31T09:54:58.665101+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Client supports: Negotiate > [2015-12-31T09:54:58.665148+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: ... matched: Negotiate > [2015-12-31T09:54:58.665195+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Server requires per-request SPNEGO authn, switching to > stateless mode. > [2015-12-31T09:54:58.665239+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > outgoing.c: Limit max. nr. of outstanding requests for this connection to 1. > [2015-12-31T09:54:58.665305+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego_gss.c: Get principal for h...@shu.il.thewrittenword.com > [2015-12-31T09:54:58.666779+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Set Negotiate authn header on retried request. > [2015-12-31T09:54:58.685354+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Validate Negotiate response header. > [2015-12-31T09:54:58.685401+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: SPNEGO handshake completed. > [2015-12-31T09:54:58.685521+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Add initial Negotiate header to request. >
[jira] [Commented] (SERF-177) svn 1.8.15 + serf on Solaris 9/10 + httpd 2.2.27 + kerberos
[ https://issues.apache.org/jira/browse/SERF-177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15081252#comment-15081252 ] The Written Word, Inc. commented on SERF-177: - Updated to final version of the patch to use >gss_mech for Solaris 9/SPARC. However, Solaris 9/SPARC by default only allows des-cbc-crc and des-cbc-md5 encryption types which means Kerberos is unlikely to be used on this platform but we'll match what neon is doing as far as gss_init_sec_context(). > svn 1.8.15 + serf on Solaris 9/10 + httpd 2.2.27 + kerberos > --- > > Key: SERF-177 > URL: https://issues.apache.org/jira/browse/SERF-177 > Project: serf > Issue Type: Bug >Affects Versions: serf-1.3.8 > Environment: Solaris 9/SPARC, 10/SPARC >Reporter: The Written Word, Inc. > Labels: kerberos > Attachments: PR177.patch > > > I have Apache httpd 2.2.27 + mod_auth_kerb-5.4 on a RHEL 6 host and > subversion 1.8.15 + serf-1.3.8 built on a Solaris 9/10 host. I would > like to use subversion on the Solaris hosts to authenticate against > the Kerberos server on the RHEL 6 host. I built serf to link against > GSSAPI on Solaris (so -DSERF_HAVE_GSSAPI was defined when building > serf and serf is linked against -ssl). Subversion appears to be > hanging: > $ svn info http://shu.il.thewrittenword.com > [hang] > On the server, access_log shows the following ad infinitum: > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > ... > I also built subversion 1.8.15 on a Solaris 11 host and it behaves > correctly. serf was built the same way on this platform. So, maybe > some hiccup with serf+GSSAPI on Solaris 9/10? > With verbose logging enabled in serf-1.3.8 (CONN_VERBOSE=1 > AUTH_VERBOSE=1 in serf_private.h), I see the following: > (Solaris 11/SPARC, working) > [2015-12-31T09:54:58.607054+00] outgoing.c: created connection 0xd9f38 > [2015-12-31T09:54:58.615186+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Server authz required. Response header(s): Negotiate,Negotiate > [2015-12-31T09:54:58.615282+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Client supports: Negotiate > [2015-12-31T09:54:58.615330+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: ... matched: Negotiate > [2015-12-31T09:54:58.615384+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > outgoing.c: Limit max. nr. of outstanding requests for this connection to 1. > [2015-12-31T09:54:58.615430+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Initialized Kerberos context for this connection. > [2015-12-31T09:54:58.615486+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego_gss.c: Get principal for h...@shu.il.thewrittenword.com > [2015-12-31T09:54:58.645588+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Set Negotiate authn header on retried request. > [2015-12-31T09:54:58.663860+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Validate Negotiate response header. > [2015-12-31T09:54:58.663907+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: SPNEGO handshake completed. > [2015-12-31T09:54:58.664483+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Assume for now that the server supports persistent SPNEGO > authentication. > [2015-12-31T09:54:58.665046+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Server authz required. Response header(s): Negotiate,Negotiate > [2015-12-31T09:54:58.665101+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Client supports: Negotiate > [2015-12-31T09:54:58.665148+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: ... matched: Negotiate > [2015-12-31T09:54:58.665195+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Server requires per-request SPNEGO authn, switching to > stateless mode. > [2015-12-31T09:54:58.665239+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > outgoing.c: Limit max. nr. of outstanding requests for this connection to 1. > [2015-12-31T09:54:58.665305+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego_gss.c: Get principal for h...@shu.il.thewrittenword.com > [2015-12-31T09:54:58.666779+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Set Negotiate authn header on retried request. > [2015-12-31T09:54:58.685354+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Validate Negotiate response header. > [2015-12-31T09:54:58.685401+00] [l:10.191.57.128:36956 r:10.191.57.117:80] >
