Solved Subversion with SASL: "No repository found" but works locally

I'm stuck. I got this working, without SASL or any security. That is, I'm able to checkout my repo to home from the server. But now I'm trying to use SASL following obsigna tutorial here. The only thing different from the tutorial was the paths. I can checkout and commit files on the server but I can't access it from home..

svn checkout svn://XXX.XXX.XXX.XXX/var/svn/repos/drhoward
svn: E170013: Unable to connect to a repository at URL 'svn://xxx.xxx.xxx.xxx/var/svn/repos/drhoward'
svn: E210005: No repository found in 'svn://xxx.xxx.xxx.xxx/var/svn/repos/drhoward'

I question whether the stuff at the end of the tutorial about sasl2db is correct. The db created is sasl2db.db and the instructions say to change permissions on that before it exists. Unless I'm misunderstanding.

In /etc/rc.conf I did
Code:
svnserve_data="/var/svn/repos"
for my path and this might be the problem. when I svn to the server I would have expected to not need the
Code:
/var/svn/repos
in the URI but it doesn't work either way. In fact, just putting
Code:
/drhoward
at the end gives a
SASL(-4): no mechanism available
error.

So I'm hoping obsigna sees this and recognizes the problem but here's to hoping anyone can give me something to look for, check, or test.
 
I just saw your message. However, note, I am a German (born in the river Rhine area) living in Brazil ...
 
I am a German (born in the river Rhine area)
My mother's side of the family is all from Germany. I even learned German in grade school but remember almost none of it.

unitrunker Yeah I've got the book and flip through it a lot but I don't think SASL is really the issue. Of course, if I knew what I was talking about I wouldn't be here now.
 
Oh! Well. Maybe it is SASL. In my mailbox this morning:
Code:
saslauthd[58837]:                 : auth failure: [user=drhoward] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
 
I don't think that is the same as the Cyrus sasl used by svnserve. Here are my notes from a year ago:


For Cyrus SASL2 ...

Hypothetical realm named "gnarly".

Edit /usr/local/etc/sasl2/svn.conf :

Code:
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /usr/local/etc/svn.sasl.db
mech_list: DIGEST-MD5

Code:
# saslpasswd2 -c -f svn.sasl.db -u gnarly $username
(command will prompt you for the user's password)

Assuming "/var/svn" is your repo, edit /var/svn/conf/svnserve.conf ...

Code:
[general]
realm = gnarly

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

Your /etc/rc.conf should have:

Code:
svnserve_data="/var/svn"

Manually run svnserve to test ...

Code:
# svnserve -d -r /var/svn

As a service ...

Code:
# service svnserve [one]start

... and finally ...

Code:
# svn checkout svn://host.example.com/project1
 
unitrunker That's exactly what I have and have done but with the failed attempts of "No repository found" while, on the server itself, svn checkout file:///var/svn/repos/drhoward works (with slightly different pathname).
 
I'm stuck. I got this working, without SASL or any security. That is, I'm able to checkout my repo to home from the server. But now I'm trying to use SASL following obsigna tutorial here. The only thing different from the tutorial was the paths. I can checkout and commit files on the server but I can't access it from home..

svn checkout svn://XXX.XXX.XXX.XXX/var/svn/repos/drhoward
Code:
svn: E170013: Unable to connect to a repository at URL 'svn://xxx.xxx.xxx.xxx/var/svn/repos/drhoward'
svn: E210005: No repository found in 'svn://xxx.xxx.xxx.xxx/var/svn/repos/drhoward'

Like you stated below, when connecting remotely, you won’t inform the local path to the respective SVN repository. the command should be:
svn checkout svn://XXX.XXX.XXX.XXX/drhoward

Your command asked for checking out the repository at /var/svn/repos/var/svn/repos/drhoward which presumably does not exist and we may read the error message literally.

svnserve is listening on TCP port 3690. However, if a firewall would block the connection, the svn command would simply time out without giving an error.

I question whether the stuff at the end of the tutorial about sasl2db is correct. The db created is sasl2db.db and the instructions say to change permissions on that before it exists. Unless I'm misunderstanding.

