Subversion and mod_auth_kerb issues

Been trying to track down some issues with the new Subversion servers at work. They are setup to be accessed via https only, authentication provided by mod_auth_kerb. This works beautifully for doing Negotiate auth, however I’d been seeing some odd errors when it would fall back to Basic. I was seeing a bunch of replay errors logged:

krb5_verify_init_creds() failed: Request is a replay

Along with the more cryptic:

The locks could not be queried for verification against a possible "If:" header. [500, #0]

It was pretty obvious that the errors were related, however the replay message were spewing much more frequently. I enlisted the help of jorton (resident Apache guru) and we managed to fix a few other small annoyances, but got nowhere on the errors. Till yesterday. Joe forwarded me an email from the m_a_k mailing list that said to set kdc_timesync = 0. The thread has a good explanation of why this needs to be set, so go read it. 🙂

Leave a Reply