info-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GSSAPI + CVS


From: Derek R. Price
Subject: Re: GSSAPI + CVS
Date: Sun, 25 Feb 2001 09:23:09 -0500

Assar, do you have any comments?  From your previous patch submission it sounds
like you  have things working...  Jakob?

Tracy, is it possible you could get a copy of Bear Giles/Debian's patch to me
to look at?

I'll try to get Kerberos set up here so I can actually test this myself.  :)

Derek

--
Derek Price                      CVS Solutions Architect ( http://CVSHome.org )
mailto:address@hidden     OpenAvenue ( http://OpenAvenue.com )
--
It does me no injury for my neighbor to say there are twenty gods or no god.
It neither picks my pocket nor breaks my leg.

                        - Thomas Jefferson

Tracy Brown wrote:

> After digging around for a while I've got the configuration for GSSAPI
> setup. However, I believe that there is a bug in actually using Kerberos
> (krb5-1.2.1) to authenticate users. I'm getting the following errors using
> cvs 1-11:
>
> My Kerberos environment is issuing tickets and I can bounce around the
> network on kerberized applications. For CVS, my inetd.conf for the server is
> configured what seems to be accurately (pserver) and I've defined the
> cvs/my.cvsserver.com as a principle in the Kerberos database... note also
> that I've created a keytab for the cvs/my.cvsserver.com principle and it's
> stored in the default /etc/krb5.keytab spot.
>
> So I kinit and grab a TGT then issue my CVS command with the CVSROOT as
> ":gserver:my.cvsserver.com:/cvsroot"  Here's the error I'm getting:
>
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
>
> And if I klist - I get:
> Valid starting     Expires            Service principal
> 02/22/01 07:37:59  02/22/01 17:37:59  krbtgt/address@hidden
> 02/22/01 07:38:07  02/22/01 17:37:59  cvs/address@hidden
> 02/22/01 07:38:07  02/22/01 17:37:59  cvs/address@hidden
>
> And if I execute a few CVS commands in sequence, I get the following:
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs
>
> This last error is a little strange and cryptic. Interestingly enough, each
> time I issue a CVS command I am caching two Kerberos tickets - This scenario
> doesn't occur when using other kerberized applications like krlogin (only
> one ticket gets cached - even when it fails).
>
> klist:
> Valid starting     Expires            Service principal
> 02/22/01 12:21:02  02/22/01 22:21:02  krbtgt/address@hidden
> 02/22/01 12:21:05  02/22/01 22:21:02  cvs/address@hidden
> 02/22/01 12:21:05  02/22/01 22:21:02  cvs/address@hidden
> 02/22/01 12:28:07  02/22/01 22:21:02  cvs/address@hidden
> 02/22/01 12:28:08  02/22/01 22:21:02  cvs/address@hidden
> 02/22/01 12:28:10  02/22/01 22:21:02  cvs/address@hidden
> 02/22/01 12:28:11  02/22/01 22:21:02  cvs/address@hidden
>
> After talking to Bear Giles - he patched cvs the 1.10.7 GSSAPI code for the
> Debian distribution back in December 1999 - he noted that the 1.10.7 needed
> tweaking... Has the code for GSSAPI authentication been patched with any
> fixes?
>
> And for what it's worth I'd be happy to test authentication using the GSSAPI
> using the krb5 libraries if cvs-development needs someone...
>
> Cheers, Tracy.




reply via email to

[Prev in Thread] Current Thread [Next in Thread]