I just checked the respective BLog post, and the permissions are set after the SASL user db has been created, c.f.:
Code:
saslpasswd2 -c -f /usr/local/etc/sasl2db -u SVN user_name
chown svn:svn /usr/local/etc/sasl2db
chmod 0400 /usr/local/etc/sasl2db
In any case, here I got:
ls -l /usr/local/etc/sasl*
Code:
-r--------  1 svn    svn   49152 Oct 31  2018 /usr/local/etc/sasl2db
-rw-r-----  1 cyrus  mail  49152 Jan 18 10:10 /usr/local/etc/sasldb2

/usr/local/etc/sasl2:
total 4
-rw-r-----  1 root  svn  105 Dec 26  2012 svn.conf

In /etc/rc.conf I did
Code:
svnserve_data="/var/svn/repos"
for my path and this might be the problem. when I svn to the server I would have expected to not need the
Code:
/var/svn/repos
in the URI but it doesn't work either way. In fact, just putting
Code:
/drhoward
at the end gives a error.
Code:
SASL(-4): no mechanism available

The error tells us that the SVN client and the SVN server, failed to negotiate the SASL authentication mechanism. I would expect the error in case SASL support was not compiled into the SVN client.

Please show us the output of your svn --version on the client and the server. For example on my macOS clients I need to build a customized Subversion v1.9 for having SASL support from within Xcode 9.

svn --version
Code:
 svn --version
svn, version 1.9.12 (r1863368)
   compiled Nov 17 2019, 10:54:46 on x86_64-apple-darwin18.7.0

Copyright (C) 2019 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

WARNING: Plaintext password storage is enabled!

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - using serf 1.3.9 (compiled with 1.3.9)
  - handles 'http' scheme
  - handles 'https' scheme

The following authentication credential caches are available:

* Plaintext cache in /Users/rolf/.subversion
* GPG-Agent
* Mac OS X Keychain
 
In the blog, it says the created db name is sasl2db but I get sasl2db.db

On the server. This is different in that it says i386-portbld. It's on a VPS:
Code:
svn, version 1.13.0 (r1867053)
   compiled Feb 24 2020, 09:11:56 on i386-portbld-freebsd12.1

Copyright (C) 2019 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - using serf 1.3.9 (compiled with 1.3.9)
  - handles 'http' scheme
  - handles 'https' scheme

The following authentication credential caches are available:

* Gnome Keyring
* KWallet (KDE)

On the client:
Code:
svn, version 1.13.0 (r1867053)
   compiled Feb 24 2020, 09:21:16 on amd64-portbld-freebsd12.1

Copyright (C) 2019 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - using serf 1.3.9 (compiled with 1.3.9)
  - handles 'http' scheme
  - handles 'https' scheme

The following authentication credential caches are available:

* Gnome Keyring
* KWallet (KDE)
 
Note: if I ever sound curt or short in any of my postings it's because I'm juggling a lot of things right now at the same time. Patching holes in a bedroom in preparation for painting, learning how to install a water softener and heater for my son who lives an hour away, general running around and, I'm choking up to mention this, my little buddy...my best friend...my dog...died a couple of weeks ago...and my heart is broken.
 
Found the issue. For whatever reason, the config for the cyrus-sasl port on my VPS only has LOGIN, ANONYMOUS and PLAIN plugins checked. I checked DIGEST, rebuilt the port, and now everything works.

Thanks obsigna and unitrunker for looking into this.
 
and my heart is broken.

Ah sorry to hear about your buddy. :(

Glad you got the svn login sorted. I was going to suggest restricting the svnserve daemon to listening on local ports and using ssh tunnel / port forwarding. I used to do that until I ended up just using svn+ssh:// and a folder. It seems the latter is how most VCS works these days so I deemed it fairly "standard".
 
On a related note - while recently rebuilding subversion, I found some of the 'make config' options fail to build. I had to experiment with different options to get something that had SASL and would also compile. I need to repeat the experiments so I can report a bug to the maintainer.
 
Back
Top