kerberos authentication with neon 0.29.3

Joe Orton joe at manyfish.co.uk
Thu Mar 18 05:02:41 EDT 2010


On Mon, Mar 15, 2010 at 12:02:34PM +0100, Dariush Pietrzak wrote:
> > The SlikSvn commandline binaries from http://sliksvn.com/en/download use the exact same dependencies as SharpSvn/AnkhSVN and should support the normal debugging options available in a release build from Subversion.
> > (Not sure if you need a debug build for more complete output; but I assume Joe can tell us that).
>  I'm not 100% sure if SlikSvn and Tortoise behave the same, but as it
> doesn't work, I'm attaching a log from a failed session from Windows, and
> another log from Linux, theoretically using the same code (svn 1.6.9, neon
> 0.29.3).

Thanks for that.  Yes, I presume it's Danil's change to stop sending the 
SSPI token which causes the issue here.

Danil: the issue you saw with resending the SSPI token, was that only 
with an NTLM exchange, or a Negotiate exchange?  It doesn't really make 
sense to be resending the SSPI token in either case, but clearly it's 
making a difference somehow.  I notice that the SSPI code does not 
process the server's response token in the 2xx response as the GSSAPI 
code does; maybe this is the issue but I can't fathom how.

We could do something like this which partially reverts the behaviour:

Index: src/ne_auth.c
===================================================================
--- src/ne_auth.c	(revision 1792)
+++ src/ne_auth.c	(working copy)
@@ -1468,8 +1468,8 @@
 #endif
 
 #ifdef HAVE_SSPI
-    /* whatever happens: forget the SSPI token cached thus far */
-    if (sess->sspi_token) {
+    /* For an NTLM exchange: forget the SSPI token cached thus far */
+    if (strcmp(sess->protocol->name, "NTLM") == 0 && sess->sspi_token) {
         ne_free(sess->sspi_token);
         sess->sspi_token = NULL;
     }
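
Review bot: the rewritten condition dereferences sess->protocol->name before it tests sess->sspi_token, and nothing in this hunk shows that sess->protocol is non-NULL on every path that reaches it; testing sess->sspi_token first and guarding sess->protocol would keep the check safe. The new comment should also say why a non-NTLM token is now kept, because the hunk leaves that token cached with no visible point where it is later freed or replaced, which matters for both memory lifetime and the risk of replaying a stale token on a later request. Matching on the literal string "NTLM" is also fragile; if the protocol structure carries a non-string identifier, comparing against that would be preferable.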
 
Regards, Joe


