Hey Stephen, Cathy,

Trying to educate myself on this... I'd love to get some sanity-checking
and additional details on how this works.

I dug through the Subversion and serf source code. It looks like libsvn
handles doing SPNEGO on our behalf, so long as the user has run kinit at
some point. What I don't know (still investigating the code, but it's 4AM
here so I'm done for today) is whether we can use a keytab, or really how
that works (still trying to learn this stuff).

I *think* libsvn/serf will do the right thing in this case. From what I
read, it should be possible for a keytab to be uploaded to the Review Board
server and, somehow, establish a session that clients can use to request
tickets. I need to figure this out, and would appreciate insights here.

I think you also need to explicitly tell Subversion to use serf, but this
might be outdated information. If so, you'd want to edit the Subversion
config in /path/to/rbsitedir/data/.subversion/servers to have:

    [global]
    http-library = serf

What I don't know yet is how kinit/keytabs relate to the user. Does this
have to be run within the same login session as the apps needing tickets?
I'm wondering if there's a way to have, say, an Apache crontab refresh a
session periodically, so that svn can continue to get the right tickets
when communicating.

Christian



-- 
Christian Hammond
President/CEO of Beanbag <https://www.beanbaginc.com/>
Makers of Review Board <https://www.reviewboard.org/>

On Tue, Jun 28, 2016 at 4:06 PM, Stephen Gallagher <
step...@gallagherhome.com> wrote:

