On Tue, 2007-07-03 at 08:41 -0500, Alec Kloss wrote:
> Can we be cautious about implementing DNS-based SPN
> canonicalization?

I agree. It appears that no canonicalization is done by SSPI whereas GSSAPI does it. My fix only concerns client-side usage of SSPI to provide a consistent SPN compared to GSSAPI (same behavior in case of a Unix client and a Windows client).

My IE and Firefox do the job properly with the virtual host based URL! So I guess it is the right thing to do in svn/neon.

> 1. I've compiled Tortoise against MIT GSSAPI, and yes, it all works
> great...

Wow! Respect. I have set up a Subversion compilation environment for Windows but I gave up doing it with Tortoise for the moment... If you have a procedure to set up such an environment, I'm interested too.

> 2. I've hacked up mod_auth_kerb to support multiple SPN's on the
> server side, so if you have a machine which tends to canonicalize
> to different SPNs (mine canonicalizes into at least 7) you can
> still get everything to work.

I have done this too to support authentication from two separate AD domains (no trust for political reasons!) but I'm stuck with the svn client crash. For the moment, only one domain is used and I enforce permissions against a group in AD thanks to the Apache::AuthzNetLDAP Perl module.

> 3. I've discovered that stock TortoiseSVN 1.4.4 crashes after
> authenticating to the web server. The version I've built against
> MIT works fine.

I've been fighting with svn/neon since release 1.4.0 and Tortoise since 1.4.1 to get a win32 binary working with https/SPNEGO. I have just created ticket 2807 for Subversion.

You should compile against the current neon 0.26.x branch (instead of the 0.26.2 or 0.26.3 tags) to get it to work.

Thank you for your feedback.

Regards
--
Yves Martin
