You are here

iFriend access to University central SVN repositories

Accessing the University SVN service as an iFriend is documented on the Version Control Service - Subversion page of the Edinburgh Compute and Data Facility.

Some client side configuration may be required for this to work correctly. This document explains why this may be necessary and what may need to be configured.

iFriend access to the central SVN service works through Kerberos cross-realm trusts, specifically a trust between the FRIEND.INF.ED.AC.UK realm and INF.ED.AC.UK and another trust between INF.ED.AC.UK and EASE.ED.AC.UK (where the SVN service is located).

For a client principal authenticated in the FRIEND.INF.ED.AC.UK realm to use a service in EASE.ED.AC.UK, it may be necessary to configure kerberos libraries so that they know how to use the trust chain described above.

This involves making changes to the following configuration file:

  • /etc/krb5.conf (on Unix/Linux systems)
  • /Library/Preferences/edu.mit.Kerberos (on MacOS systems)

If you do not have permission to edit /etc/krb5.conf, then you can set the KRB5_CONFIG environment variable to use an alternative file, e.g.:

export KRB5_CONFIG=/tmp/krb5.conf

The first change should be made to the [libdefaults] section of the file to add the following lines:

 dns_lookup_kdc = true
 dns_lookup_realm = true

These lines ensure that kerberos can firstly locate the realm in which the SVN service is located (it is hosted in the DNS domain of ecdf.ed.ac.uk, but uses EASE.ED.AC.UK) and also locate the authentication services for that realm.

Secondly, the following section should be added to the file:

[capaths]
 FRIEND.INF.ED.AC.UK = {
  EASE.ED.AC.UK = INF.ED.AC.UK
 }

This tells the kerberos libraries about the realm trust chain in place.

With this configuration it should be possible to use SVN as an iFriend with something like this:

$: kinit friend%friend.domain@FRIEND.INF.ED.AC.UK
friend%friend.domain@FRIEND.INF.ED.AC.UK's Password: 
$: svn co https://svn-kerberos.ecdf.ed.ac.uk/repo/inf/MyRepo
...

If you are using MacOS, you may see the following error:

svn: E120191: Error running context: The requested authentication type(s) are not supported

It appears that the version of svn which ships with newer versions of MacOS does not support kerberos. This can be remedied by installing subversion using Homebrew, which is unfortunately beyond the scope of this document.

Last reviewed: 
03/10/2023

System Status

Home dirs (AFS)
Network
Mail
Other services
University services
Scheduled downtime

Choose a topic