So here's what I know:
Our SVN server is running VisualSVN Enterprise Edition rather than svnserve
Integrated Windows Authentication is a feature of that product, and
currently, if it's enabled, it's the only authentication method allowed.
I've run kinit on the server where I'm trying to install and configure RB,
and I can successfully use the command-line svn client.
The guy that does subvertpy is quite a few timezones away from me, so
conversation is slow going, but here's the exchange:
[01 Jul 16 00:43] * jelmer: cmullican: subvertpy does have authentication
support
[01 Jul 16 00:43] * jelmer: but it needs to be explicitly enabled
[01 Jul 16 10:50] * cmullican: Great!  How do I do that?  I'm finding the
documentation a little opaque.
[03 Jul 16 05:24] * jelmer: cmullican: see examples/ra_commit.py

I didn't find the example terribly enlightening, but was trying to do
something based on it to see if I could figure out what was going on.

My background is mostly Perl / *nix / SQL, so I'm pretty new to this mixed
*nix / Windows / LDAP / krb stuff myself.

I also have an email in to VisualSVN to see if they know of any tools that
support their authentication, with the secondary hope that they might be
inspired to allow a service user to authenticate through a different method
even when using Windows auth for everyone else.

The config file in /path/to/rbsitedir/data/.subversion/servers is identical
to the one in ~/.subversion/servers, which is working.

On Fri, Jul 8, 2016 at 4:13 AM, Christian Hammond <christ...@beanbaginc.com>
wrote:

> Hey Stephen, Cathy,
>
> Trying to educate myself on this... I'd love to get some sanity-checking
> and additional details on how this works.
>
> I dug through the Subversion and serf source code. It looks like libsvn
> handles doing SPNEGO on our behalf, so long as the user has run kinit at
> some point. What I don't know (still investigating the code, but it's 4AM
> here so I'm done for today) is whether we can use a keytab, or really how
> that works (still trying to learn this stuff).
>
> I *think* libsvn/serf will do the right thing in this case. From what I
> read, it should be possible for a keytab to be uploaded to the Review Board
> server and, somehow, establish a session that clients can use to request
> tickets. I need to figure this out, and would appreciate insights here.
>
> I think you also need to explicitly tell Subversion to use serf, but this
> might be outdated information. If so, you'd want to edit the Subversion
> config in /path/to/rbsitedir/data/.subversion/servers to have:
>
>     [global]
>     http-library = serf
>
> What I don't know yet is how kinit/keytabs relate to the user. Does this
> have to be run within the same login session as the apps needing tickets?
> I'm wondering if there's a way to have, say, an Apache crontab refresh a
> session periodically, so that svn can continue to get the right tickets
> when communicating.
>
> Christian
>
>
>
> --
> Christian Hammond
> President/CEO of Beanbag <https://www.beanbaginc.com/>
> Makers of Review Board <https://www.reviewboard.org/>
>
> On Tue, Jun 28, 2016 at 4:06 PM, Stephen Gallagher <
> step...@gallagherhome.com> wrote:
>
>> I don't have time to work on such a patch directly, but I'd be happy to
>> lend my Kerberos experience towards reviewing any such patch. I think that
>> would be a very useful feature.
>>
>> I'd recommend working on full SPNEGO support rather than a
>> Kerberos-specific solution. Take a look at the python-gssapi package; it
>> should do most of what is needed.
>> On Tue, Jun 28, 2016 at 7:00 PM Christian Hammond <
>> christ...@beanbaginc.com> wrote:
>>
>>> Hi Cathy,
>>>
>>> Would you or someone on your end who has a familiarity with Python and
>>> Kerberos be willing to work with us on adding support? Review Board is open
>>> source, and I'd be willing to take a patch and assist with any work toward
>>> it.
