You are here
iFriend access to University central SVN repositories
Accessing the University SVN service as an iFriend is documented on the Version Control Service - Subversion page of the Edinburgh Compute and Data Facility.
Some client side configuration may be required for this to work correctly. This document explains why this may be necessary and what may need to be configured.
iFriend access to the central SVN service works through Kerberos cross-realm trusts, specifically a trust between the FRIEND.INF.ED.AC.UK realm and INF.ED.AC.UK and another trust between INF.ED.AC.UK and EASE.ED.AC.UK (where the SVN service is located).
For a client principal authenticated in the FRIEND.INF.ED.AC.UK realm to use a service in EASE.ED.AC.UK, it may be necessary to configure kerberos libraries so that they know how to use the trust chain described above.
This involves making changes to the following configuration file:
/etc/krb5.conf
(on Unix/Linux systems)/Library/Preferences/edu.mit.Kerberos
(on MacOS systems)
If you do not have permission to edit /etc/krb5.conf
, then you can set the KRB5_CONFIG
environment variable to use an alternative file, e.g.:
export KRB5_CONFIG=/tmp/krb5.conf
The first change should be made to the [libdefaults]
section of the file to add the following lines:
dns_lookup_kdc = true dns_lookup_realm = true
These lines ensure that kerberos can firstly locate the realm in which the SVN service is located (it is hosted in the DNS domain of ecdf.ed.ac.uk, but uses EASE.ED.AC.UK) and also locate the authentication services for that realm.
Secondly, the following section should be added to the file:
[capaths] FRIEND.INF.ED.AC.UK = { EASE.ED.AC.UK = INF.ED.AC.UK }
This tells the kerberos libraries about the realm trust chain in place.
With this configuration it should be possible to use SVN as an iFriend with something like this:
$: kinit friend%friend.domain@FRIEND.INF.ED.AC.UK friend%friend.domain@FRIEND.INF.ED.AC.UK's Password: $: svn co https://svn-kerberos.ecdf.ed.ac.uk/repo/inf/MyRepo ...
If you are using MacOS, you may see the following error:
svn: E120191: Error running context: The requested authentication type(s) are not supported
It appears that the version of svn
which ships with newer versions of MacOS does not support kerberos. This can be remedied by installing subversion using Homebrew, which is unfortunately beyond the scope of this document.