> I don't have time to work on such a patch directly, but I'd be happy to
> lend my Kerberos experience towards reviewing any such patch. I think that
> would be a very useful feature.
>
> I'd recommend working on full SPNEGO support rather than a
> Kerberos-specific solution. Take a look at the python-gssapi package; it
> should do most of what is needed.
> On Tue, Jun 28, 2016 at 7:00 PM Christian Hammond <
> christ...@beanbaginc.com> wrote:
>
>> Hi Cathy,
>>
>> Would you or someone on your end who has a familiarity with Python and
>> Kerberos be willing to work with us on adding support? Review Board is open
>> source, and I'd be willing to take a patch and assist with any work toward
>> it.
>>
>> Christian
>>
>>
>> On Tuesday, June 28, 2016, Cathy Mullican <cmulli...@gmail.com> wrote:
>>
>>> It looks like RB isn't using (doesn't support?) kerberos authentication,
>>> and that seems to be necessary for the set up we have.
>>>
>>> Sadly, this may mean we can't use RB at this time. :(
>>>
>>> On Monday, June 27, 2016 at 5:22:17 PM UTC-7, Cathy Mullican wrote:
>>>>
>>>> Since it is working on the command line at this point, my money would
>>>> be on #2 rather than #1.
>>>>
>>>>
>>>> http://serverfault.com/questions/183231/how-to-configure-review-board-running-under-linux-to-use-a-ldap-user
>>>>
>>>> is the most relevant-seeming info I've found so far, but enough has
>>>> changed in the 5+ years since it was posted that applying the info there is
>>>> not entirely straightforward. (Recreating a .subversion/auth tree is
>>>> relatively straightforward; figuring out the LDAP auth configuration, less
>>>> so.)
>>>>
>>>> On Monday, June 27, 2016 at 4:44:57 PM UTC-7, Christian Hammond wrote:
>>>>>
>>>>> Okay. So it's probably one of two things:
>>>>>
>>>>> 1) Something is still messed up somewhere with the recompilation. I
>>>>> don't know what, and can't really debug that from here.
>>>>>
>>>>> 2) The standard way of authenticating that we do doesn't support your
>>>>> setup.
>>>>>
>>>>> It could easily be #2. We must be able to authenticate to the
>>>>> Subversion server using a username and password (or anonymously). If this
>>>>> is going through some alternative method for authentication, then it may
>>>>> require additional support in Review Board.
>>>>>
>>>>> Christian
>>>>>
>>>>> --
>>>>> Christian Hammond
>>>>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>>>>> Makers of Review Board <https://www.reviewboard.org/>
>>>>>
>>>>> On Mon, Jun 27, 2016 at 4:34 PM, Cathy Mullican <cmul...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> The server is VisualSVN (paid edition), with Windows AD
>>>>>> authentication.  The server where RB is running is joined to the domain,
>>>>>> and I can authenticate from the command line. Most users connect via
>>>>>> TortoiseSVN on their Windows systems; I also have one other Ubuntu box
>>>>>> configured so that i can join the domain, authenticate with kinit, and 
>>>>>> run
>>>>>> svn from the command line.
>>>>>>
>>>>>> On Monday, June 27, 2016 at 3:43:19 PM UTC-7, Christian Hammond wrote:
>>>>>>>
>>>>>>> Hi Cathy,
>>>>>>>
>>>>>>> Progress is good! I think I'll need more info on your setup at this
>>>>>>> point though.
>>>>>>>
>>>>>>> Can you tell me more about how authentication works on your
>>>>>>> Subversion setup? From the client's end, is it a standard
>>>>>>> username/password, or is more involved?
>>>>>>>
>>>>>>> What does the server setup look like?
>>>>>>>
>>>>>>> The error message shown there ("Error running context: An error
>>>>>>> occurred during authentication") is coming from Subversion itself.
>>>>>>>
>>>>>>> Christian
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Christian Hammond
>>>>>>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>>>>>>> Makers of Review Board <https://www.reviewboard.org/>
>>>>>>>
>>>>>>> On Mon, Jun 27, 2016 at 10:06 AM, Cathy Mullican <cmul...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> OK, it definitely works better when you don't accidentally skip a
>>>>>>>> step!
>>>>>>>>
>>>>>>>> I can now successfully do svn info from the command line, but I
>>>>>>>> still can't create the repo in RB. The error message in the log is now:
>>>>>>>>
>>>>>>>> 2016-06-27 17:00:00,253 - ERROR -  - SVN: Failed to get repository
>>>>>>>> information for https://az-fs1.revshare.int/svn/rad: Unable to
>>>>>>>> connect to a repository at URL 'https://az-fs1.revshare.int/svn/rad
>>>>>>>> '
>>>>>>>> Error running context: An error occurred during authentication
>>>>>>>>
>>>>>>>> No more ra_serf error, so that's progress, at least! But also
>>>>>>>> nothing very informative, at least to my eye.
>>>>>>>>
>>>>>>>> On Monday, June 27, 2016 at 9:45:50 AM UTC-7, Cathy Mullican wrote:
>>>>>>>>>
>>>>>>>>> I did
>>>>>>>>> apt-get source python-svn
>>>>>>>>> then started trying to follow the directions in INSTALL.html, but
>>>>>>>>> they didn't work at all...although lookin gback now, some of that may 
>>>>>>>>> have
>>>>>>>>> been because it was Friday afternoon and I missed something; I'm 
>>>>>>>>> trying
>>>>>>>>> again now.
>>>>>>>>>
>>>>>>>>> On Friday, June 24, 2016 at 5:44:51 PM UTC-7, Christian Hammond
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Cathy,
>>>>>>>>>>