>>>
>>> Christian
>>>
>>>
>>> On Tuesday, June 28, 2016, Cathy Mullican <cmulli...@gmail.com> wrote:
>>>
>>>> It looks like RB isn't using (doesn't support?) kerberos
>>>> authentication, and that seems to be necessary for the set up we have.
>>>>
>>>> Sadly, this may mean we can't use RB at this time. :(
>>>>
>>>> On Monday, June 27, 2016 at 5:22:17 PM UTC-7, Cathy Mullican wrote:
>>>>>
>>>>> Since it is working on the command line at this point, my money would
>>>>> be on #2 rather than #1.
>>>>>
>>>>>
>>>>> http://serverfault.com/questions/183231/how-to-configure-review-board-running-under-linux-to-use-a-ldap-user
>>>>>
>>>>> is the most relevant-seeming info I've found so far, but enough has
>>>>> changed in the 5+ years since it was posted that applying the info there 
>>>>> is
>>>>> not entirely straightforward. (Recreating a .subversion/auth tree is
>>>>> relatively straightforward; figuring out the LDAP auth configuration, less
>>>>> so.)
>>>>>
>>>>> On Monday, June 27, 2016 at 4:44:57 PM UTC-7, Christian Hammond wrote:
>>>>>>
>>>>>> Okay. So it's probably one of two things:
>>>>>>
>>>>>> 1) Something is still messed up somewhere with the recompilation. I
>>>>>> don't know what, and can't really debug that from here.
>>>>>>
>>>>>> 2) The standard way of authenticating that we do doesn't support your
>>>>>> setup.
>>>>>>
>>>>>> It could easily be #2. We must be able to authenticate to the
>>>>>> Subversion server using a username and password (or anonymously). If this
>>>>>> is going through some alternative method for authentication, then it may
>>>>>> require additional support in Review Board.
>>>>>>
>>>>>> Christian
>>>>>>
>>>>>> --
>>>>>> Christian Hammond
>>>>>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>>>>>> Makers of Review Board <https://www.reviewboard.org/>
>>>>>>
>>>>>> On Mon, Jun 27, 2016 at 4:34 PM, Cathy Mullican <cmul...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> The server is VisualSVN (paid edition), with Windows AD
>>>>>>> authentication.  The server where RB is running is joined to the domain,
>>>>>>> and I can authenticate from the command line. Most users connect via
>>>>>>> TortoiseSVN on their Windows systems; I also have one other Ubuntu box
>>>>>>> configured so that i can join the domain, authenticate with kinit, and 
>>>>>>> run
>>>>>>> svn from the command line.
>>>>>>>
>>>>>>> On Monday, June 27, 2016 at 3:43:19 PM UTC-7, Christian Hammond
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi Cathy,
>>>>>>>>
>>>>>>>> Progress is good! I think I'll need more info on your setup at this
>>>>>>>> point though.
>>>>>>>>
>>>>>>>> Can you tell me more about how authentication works on your
>>>>>>>> Subversion setup? From the client's end, is it a standard
>>>>>>>> username/password, or is more involved?
>>>>>>>>
>>>>>>>> What does the server setup look like?
>>>>>>>>
>>>>>>>> The error message shown there ("Error running context: An error
>>>>>>>> occurred during authentication") is coming from Subversion itself.
>>>>>>>>
>>>>>>>> Christian
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Christian Hammond
>>>>>>>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>>>>>>>> Makers of Review Board <https://www.reviewboard.org/>
>>>>>>>>
>>>>>>>> On Mon, Jun 27, 2016 at 10:06 AM, Cathy Mullican <cmul...@gmail.com
>>>>>>>> > wrote:
>>>>>>>>
>>>>>>>>> OK, it definitely works better when you don't accidentally skip a
>>>>>>>>> step!