[jira] [Commented] (SERF-177) svn 1.8.15 + serf on Solaris 9/10 + httpd 2.2.27 + kerberos
[ https://issues.apache.org/jira/browse/SERF-177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15076115#comment-15076115 ] The Written Word, Inc. commented on SERF-177: - Might need to update the patch to use >gss_mech as Solaris 9/SPARC is segfaulting with NULL. > svn 1.8.15 + serf on Solaris 9/10 + httpd 2.2.27 + kerberos > --- > > Key: SERF-177 > URL: https://issues.apache.org/jira/browse/SERF-177 > Project: serf > Issue Type: Bug >Affects Versions: serf-1.3.8 > Environment: Solaris 9/SPARC, 10/SPARC >Reporter: The Written Word, Inc. > Labels: kerberos > Attachments: PR177.patch > > > I have Apache httpd 2.2.27 + mod_auth_kerb-5.4 on a RHEL 6 host and > subversion 1.8.15 + serf-1.3.8 built on a Solaris 9/10 host. I would > like to use subversion on the Solaris hosts to authenticate against > the Kerberos server on the RHEL 6 host. I built serf to link against > GSSAPI on Solaris (so -DSERF_HAVE_GSSAPI was defined when building > serf and serf is linked against -ssl). Subversion appears to be > hanging: > $ svn info http://shu.il.thewrittenword.com > [hang] > On the server, access_log shows the following ad infinitum: > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > 10.191.57.54 - - [31/Dec/2015:08:50:11 +] "OPTIONS / HTTP/1.1" 401 - > ... > I also built subversion 1.8.15 on a Solaris 11 host and it behaves > correctly. serf was built the same way on this platform. So, maybe > some hiccup with serf+GSSAPI on Solaris 9/10? > With verbose logging enabled in serf-1.3.8 (CONN_VERBOSE=1 > AUTH_VERBOSE=1 in serf_private.h), I see the following: > (Solaris 11/SPARC, working) > [2015-12-31T09:54:58.607054+00] outgoing.c: created connection 0xd9f38 > [2015-12-31T09:54:58.615186+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Server authz required. Response header(s): Negotiate,Negotiate > [2015-12-31T09:54:58.615282+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Client supports: Negotiate > [2015-12-31T09:54:58.615330+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: ... matched: Negotiate > [2015-12-31T09:54:58.615384+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > outgoing.c: Limit max. nr. of outstanding requests for this connection to 1. > [2015-12-31T09:54:58.615430+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Initialized Kerberos context for this connection. > [2015-12-31T09:54:58.615486+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego_gss.c: Get principal for h...@shu.il.thewrittenword.com > [2015-12-31T09:54:58.645588+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Set Negotiate authn header on retried request. > [2015-12-31T09:54:58.663860+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Validate Negotiate response header. > [2015-12-31T09:54:58.663907+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: SPNEGO handshake completed. > [2015-12-31T09:54:58.664483+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Assume for now that the server supports persistent SPNEGO > authentication. > [2015-12-31T09:54:58.665046+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Server authz required. Response header(s): Negotiate,Negotiate > [2015-12-31T09:54:58.665101+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: Client supports: Negotiate > [2015-12-31T09:54:58.665148+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth.c: ... matched: Negotiate > [2015-12-31T09:54:58.665195+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Server requires per-request SPNEGO authn, switching to > stateless mode. > [2015-12-31T09:54:58.665239+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > outgoing.c: Limit max. nr. of outstanding requests for this connection to 1. > [2015-12-31T09:54:58.665305+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego_gss.c: Get principal for h...@shu.il.thewrittenword.com > [2015-12-31T09:54:58.666779+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Set Negotiate authn header on retried request. > [2015-12-31T09:54:58.685354+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Validate Negotiate response header. > [2015-12-31T09:54:58.685401+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: SPNEGO handshake completed. > [2015-12-31T09:54:58.685521+00] [l:10.191.57.128:36956 r:10.191.57.117:80] > auth/auth_spnego.c: Add initial Negotiate header to request. >
