[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
GSSAPI + CVS
From: |
Tracy Brown |
Subject: |
GSSAPI + CVS |
Date: |
Thu, 22 Feb 2001 15:00:44 -0800 |
After digging around for a while I've got the configuration for GSSAPI
setup. However, I believe that there is a bug in actually using Kerberos
(krb5-1.2.1) to authenticate users. I'm getting the following errors using
cvs 1-11:
My Kerberos environment is issuing tickets and I can bounce around the
network on kerberized applications. For CVS, my inetd.conf for the server is
configured what seems to be accurately (pserver) and I've defined the
cvs/my.cvsserver.com as a principle in the Kerberos database... note also
that I've created a keytab for the cvs/my.cvsserver.com principle and it's
stored in the default /etc/krb5.keytab spot.
So I kinit and grab a TGT then issue my CVS command with the CVSROOT as
":gserver:my.cvsserver.com:/cvsroot" Here's the error I'm getting:
cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
aborted]: could not acquire GSSAPI server credentials
And if I klist - I get:
Valid starting Expires Service principal
02/22/01 07:37:59 02/22/01 17:37:59 krbtgt/address@hidden
02/22/01 07:38:07 02/22/01 17:37:59 cvs/address@hidden
02/22/01 07:38:07 02/22/01 17:37:59 cvs/address@hidden
And if I execute a few CVS commands in sequence, I get the following:
(cvsserver)% cvs -a co compnews
cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
aborted]: could not acquire GSSAPI server credentials
(cvsserver)% cvs -a co compnews
cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
aborted]: could not acquire GSSAPI server credentials
(cvsserver)% cvs -a co compnews
cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
aborted]: could not acquire GSSAPI server credentials
(cvsserver)% cvs -a co compnews
cvs [checkout aborted]: error from server my.cvsserver.com: cvs
This last error is a little strange and cryptic. Interestingly enough, each
time I issue a CVS command I am caching two Kerberos tickets - This scenario
doesn't occur when using other kerberized applications like krlogin (only
one ticket gets cached - even when it fails).
klist:
Valid starting Expires Service principal
02/22/01 12:21:02 02/22/01 22:21:02 krbtgt/address@hidden
02/22/01 12:21:05 02/22/01 22:21:02 cvs/address@hidden
02/22/01 12:21:05 02/22/01 22:21:02 cvs/address@hidden
02/22/01 12:28:07 02/22/01 22:21:02 cvs/address@hidden
02/22/01 12:28:08 02/22/01 22:21:02 cvs/address@hidden
02/22/01 12:28:10 02/22/01 22:21:02 cvs/address@hidden
02/22/01 12:28:11 02/22/01 22:21:02 cvs/address@hidden
After talking to Bear Giles - he patched cvs the 1.10.7 GSSAPI code for the
Debian distribution back in December 1999 - he noted that the 1.10.7 needed
tweaking... Has the code for GSSAPI authentication been patched with any
fixes?
And for what it's worth I'd be happy to test authentication using the GSSAPI
using the krb5 libraries if cvs-development needs someone...
Cheers, Tracy.
- GSSAPI + CVS,
Tracy Brown <=