>>>>>>>>>
>>>>>>>>> I can now successfully do svn info from the command line, but I
>>>>>>>>> still can't create the repo in RB. The error message in the log is 
>>>>>>>>> now:
>>>>>>>>>
>>>>>>>>> 2016-06-27 17:00:00,253 - ERROR -  - SVN: Failed to get repository
>>>>>>>>> information for https://az-fs1.revshare.int/svn/rad: Unable to
>>>>>>>>> connect to a repository at URL '
>>>>>>>>> https://az-fs1.revshare.int/svn/rad'
>>>>>>>>> Error running context: An error occurred during authentication
>>>>>>>>>
>>>>>>>>> No more ra_serf error, so that's progress, at least! But also
>>>>>>>>> nothing very informative, at least to my eye.
>>>>>>>>>
>>>>>>>>> On Monday, June 27, 2016 at 9:45:50 AM UTC-7, Cathy Mullican wrote:
>>>>>>>>>>
>>>>>>>>>> I did
>>>>>>>>>> apt-get source python-svn
>>>>>>>>>> then started trying to follow the directions in INSTALL.html, but
>>>>>>>>>> they didn't work at all...although lookin gback now, some of that 
>>>>>>>>>> may have
>>>>>>>>>> been because it was Friday afternoon and I missed something; I'm 
>>>>>>>>>> trying
>>>>>>>>>> again now.
>>>>>>>>>>
>>>>>>>>>> On Friday, June 24, 2016 at 5:44:51 PM UTC-7, Christian Hammond
>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Cathy,
>>>>>>>>>>>
>>>>>>>>>>> How are you trying to build from source? It is a bit of a pain
>>>>>>>>>>> to do from the upstream source, but perhaps you can rebuild the deb.
>>>>>>>>>>>
>>>>>>>>>>> Christian
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Christian Hammond
>>>>>>>>>>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>>>>>>>>>>> Makers of Review Board <https://www.reviewboard.org/>
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Jun 24, 2016 at 4:37 PM, Cathy Mullican <
>>>>>>>>>>> cmul...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> The stock libserf in Ubuntu 14.04 lacks GSSAPI support, which
>>>>>>>>>>>> is why I have to build that from source.  (
>>>>>>>>>>>> https://bugs.launchpad.net/ubuntu/+source/serf/+bug/1303167 --
>>>>>>>>>>>> why they never released a fixed version, when the patch is right 
>>>>>>>>>>>> there in
>>>>>>>>>>>> the ticket, I can't say.) Everything except libserf is stock.
>>>>>>>>>>>>
>>>>>>>>>>>> Trying to reinstall pysvn with apt tells me it's already up to
>>>>>>>>>>>> date; trying to build from source is...not working well, but that's
>>>>>>>>>>>> probably going off into the weeds.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Friday, June 24, 2016 at 4:06:12 PM UTC-7, Christian Hammond
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Cathy,
>>>>>>>>>>>>>
>>>>>>>>>>>>> This might be an incompatibility between libsvn and pysvn. You
>>>>>>>>>>>>> may need to now recompile pysvn and replace the copies on the 
>>>>>>>>>>>>> filesystem.
>>>>>>>>>>>>> That or go back to purely system libs for svn, libsvn, pysvn, 
>>>>>>>>>>>>> serf, etc.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Christian
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Christian Hammond
>>>>>>>>>>>>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>>>>>>>>>>>>> Makers of Review Board <https://www.reviewboard.org/>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Jun 24, 2016 at 1:54 PM, Cathy Mullican <
>>>>>>>>>>>>> cmul...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Same error with the repository root path -- I actually
>>>>>>>>>>>>>> started with that.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I enabled logging, and now have this error message:
>>>>>>>>>>>>>> 2016-06-24 20:29:24,091 - ERROR -  - SVN: Failed to get
>>>>>>>>>>>>>> repository information for
>>>>>>>>>>>>>> https://az-fs1.revshare.int/svn/rad: ra_serf was compiled
>>>>>>>>>>>>>> for serf 1.3.8 but loaded an incompatible 32676.1946284232.32676 
>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Which I thought told me what I needed; Ubuntu 14.0.4 ships
>>>>>>>>>>>>>> with serf 1.3.3 -- but I've upgraded to 1.3.8 (built from 
>>>>>>>>>>>>>> source, confirmed
>>>>>>>>>>>>>> GSSAPI support included), and I'm still getting the same error.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I can successfully run svn info on the commend line; the
>>>>>>>>>>>>>> Ubuntu box is joined to the AD domain.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Friday, June 24, 2016 at 1:04:19 PM UTC-7, Christian
>>>>>>>>>>>>>> Hammond wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Cathy,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You may need to enable logging in Admin UI -> Logging
>>>>>>>>>>>>>>> Settings.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> For the SVN repository path, you'll need to point it to the
>>>>>>>>>>>>>>> root of the SVN repository, rather than a subdirectory within 
>>>>>>>>>>>>>>> it.
