Kerberos + Apache + SVN
=======================
I did this on Ubuntu server 10.10. Based on this: https://help.ubuntu.com/community/Kerberos
1) Make sure the server has appropriate DNS info, e.g. in /etc/hosts:

    10.0.1.147 draco.madebysofa.com
    127.0.0.1 localhost ubuntu

Note that 'host' and 'nslookup' query DNS directly and ignore /etc/hosts, so you can't check the config that way. It's apparently important that the server has reverse DNS set up correctly. You can check it through the system resolver, using Ruby for instance:

    irb(main):008:0> Socket.getaddrinfo("10.0.1.147", nil)
    => [["AF_INET", 0, "draco.madebysofa.com", "10.0.1.147", 2, 1, 6], ["AF_INET", 0, "draco.madebysofa.com", "10.0.1.147", 2, 2, 17], ["AF_INET", 0, "draco.madebysofa.com", "10.0.1.147", 2, 3, 0]]
====
Now, work through the first part of the howto linked above.
===
Make sure to check the admin ACL: the realm in the '*/admin@REALM.TEST *' line should be correct, and the line should be uncommented. If not, edit it and run the command given in the comment there.
Create a user:

    sudo kadmin.local
    ank pieter/admin # Create an admin user

Now you can authenticate with that user to create new users:

    kadmin -p pieter/admin
    ank pieter # Create a normal user

Create a service:

    ank http/draco.madebysofa.com

Export the key:

    ktadd -k /etc/apache2/http.keytab http/draco.madebysofa.com

Install the Apache packages:

    sudo apt-get install apache2 libapache2-mod-auth-kerb libapache2-svn subversion

Add something like the following to your mod_dav_svn config:
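<Location /svn>
    DAV svn
    SVNParentPath /var/www/repositories

    AuthType Kerberos
    AuthName "Kerberos Login"
    # Accept Kerberos tickets via HTTP Negotiate (SPNEGO)
    KrbMethodNegotiate On
    # Also accept a username/password via Basic auth, checked against the KDC.
    # The password is sent to the server, so serve this location over TLS.
    KrbMethodK5Passwd On
    KrbAuthRealms REALM.TEST
    # Keytab exported with ktadd above; must be readable by the Apache user
    Krb5KeyTab /etc/apache2/http.keytab
    # Matches the http/draco.madebysofa.com principal created above
    KrbServiceName http
    require valid-user
</Location>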
Now, connecting to /svn/repository_name should work. Make sure /var/www/repositories/repository_name is a valid svn repository and readable by www-data.
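
A preflight check for the steps above, as an added example that is not part of the original notes: it verifies that the address reverse-resolves to the host name through the system resolver (getent honours /etc/hosts), that the keytab is closed to other users yet readable by www-data, and that the service principal is in it. The function names, the --run switch and the use of GNU stat are assumptions; the values are the ones used on this page.

```sh
#!/bin/sh
# Added example: preflight checks for the Kerberos + Apache setup on this page.
# Function names are hypothetical; values are the page's, adjust for your host.
IP="10.0.1.147"
FQDN="draco.madebysofa.com"
KEYTAB="/etc/apache2/http.keytab"
PRINCIPAL="http/draco.madebysofa.com@REALM.TEST"

# Reads `getent hosts ADDR` output on stdin (address, then names) and succeeds
# if one of the names is exactly $1. getent goes through NSS, so /etc/hosts counts.
has_name() {
    awk -v want="$1" '{ for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
                      END { exit !found }'
}

# The keytab holds the service's long-term key: fail if it is missing or if
# "other" has any permission bit set. Uses GNU stat, as shipped on Ubuntu.
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Reads `klist -k KEYTAB` output on stdin; the principal is the second column.
keytab_has_principal() {
    awk -v want="$1" '$2 == want { found = 1 } END { exit !found }'
}

run_checks() {
    rc=0
    getent hosts "$IP" | has_name "$FQDN" ||
        { echo "FAIL: $IP does not reverse-resolve to $FQDN"; rc=1; }
    keytab_mode_ok "$KEYTAB" ||
        { echo "FAIL: $KEYTAB is missing or accessible to other users"; rc=1; }
    sudo -u www-data test -r "$KEYTAB" ||
        { echo "FAIL: www-data cannot read $KEYTAB"; rc=1; }
    klist -k "$KEYTAB" 2>/dev/null | keytab_has_principal "$PRINCIPAL" ||
        { echo "FAIL: $PRINCIPAL is not in $KEYTAB"; rc=1; }
    return $rc
}

# Run the checks only when asked to, e.g.: sudo sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as root on the web server, since reading the keytab with klist needs the same access the file is supposed to restrict.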