Installing svn source control server

Well, I finally was able to get a source control server setup. Our web guys (both of them) have been asking for this for a little while now. I have setup SVN servers in the past, but that was at a small shop with only a handful of people, all of whom needed access to it, so setup was a little less crazy. However, this time around, there were items that made it a little more difficult:

1. I needed to use Active Directory Server (ADS) to handle login authentication.
2. I wanted secure/encrypted connections to the server.
3. We have a mixture of clients, with 2 people covering Linux, OS X, and Windows XP.

Each of these is a little crazy on its own, but put them together and you can go nuts!

First off, here are the things you will need:

samba-common
openssh-server
subversion

Then, you will need any client software to connect to the server. This varies greatly, but a good place to start at is this wiki entry.

Winbind Authentication

Since we are using Fedora Core 8 for this server, there is a fairly easy way to setup ADS for logins. Just click on System->Administration->Authentication. This brings up the Authentication Configuration screen, and at the bottom of the first tab screen (User Information), check the Enable Winbind Support box and click Configure Winbind.

From the Winbind Settings screen, Domain will be the short name of the domain, while ADS Realm is the full name, such as DOMAIN.COMPANY.COM. The security model will be ads, enter the full DNS name of the domain controller, and then choose a shell if you wish. Now, you will NEED to click the Join Domain button.

Here, enter in an administrator account name and password. This step is necessary to setup your server as a computer account on the network. Now you click OK to close this window. Click OK to close the Winbind Settings window, and click OK to close Authentication Configuration.

NOTE: You do not have to go to the Authentication tab from the Authentication Configuration window, since the Winbind settings there are the same as the ones under User Information.

At this point I could open a Terminal and run wbinfo; however, I wasn’t able to log in. I then searched and found this article, which covered more information, specifically steps 7 through 10. After that, I just verified that the /etc/ssh/sshd_config file had the setting

UsePAM yes

and I was able to log in both locally and via SSH, but the system kept complaining about the /home/DOMAIN/domainuser folder missing. So, I guess I needed to create the folders for users. My two choices were to either hand-create a folder for each user that I felt needed access, or I could create them all.

If you choose to create each one, then remember that you can also chown the folder to the domain account name, and then chgrp to “domain users”. For me, I just made the /home/DOMAIN folder, then did a mkdir `wbinfo -u | grep -v ".*$.*"` to create all of the user account folders. The reason you need the last part (with the grep) is that trusted domains are also listed, but with a $ at the end of their name.

To make life easier, I just chmod -R a+rwx /home/DOMAIN and let that take care of things.

Subversion with SSH, svn+ssh

Now, I had to get Subversion running.

I installed subversion via yum, and sat there wondering “what do I do next?” Well, I went to the website for the Subversion book, and I downloaded the PDF version for reading at my leisure. I wanted to setup a repository so I could test against, but the book, and web sites, can be a little obtuse on this matter. I finally pieced together that I needed to create a directory for it, then use the svnadmin command to create the various files and folders to setup the base system.

Now, how should I handle access to this? Previously, I had set up subversion to work with the Apache web server, but this proved problematic, especially with some lower-bandwidth developers. So, I was going to use the svnserve server program, which would accept svn requests directly. The only problem with it was that it is not encrypted, and even the password file on the server is clear text, meaning that if someone could read it, they could read the svn password for each user. I really didn’t like that too much, and I wanted the same mechanism that allows people to log in to the server to handle authentication for subversion. Well, then walks in svnserve using SSH.

When you switch to svn+ssh, you can take care of a lot of problems. Anonymous access controls are not really an issue anymore, because there is no anonymous access to the server via SSH, so anyone who could get to it, would be a valid user. Then, I could setup the authorized file in svn to control which users could, or could not, have access to the svn server. The beauty of this is, you don’t have to leave svnserve running, it will be run as needed when users connect via the svn+ssh connection.

svnX and StrictModes

First test was svnX for our Mac user. Yes, for the MAC OS X user, you got a problem with that?

Well, for svnX you also need to install svn, because svnX is just a GUI front-end to svn commands, and not as elegant a system as I would like for OS X, but still usable. So, you need to install svn on your Mac clients. But don’t go to the svn site and look for a Mac download, because either you get the Universal binary from CollabNet, which requires you to register with them, or Metissian’s site, which is only up to 1.3.1. Instead, go to Martin Ott’s site for a 1.4.4 version that doesn’t make you beg and plead for the download.

Once you have subversion installed, and if you are wondering, it is found under /usr/local, then you can fire up svnX, and not get anywhere. Why? Well, since we are using svn+ssh, then we also need SSHKeychain, to handle the ssh part of things. So, we get that installed and… still nothing. What now? Well, as far as I can tell, and that isn’t much, is that svnX tries to issue the command:

svn list svn+ssh://server/svn --username domainuser --password domainpassword

but that doesn’t work, because svn on OS X can not parse options given after the server. So, you would have to issue:

svn list --username domainuser --password domainpassword svn+ssh://server/svn

However, there is no way to tell svnX to do that. Soooo, you have to setup a public/private key pair on OS X and copy that to the server. The usual ssh-keygen -t dsa should do the trick. Then you have to SCP that over to the svn server, cat it into the authorized keys file, and then try again.

Again, doesn’t work. If I try to ssh domainuser@server, then I get denied. I looked at /var/log/secure and saw the message:

Authentication refused: bad ownership or modes for directory /home/DOMAIN/domainuser

Well, it seems that the problem is that SSH on the server does not like the fact that the domain login’s folder is not owned by the individual user. This is where either making the home folders by hand with proper permissions, or writing a script to change the ownership of each /home/DOMAIN/user folder to the user, would be handy. For me, I just turned off strict modes in SSH by adding StrictModes no to the sshd_config file.
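The script mentioned above, which gives each /home/DOMAIN/user folder to its own user so that StrictModes can stay on, could look like this. It is an added example, not part of the original post; the function names are hypothetical, and it assumes GNU stat and root privileges for the ownership change.

```shell
#!/bin/sh
# Added example, not from the original post.
# With StrictModes yes, sshd refuses key login unless the home directory
# is owned by the user (or root) and is not group- or world-writable.

# strictmodes_ok DIR USER: return 0 if DIR passes that check for USER.
strictmodes_ok() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    owner=$(stat -c '%U' "$dir")   # GNU stat, as shipped with Fedora
    mode=$(stat -c '%a' "$dir")    # octal permission bits, e.g. 755
    if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
        echo "bad owner: $dir owned by $owner, expected $user"
        return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then   # 022 = group/other write
        echo "bad mode: $dir is $mode, writable by group or others"
        return 1
    fi
}

# fix_home DIR USER GROUP: create DIR, hand it to USER, mode 700.
# Changing the owner to another account requires root.
fix_home() {
    mkdir -p "$1" && chown "$2" "$1" && chgrp "$3" "$1" && chmod 700 "$1"
}

# provision_homes BASE GROUP: read account names on stdin, one per line,
# skip names containing '$' (as the post's grep does), fix each home.
provision_homes() {
    base=$1; group=$2
    while IFS= read -r name; do
        case $name in ''|*'$'*) continue ;; esac
        fix_home "$base/$name" "$name" "$group" || echo "failed: $name"
    done
}

# Typical use on the server, as root (DOMAIN is the post's placeholder):
#   wbinfo -u | provision_homes /home/DOMAIN "domain users"
#   strictmodes_ok /home/DOMAIN/domainuser domainuser
```

The same ownership and mode test is applied by sshd to the .ssh directory and the authorized keys file, so strictmodes_ok can be pointed at .ssh as well.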

Domain Users?

Well, now that svnX could connect to the server, and see the repository, the next step was to create a test folder. Well, that didn’t go well. The error message kept saying that it couldn’t create the folder /svn/db/transactions/{transaction}. I started going over the log files on the server. Nope, nothing that ssh was doing was causing this. So, I finally tracked it down, I didn’t have the correct permissions on the /svn folder itself. So, I had to fix those. I found the correct group by ls -l /home/{DOMAIN}/{USERNAME} which showed me that the group for the logins was “domain users,” so I made a little change.

chmod -R g+w /svn
chgrp -R "domain users" /svn
chmod a+s /svn

Now I tried it, and everything worked.

Final notes, and the step by step howto.


  1. Install Fedora Core 8, using just the base system.

  2. Install the components for source code access

      yum update
      yum install samba-common
      yum install openssh
      yum install subversion

  3. Setup Winbind Authentication (see above, or wait for me to fill out later)

  4. Setup user account folders

      cd /home
      mkdir DOMAIN
      cd DOMAIN
      mkdir `wbinfo -u | grep -v ".*$.*"`
      chgrp -R "domain users" /home/DOMAIN
      chmod g+rwx /home/DOMAIN

  5. Setup subversion

      mkdir /svn
      svnadmin create /svn
      chmod -R g+w /svn
      chgrp -R "domain users" /svn
      chmod a+s /svn
      edit /svn/conf/svnserve.conf file as needed
      edit /svn/conf/authz to include

        [/svn]
        * = rw

  6. Setup SSH

      edit /etc/ssh/sshd_config

        UsePAM yes
        StrictModes no

  7. svn, svnX, and SSHKeychain

      Install svn on the Mac OS X client
      Install svnX
      Install SSHKeychain
      Open SSHKeychain
      Open Terminal

        ssh-keygen -t dsa
        cd .ssh
        scp id_dsa.pub domainuser@server:.
        ssh domainuser@server
        cat id_dsa.pub > .ssh/authorized_keys2
        exit

      Go to Keychain

        Select Agent menu
        Then Add single key…
        Choose id_dsa and click OPEN

      Go back to Terminal to test password-less login

        ssh domainuser@server
        exit

      Exit Terminal
      Open svnX

        From the Repositories window, click the +
        Enter a Name for the svn server (anything you want to call it)
        The Path will be svn+ssh://server/svn
        You can leave User and Pass empty; hit tab, or click in another field
        Double-click the name from the list at the top of the window

Well, that should be it. I will add to this post, or do another one, on the other clients when I have the step-by-steps worked out.