>>>>>>>>>>>>>>> Basically, the "Repository Root" value from "svn info".
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> See if that fixes it. If not, I'll help with some additional
>>>>>>>>>>>>>>> commands you can try on the server to better diagnose this.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> One last thing: Make sure to enter your credentials in the
>>>>>>>>>>>>>>> Username/Password fields again once you've hit an error like 
>>>>>>>>>>>>>>> this. The
>>>>>>>>>>>>>>> browser has a nasty tendency to overwrite the values you've 
>>>>>>>>>>>>>>> provided with
>>>>>>>>>>>>>>> what's in the password manager. We've worked around this 
>>>>>>>>>>>>>>> several times in
>>>>>>>>>>>>>>> the past, but some browsers (ahem, Chrome) have been working 
>>>>>>>>>>>>>>> tirelessly to
>>>>>>>>>>>>>>> override what webapp developers want in this regard.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Christian
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Christian Hammond
>>>>>>>>>>>>>>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>>>>>>>>>>>>>>> Makers of Review Board <https://www.reviewboard.org/>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, Jun 24, 2016 at 12:51 PM, Cathy Mullican <
>>>>>>>>>>>>>>> cmul...@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <https://lh3.googleusercontent.com/-HPUcudJKt-Y/V22OjqvsWXI/AAAAAAAABKg/6upZE0bJH6QZYheLe24Ub-JCdaUM5gCDwCLcB/s1600/rb_error.PNG>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> There's not much to show -- see the attached screenshot.
>>>>>>>>>>>>>>>> That is the correct URL, as shown by svn info, and googling 
>>>>>>>>>>>>>>>> tells me that's
>>>>>>>>>>>>>>>> the message I'd see with an authentication error.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> There are no files in /var/www/rb.revshare.int/logs/ ; is
>>>>>>>>>>>>>>>> there another location I should be checking?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I've used RB before, but this is the first time I've set it
>>>>>>>>>>>>>>>> up.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <https://lh3.googleusercontent.com/-HPUcudJKt-Y/V22OjqvsWXI/AAAAAAAABKg/6upZE0bJH6QZYheLe24Ub-JCdaUM5gCDwCLcB/s1600/rb_error.PNG>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Friday, June 24, 2016 at 1:23:24 AM UTC-7, Christian
>>>>>>>>>>>>>>>> Hammond wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Cathy,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Can you show me what errors you're seeing, along with the
>>>>>>>>>>>>>>>>> configuration set for the repository? Also, is there anything 
>>>>>>>>>>>>>>>>> in the Review
>>>>>>>>>>>>>>>>> Board log files?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Christian
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Christian Hammond
>>>>>>>>>>>>>>>>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>>>>>>>>>>>>>>>>> Makers of Review Board <https://www.reviewboard.org/>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Thu, Jun 23, 2016 at 5:06 PM, Cathy Mullican <
>>>>>>>>>>>>>>>>> cmul...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I have RB 2.5.6.1 set up and working on Ubuntu 14.04,
>>>>>>>>>>>>>>>>>> with AD authentication -- I can log in to RB as admin or as 
>>>>>>>>>>>>>>>>>> my domain user.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Now I'm trying to add a repo.  Our SVN repo runs under
>>>>>>>>>>>>>>>>>> VisualSVN (Pro), with AD authentication.  I can set up the 
>>>>>>>>>>>>>>>>>> server to join
>>>>>>>>>>>>>>>>>> the group, and run svn info from the command line 
>>>>>>>>>>>>>>>>>> successfully, but I get
>>>>>>>>>>>>>>>>>> errors trying to create the repo. Not really sure where to 
>>>>>>>>>>>>>>>>>> go with it from
>>>>>>>>>>>>>>>>>> here; any suggestions?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> Supercharge your Review Board with Power Pack:
>>>>>>>>>>>>>>>>>> https://www.reviewboard.org/powerpack/
>>>>>>>>>>>>>>>>>> Want us to host Review Board for you? Check out
>>>>>>>>>>>>>>>>>> RBCommons: https://rbcommons.com/
>>>>>>>>>>>>>>>>>> Happy user? Let us know!
