kerberos authentication with neon 0.29.3
Joe Orton
joe at manyfish.co.uk
Thu Mar 18 05:02:41 EDT 2010
On Mon, Mar 15, 2010 at 12:02:34PM +0100, Dariush Pietrzak wrote:
> > The SlikSvn commandline binaries from http://sliksvn.com/en/download use the exact same dependencies as SharpSvn/AnkhSVN and should support the normal debugging options available in a release build from Subversion.
> > (Not sure if you need a debug build for more complete output; but I assume Joe can tell us that).
> I'm not 100% sure if SlikSvn and Tortoise behave the same, but as it
> doesn't work, I'm attaching a log from a failed session from Windows, and
> another log from Linux, theoretically using the same code (svn 1.6.9, neon
> 0.29.3).
Thanks for that. Yes, I presume it's Danil's change to stop sending the
SSPI token which causes the issue here.
Danil: the issue you saw with resending the SSPI token, was that only
with an NTLM exchange, or a Negotiate exchange? It doesn't really make
sense to be resending the SSPI token in either case, but clearly it's
making a difference somehow. I notice that the SSPI code does not
process the server's response token in the 2xx response as the GSSAPI
code does; maybe this is the issue but I can't fathom how.
We could do something like this which partially reverts the behaviour:
Index: src/ne_auth.c
===================================================================
--- src/ne_auth.c (revision 1792)
+++ src/ne_auth.c (working copy)
@@ -1468,8 +1468,8 @@
#endif
#ifdef HAVE_SSPI
- /* whatever happens: forget the SSPI token cached thus far */
- if (sess->sspi_token) {
+ /* For an NTLM exchange: forget the SSPI token cached thus far */
+ if (strcmp(sess->protocol->name, "NTLM") == 0 && sess->sspi_token) {
ne_free(sess->sspi_token);
sess->sspi_token = NULL;
}
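Review bot: the new condition dereferences `sess->protocol->name` before anything in the hunk establishes that `sess->protocol` is set, and it does so even when there is no cached token to free. If this point can be reached with no protocol selected, the `strcmp` call will crash; testing `sess->sspi_token` first and guarding the pointer, as in `if (sess->sspi_token && sess->protocol && strcmp(sess->protocol->name, "NTLM") == 0)`, avoids both problems. The replacement comment should also state why the token is deliberately kept for non-NTLM exchanges and where it is released afterwards, since this block no longer clears it in that case.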
Regards, Joe