>>>>>>>>>> How are you trying to build from source? It is a bit of a pain to
>>>>>>>>>> do from the upstream source, but perhaps you can rebuild the deb.
>>>>>>>>>>
>>>>>>>>>> Christian
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Christian Hammond
>>>>>>>>>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>>>>>>>>>> Makers of Review Board <https://www.reviewboard.org/>
>>>>>>>>>>
>>>>>>>>>> On Fri, Jun 24, 2016 at 4:37 PM, Cathy Mullican <
>>>>>>>>>> cmul...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> The stock libserf in Ubuntu 14.04 lacks GSSAPI support, which is
>>>>>>>>>>> why I have to build that from source.  (
>>>>>>>>>>> https://bugs.launchpad.net/ubuntu/+source/serf/+bug/1303167 --
>>>>>>>>>>> why they never released a fixed version, when the patch is right 
>>>>>>>>>>> there in
>>>>>>>>>>> the ticket, I can't say.) Everything except libserf is stock.
>>>>>>>>>>>
>>>>>>>>>>> Trying to reinstall pysvn with apt tells me it's already up to
>>>>>>>>>>> date; trying to build from source is...not working well, but that's
>>>>>>>>>>> probably going off into the weeds.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Friday, June 24, 2016 at 4:06:12 PM UTC-7, Christian Hammond
>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi Cathy,
>>>>>>>>>>>>
>>>>>>>>>>>> This might be an incompatibility between libsvn and pysvn. You
>>>>>>>>>>>> may need to now recompile pysvn and replace the copies on the 
>>>>>>>>>>>> filesystem.
>>>>>>>>>>>> That or go back to purely system libs for svn, libsvn, pysvn, 
>>>>>>>>>>>> serf, etc.
>>>>>>>>>>>>
>>>>>>>>>>>> Christian
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Christian Hammond
>>>>>>>>>>>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>>>>>>>>>>>> Makers of Review Board <https://www.reviewboard.org/>
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Jun 24, 2016 at 1:54 PM, Cathy Mullican <
>>>>>>>>>>>> cmul...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Same error with the repository root path -- I actually started
>>>>>>>>>>>>> with that.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I enabled logging, and now have this error message:
>>>>>>>>>>>>> 2016-06-24 20:29:24,091 - ERROR -  - SVN: Failed to get
>>>>>>>>>>>>> repository information for https://az-fs1.revshare.int/svn/rad:
>>>>>>>>>>>>> ra_serf was compiled for serf 1.3.8 but loaded an incompatible
>>>>>>>>>>>>> 32676.1946284232.32676 library
>>>>>>>>>>>>>
>>>>>>>>>>>>> Which I thought told me what I needed; Ubuntu 14.0.4 ships
>>>>>>>>>>>>> with serf 1.3.3 -- but I've upgraded to 1.3.8 (built from source, 
>>>>>>>>>>>>> confirmed
>>>>>>>>>>>>> GSSAPI support included), and I'm still getting the same error.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I can successfully run svn info on the commend line; the
>>>>>>>>>>>>> Ubuntu box is joined to the AD domain.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Friday, June 24, 2016 at 1:04:19 PM UTC-7, Christian
>>>>>>>>>>>>> Hammond wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Cathy,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You may need to enable logging in Admin UI -> Logging
>>>>>>>>>>>>>> Settings.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> For the SVN repository path, you'll need to point it to the
>>>>>>>>>>>>>> root of the SVN repository, rather than a subdirectory within it.
>>>>>>>>>>>>>> Basically, the "Repository Root" value from "svn info".
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> See if that fixes it. If not, I'll help with some additional
>>>>>>>>>>>>>> commands you can try on the server to better diagnose this.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> One last thing: Make sure to enter your credentials in the
>>>>>>>>>>>>>> Username/Password fields again once you've hit an error like 
>>>>>>>>>>>>>> this. The
>>>>>>>>>>>>>> browser has a nasty tendency to overwrite the values you've 
>>>>>>>>>>>>>> provided with
>>>>>>>>>>>>>> what's in the password manager. We've worked around this several 
>>>>>>>>>>>>>> times in
>>>>>>>>>>>>>> the past, but some browsers (ahem, Chrome) have been working 
>>>>>>>>>>>>>> tirelessly to
>>>>>>>>>>>>>> override what webapp developers want in this regard.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Christian
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Christian Hammond
>>>>>>>>>>>>>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>>>>>>>>>>>>>> Makers of Review Board <https://www.reviewboard.org/>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Jun 24, 2016 at 12:51 PM, Cathy Mullican <
>>>>>>>>>>>>>> cmul...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <https://lh3.googleusercontent.com/-HPUcudJKt-Y/V22OjqvsWXI/AAAAAAAABKg/6upZE0bJH6QZYheLe24Ub-JCdaUM5gCDwCLcB/s1600/rb_error.PNG>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> There's not much to show -- see the attached screenshot.
>>>>>>>>>>>>>>> That is the correct URL, as shown by svn info, and googling 
>>>>>>>>>>>>>>> tells me that's
>>>>>>>>>>>>>>> the message I'd see with an authentication error.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> There are no files in /var/www/rb.revshare.int/logs/ ; is
>>>>>>>>>>>>>>> there another location I should be checking?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I've used RB before, but this is the first time I've set it