>>>>>>>>>>>>>>>>>> https://www.reviewboard.org/users/
>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>> You received this message because you are subscribed to
>>>>>>>>>>>>>>>>>> the Google Groups "reviewboard" group.
>>>>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails
>>>>>>>>>>>>>>>>>> from it, send an email to reviewboard...@googlegroups.com
>>>>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>>>>> For more options, visit
>>>>>>>>>>>>>>>>>> https://groups.google.com/d/optout.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Supercharge your Review Board with Power Pack:
>>>>>>>>>>>>>>>> https://www.reviewboard.org/powerpack/
>>>>>>>>>>>>>>>> Want us to host Review Board for you? Check out RBCommons:
>>>>>>>>>>>>>>>> https://rbcommons.com/
>>>>>>>>>>>>>>>> Happy user? Let us know! https://www.reviewboard.org/users/
>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>> You received this message because you are subscribed to the
>>>>>>>>>>>>>>>> Google Groups "reviewboard" group.
>>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails
>>>>>>>>>>>>>>>> from it, send an email to reviewboard...@googlegroups.com.
>>>>>>>>>>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>> Supercharge your Review Board with Power Pack:
>>>>>>>>> https://www.reviewboard.org/powerpack/
>>>>>>>>> Want us to host Review Board for you? Check out RBCommons:
>>>>>>>>> https://rbcommons.com/
>>>>>>>>> Happy user? Let us know! https://www.reviewboard.org/users/
>>>>>>>>> ---
>>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>>> Groups "reviewboard" group.
>>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>>> send an email to reviewboard...@googlegroups.com.
>>>>>>>>>
>>>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>
>>> --
>>> --
>>> Christian Hammond
>>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>>> Makers of Review Board <https://www.reviewboard.org/>
>>>
>>> --
>>> Supercharge your Review Board with Power Pack:
>>> https://www.reviewboard.org/powerpack/
>>> Want us to host Review Board for you? Check out RBCommons:
>>> https://rbcommons.com/
>>> Happy user? Let us know! https://www.reviewboard.org/users/
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "reviewboard" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to reviewboard+unsubscr...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>> --
>> Supercharge your Review Board with Power Pack:
>> https://www.reviewboard.org/powerpack/
>> Want us to host Review Board for you? Check out RBCommons:
>> https://rbcommons.com/
>> Happy user? Let us know! https://www.reviewboard.org/users/
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "reviewboard" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to reviewboard+unsubscr...@googlegroups.com.
>>
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>

-- 
Supercharge your Review Board with Power Pack: 
https://www.reviewboard.org/powerpack/
Want us to host Review Board for you? Check out RBCommons: 
https://rbcommons.com/
Happy user? Let us know! https://www.reviewboard.org/users/
--- 
You received this message because you are subscribed to the Google Groups 
"reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to