Print

[grabner]

Hi!

I tried to setup apache-2.4 with subversion 1.9.0 and NTLM authentication (modules mod_dav_svn and mod_authn_ntlm) to replace an existing configuration of apache-2.2, subversion 1.6.6, and mod_auth_sspi. The old configuration with mod_auth_sspi supports single sign-on, but I can't get this feature working with mod_authn_ntlm. Has anybody successfully used subversion 1.9.0 with NTLM authentication and can provide an example configuration file?

Below are some details on my (unsuccessful) attempts I made so far. I created a minimal configuration from the templates in the documentation of subversion and mod_authn_ntlm:

<Location /svn/>
    AuthName "Subversion Repositories"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    NTLMOmitDomain On
    Require valid-user
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set X_ISRW_PROXY_AUTH_USER %{RU}e
    DAV svn
    SVNListParentPath on
    SVNParentPath "D:/SVN_Repositories"
    SVNPathAuthz on
    AuthzSVNAccessFile "D:/SVN_Repositories/svn-access-file"
</Location>

I first tried to give read access to everybody, i.e., the svn-access-file is simply:

[repo:/]
* = r

When accessing a file in the repository, the error.log contains a line

[Fri Sep 04 16:58:31.022312 2015] [auth_ntlm:debug] [pid 7116:tid 1180] mod_ntlm_authentication.c(600): [client ::1:53855] SSPI00009: Authenticated user: mgrabner, referer: ...

from which I conclude that the NTLMOmitDomain option is properly working. However, when replacing "* = r" by "mgrabner = r", I get an "Unauthorized" error message from the server when trying to access any file in the repository with a web browser. Moreover, the error.log not even contains any occurrence of mod_ntlm_authentication in this case. It seems the NTLM module is only queried if access control is disabled by the svn-access-file, which doesn't make any sense to me.

Do you have any ideas how to properly setup subversion 1.9.0 with NTLM authentication?

Thanks & kind regards,
Markus

[mario]

Hi Markus,

do you also load mod_authz_svn ?

I haven't tried yet to combine the auth against Windows and the auth file. From the theory it should work[1]

Cheers
Mario

[1] http://httpd.apache.org/docs/2.4/howto/auth.html#multprovider

[grabner]

do you also load mod_authz_svn ?

Yes, it is loaded. BTW, is the order relevant in which modules are loaded?

I haven't tried yet to combine the auth against Windows and the auth file. From the theory it should work[1]
[1] http://httpd.apache.org/docs/2.4/howto/auth.html#multprovider

I don't think that the multiple providers feature is even used in this example. There is a single authentication provider (NTLM, verifies user identity), and a single authorization provider (svn access file, defines which user may access which portions of the subversion repository).

One more detail after having restarted the machine in the morning: when trying to access the repositories with a web browser, I am always asked for a username/password pair (maybe it used cached data when I tried last week), and the log file states that the function authenticate_sspi_user() is entered, unfortunately there is now hint where or why it exited.

Do you have any other ideas what I could try?

Thanks & kind regards,
Markus

[mario]

Yes, it is loaded. BTW, is the order relevant in which modules are loaded?

The order with LoadModule in the apache config is irelevant.

There are two authentications. One against the NTLM provider and the other one checks against the file.

If you have an test enviroment you can set there the LogLevel to trace6[1]
And see what is going on in detail.

if the NTLM doesn't work you may try mod_authnz_ldap. There are some examples over the net[2]

[1] http://httpd.apache.org/docs/2.4/en/mod/core.html#loglevel
[2] https://blog.karssen.org/2010/03/03/using-windows-ad-for-apache-authentication/

[grabner]

There are two authentications. One against the NTLM provider and the other one checks against the file.

Just to make sure we're talking about the same thing: doesn't authentication mean to verify the user's identify? This is done by NTLM in my example. The svn-access-file does not contain user/password pairs or any other information suitable to verify a user's identify, it only tells the server which operations on which data are allowed to a particular user whose identity was already verified by another process (i.e., NTLM). So NTLM is responsible for authentication, and the svn-access-file is responsible for authorization. At least this is how I understood the brief introduction in http://httpd.apache.org/docs/2.4/howto/auth.html.

If you have an test enviroment you can set there the LogLevel to trace6[1]

Thanks for the hint, this revealed some interesting details. With "* = r" in the svn-access-file (i.e., allowing read access to everyone), I can see the line "WWW-Authenticate: NTLM" in the response header sent by the server. However, with "mgrabner = r" (i.e., allowing read access just to myself), the WWW-Authenticate line is missing from the response header, hence the client is not even trying to perform authentication, and the server finally reports an authentication failure.

It seems to me that NTLM authentication and subversion authorization are performed in the wrong order, I don't understand why the svn-access-file is even processed before a user is authenticated (or, as you suggest, both processes are treated as authentication, and the subversion one is arbitrarily chosen as the first one).

if the NTLM doesn't work you may try mod_authnz_ldap. There are some examples over the net[2]

I think the NTLM part is working fine. I repeated the experiment with toggling the NTLMOmitDomain flag, making sure that no cached data are used, and observed in the apache log file that the domain prefix was present or not in the username, depending on the value of NTLMOmitDomain (all with "* = r" in the svn-access-file since otherwise it wouldn't have entered NTLM authentication as stated above).

I'm not sure whether this issue is due to some misconfiguration or a bug in any of the related components. Do you have any ideas?

Thanks & kind regards,
Markus

[mario]

Well against AD I had to use the Sid's

e.g.

Code: [Select]

[/]
S-1-1-0=r
S-1-5-21-368584716-2338757681-3636766667-1003=rw

S-1-1-0 = Everyone ( Jeder )

[mario]

In the source code there is

NTLMChainAuth => set to 'on' if you want an alternative authorization module like SVNPathAuthz to work at the same level

[leekirby]

Just to make sure we're talking about the same thing: doesn't authentication mean to verify the user's identify? This is done by NTLM in my example. The svn-access-file does not contain user/password pairs or any other information suitable to verify a user's identify, it only tells the server which operations on which data are allowed to a particular user whose identity was already verified by another process (i.e., NTLM). So NTLM is responsible for authentication, and the svn-access-file is responsible for authorization. At least this is how I understood the brief introduction in
Thanks for the hint, this revealed some interesting details. With "* = r" in the svn-access-file (i.e., allowing read access to everyone), I can see the line "WWW-Authenticate: NTLM" in the response header sent by the server. However, with "mgrabner = r" (i.e., allowing read access just to myself), the WWW-Authenticate line is missing from the response header, hence the client is not even trying to perform authentication, and the server finally reports an authentication failure.

It seems to me that NTLM authentication and subversion authorization are performed in the wrong order, I don't understand why the svn-access-file is even processed before a user is authenticated (or, as you suggest, both processes are treated as authentication, and the subversion one is arbitrarily chosen as the first one).
I think the NTLM part is working fine. find more about phenq reviews here I repeated the experiment with toggling the NTLMOmitDomain flag, making sure that no cached data are used, and observed in the apache log file that the domain prefix was present or not in the username, depending on the value of NTLMOmitDomain (all with "* = r" in the svn-access-file since otherwise it wouldn't have entered NTLM authentication as stated above).

I'm not sure whether this issue is due to some misconfiguration or a bug in any of the related components. Do you have any ideas?

Thanks & kind regards,
Markus

Markus you understood it correctly. that is the way it is working. NTLM is responsible for authenticatio, and the svn-access-file is responsible for authorization. It looks like a bug to me. Whatever you are doing is totally understandable.