>>>>>>>>>>>>>>> up.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <https://lh3.googleusercontent.com/-HPUcudJKt-Y/V22OjqvsWXI/AAAAAAAABKg/6upZE0bJH6QZYheLe24Ub-JCdaUM5gCDwCLcB/s1600/rb_error.PNG>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Friday, June 24, 2016 at 1:23:24 AM UTC-7, Christian
>>>>>>>>>>>>>>> Hammond wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi Cathy,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Can you show me what errors you're seeing, along with the
>>>>>>>>>>>>>>>> configuration set for the repository? Also, is there anything 
>>>>>>>>>>>>>>>> in the Review
>>>>>>>>>>>>>>>> Board log files?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Christian
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Christian Hammond
>>>>>>>>>>>>>>>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>>>>>>>>>>>>>>>> Makers of Review Board <https://www.reviewboard.org/>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Thu, Jun 23, 2016 at 5:06 PM, Cathy Mullican <
>>>>>>>>>>>>>>>> cmul...@gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I have RB 2.5.6.1 set up and working on Ubuntu 14.04, with
>>>>>>>>>>>>>>>>> AD authentication -- I can log in to RB as admin or as my 
>>>>>>>>>>>>>>>>> domain user.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Now I'm trying to add a repo.  Our SVN repo runs under
>>>>>>>>>>>>>>>>> VisualSVN (Pro), with AD authentication.  I can set up the 
>>>>>>>>>>>>>>>>> server to join
>>>>>>>>>>>>>>>>> the group, and run svn info from the command line 
>>>>>>>>>>>>>>>>> successfully, but I get
>>>>>>>>>>>>>>>>> errors trying to create the repo. Not really sure where to go 
>>>>>>>>>>>>>>>>> with it from
>>>>>>>>>>>>>>>>> here; any suggestions?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Supercharge your Review Board with Power Pack:
>>>>>>>>>>>>>>>>> https://www.reviewboard.org/powerpack/
>>>>>>>>>>>>>>>>> Want us to host Review Board for you? Check out RBCommons:
>>>>>>>>>>>>>>>>> https://rbcommons.com/
>>>>>>>>>>>>>>>>> Happy user? Let us know!
>>>>>>>>>>>>>>>>> https://www.reviewboard.org/users/
>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>> You received this message because you are subscribed to
>>>>>>>>>>>>>>>>> the Google Groups "reviewboard" group.
>>>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails
>>>>>>>>>>>>>>>>> from it, send an email to reviewboard...@googlegroups.com.
>>>>>>>>>>>>>>>>> For more options, visit https://groups.google.com/d/optout
>>>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Supercharge your Review Board with Power Pack:
>>>>>>>>>>>>>>> https://www.reviewboard.org/powerpack/
>>>>>>>>>>>>>>> Want us to host Review Board for you? Check out RBCommons:
>>>>>>>>>>>>>>> https://rbcommons.com/
>>>>>>>>>>>>>>> Happy user? Let us know! https://www.reviewboard.org/users/
>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>> You received this message because you are subscribed to the
>>>>>>>>>>>>>>> Google Groups "reviewboard" group.
>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails
>>>>>>>>>>>>>>> from it, send an email to reviewboard...@googlegroups.com.
>>>>>>>>>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>> Supercharge your Review Board with Power Pack:
>>>>>>>> https://www.reviewboard.org/powerpack/
>>>>>>>> Want us to host Review Board for you? Check out RBCommons:
>>>>>>>> https://rbcommons.com/
>>>>>>>> Happy user? Let us know! https://www.reviewboard.org/users/
>>>>>>>> ---
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "reviewboard" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>> send an email to reviewboard...@googlegroups.com.
>>>>>>>>
>>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>
>> --
>> --
>> Christian Hammond
>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>> Makers of Review Board <https://www.reviewboard.org/>
>>
>> --
>> Supercharge your Review Board with Power Pack:
>> https://www.reviewboard.org/powerpack/
>> Want us to host Review Board for you? Check out RBCommons:
>> https://rbcommons.com/
>> Happy user? Let us know! https://www.reviewboard.org/users/
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "reviewboard" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to reviewboard+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
> --
> Supercharge your Review Board with Power Pack:
> https://www.reviewboard.org/powerpack/
> Want us to host Review Board for you? Check out RBCommons:
> https://rbcommons.com/
> Happy user? Let us know! https://www.reviewboard.org/users/
> ---
> You received this message because you are subscribed to the Google Groups
> "reviewboard" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to reviewboard+unsubscr...@googlegroups.com.
>
> For more options, visit https://groups.google.com/d/optout.
>

-- 
Supercharge your Review Board with Power Pack: 
https://www.reviewboard.org/powerpack/
Want us to host Review Board for you? Check out RBCommons: 
https://rbcommons.com/
Happy user? Let us know! https://www.reviewboard.org/users/
--- 
You received this message because you are subscribed to the Google Groups 
"reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to