GSSAPI against Microsoft AD

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Jul 11 09:03:13 EDT 2008


>What I am trying to do is run run subversion on a Linux box, and have users 
>coming through svnserve, which can use SASL to authenticate them. I am 
>trying to use SASL to authenticate my users against the Microsoft AD server.
>MS AD is based on Kerberos 5 and can act as krb5 server. I've done that with 
>Apache mod_auth_kerb, and also with CVS (gserver).

Okay, well, that is a LOT more information.

>It mostly work:
>When I do kinit, then klist, I can see the tgt from the AD server, then when 
>I run sasl2-sample-client, it starts negotiating, then fails with 
>"athentication failure". If I run klist at this point again, I can see a new 
>ticket for the service I asked for (host, or svn).

There should be, somewhere, the "real" error message you get from GSSAPI.
It doesn't sound like the Subversion SASL code gives you that "real" message.
That's what you need to debug the problem.

--Ken


More information about the Cyrus-sasl mailing list