Tuesday, May 1, 2012

SVN+GSSAPI : "Could not obtain list of SASL mechanisms" solved..kinda?

It doesn't take much of a Google query to find a good chunk of users trying to solve a seemingly intractable problem with their Subversion setups trying to authenticate through SASL via the GSSAPI, often back to a Windows Kerberos server.

This search stems from a chronic receipt of the title message:

"Could not obtain list of SASL mechanisms." with no error logging, and a seemingly correct configuration among the various configuration files for Subversion - notably svn.conf and svnserve.conf.

For background, Subversion users can tell their svnserve process to authenticate via the external SASL library. SASL, in turn, supports a variety of authentication mechanisms, including a local database, LDAP, and Kerberos. Set up svnserve.conf to enable SASL, and then write an svn.conf file that defines the proper plugins and authentication mechanisms, and you're off to the races. In most cases, this sequence works fairly well.

I needed to have SASL authenticate against my Windows AD/Kerberos server, which was (supposedly) possible by employing the GSSAPI mechanism in my svn.conf file, along with a keytab to identify SVN to AD. But blast if I could ever come close to making it work - with the message above my constant response.
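The configuration points described above can be checked mechanically. The following is an added example, not code from the original post or from the Subversion project: it verifies that svnserve.conf turns SASL on (the `[sasl]` `use-sasl` option), that svn.conf lists GSSAPI in the Cyrus SASL `mech_list` option, and that the file named by the `keytab` option is readable. The sample file contents and paths are constructed.

```python
import configparser
import os

# Constructed sample files, not taken from the post.
SAMPLE_SVNSERVE_CONF = """\
[general]
anon-access = none
auth-access = write

[sasl]
use-sasl = true
"""
SAMPLE_SASL_CONF = """\
# svn.conf, read by the SASL library on behalf of svnserve
mech_list: GSSAPI
keytab: /nonexistent/svn.keytab
"""


def parse_sasl_conf(text):
    """Parse Cyrus SASL 'option: value' lines, skipping blanks and # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)  # split once so C:\ paths survive
        opts[key.strip().lower()] = value.strip()
    return opts


def check_gssapi_setup(svnserve_conf_text, sasl_conf_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(svnserve_conf_text)
    if cp.get("sasl", "use-sasl", fallback="false").strip().lower() != "true":
        findings.append("svnserve.conf: [sasl] use-sasl is not true")
    opts = parse_sasl_conf(sasl_conf_text)
    if "GSSAPI" not in opts.get("mech_list", "").upper().split():
        findings.append("svn.conf: mech_list does not include GSSAPI")
    keytab = opts.get("keytab")
    if not keytab:
        findings.append("svn.conf: no keytab option set")
    elif not os.access(keytab, os.R_OK):
        findings.append("svn.conf: keytab %s is missing or unreadable" % keytab)
    return findings


if __name__ == "__main__":
    for finding in check_gssapi_setup(SAMPLE_SVNSERVE_CONF, SAMPLE_SASL_CONF):
        print(finding)
```

An empty result only rules out these configuration mistakes; it says nothing about whether the svnserve build in use actually loads the GSSAPI mechanism or ever opens the keytab.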

I was plodding down the same road until I noticed amid a zillion lines of ProcMon traces and NetMon captures one interesting note - that the keytab file I had created that held the SPN to authenticate to the Windows Kerberos server was never being read. ProcMon showed that the configuration file, svn.conf, was being read, and I knew the keytab designation was there. Yet it was never touched. That made me wonder what was going on... Then, after what seemed to be the umpteenth Google search and iteration, I found this little gem arising from a Gentoo forum in which some poor soul was translating the same error from a German server (a link which you can follow here) and discovered this:


From what I gathered, it seems as if it might have been possible to use plain svnserve+sasl+gssapi two years ago. While the same text I linked to in the previous post is still in the source tarball, a little grepping and searching of bugtrackers revealed that the files needed to do so are no longer in the source.
Bottom line? SVN + GSSAPI + SASL may have worked at one point in Subversion, but apparently not anymore.

Wow.

Open source software can be a great thing. Working several hours to make something work, only to find it isn't possible, isn't among them. This post is for anyone trying to resolve the same problem.

Caveat open-source emptor.