#617414 libapache2-svn: REPORT gives 500 on authz restricted paths if not authenticated (kerberos)

#617414#5
Date: 2011-03-08 18:39:58 UTC
We use svn DAV with kerberos authentication which worked fine. However
recently we created a /secure folder with restricted access. Any attempt to
access the folder using kerberos authentication causes svn to fail with the
error:
svn: Not authorized to open root of edit operation

Looking in the Apache logs, this is caused by the REPORT command
returning 500.

Using basic authorization the commands complete successfully.

The Authz file contains:
"""
[groups]
admins = dgp

[/]
* = r
@admins = rw

[/secure]
* =
@admins = rw
"""

Apache config DAV section:
<Location /svn>
  DAV svn
  SVNPath /srv/svn/root
  SVNPathAuthz On
  AuthzSVNAccessFile /srv/svn/etc/svnpasswd
  Satisfy Any
  AuthType Kerberos
  AuthName "Subversion (or use kerberos)"
  Krb5Keytab "/etc/apache2/apache2.keytab"
  KrbLocalUserMapping on
  KrbDelegateBasic on
  Require valid-user
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </LimitExcept>
</Location>

Apache log for "svn up" using kerberos (libapache2-mod-auth-kerb):
127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "OPTIONS /svn/secure HTTP/1.1" 401 5964
127.0.1.1 - dgp [08/Mar/2011:17:39:09 +0000] "OPTIONS /svn/secure HTTP/1.1" 200 1236
127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/secure HTTP/1.1" 401 708
127.0.1.1 - dgp [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 916
127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/secure HTTP/1.1" 401 708
127.0.1.1 - dgp [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 916
127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/!svn/vcc/default HTTP/1.1" 207 580
127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/!svn/bln/6 HTTP/1.1" 207 580
127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "REPORT /svn/!svn/vcc/default HTTP/1.1" 500 532

Corresponding entries when falling back to basic auth:
127.0.1.1 - - [08/Mar/2011:18:22:27 +0000] "OPTIONS /svn/secure HTTP/1.1" 401 820
127.0.1.1 - dgp [08/Mar/2011:18:22:30 +0000] "OPTIONS /svn/secure HTTP/1.1" 200 996
127.0.1.1 - dgp [08/Mar/2011:18:22:30 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 676
127.0.1.1 - dgp [08/Mar/2011:18:22:30 +0000] "PROPFIND /svn/!svn/vcc/default HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:30 +0000] "PROPFIND /svn/!svn/bln/6 HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 676
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/!svn/vcc/default HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/!svn/bln/6 HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 676
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/!svn/vcc/default HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/!svn/bc/6/secure HTTP/1.1" 207 676
127.0.1.1 - - [08/Mar/2011:18:22:32 +0000] "OPTIONS /svn/secure HTTP/1.1" 401 6028
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "OPTIONS /svn/secure HTTP/1.1" 200 996
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 676
127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 676
127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/!svn/vcc/default HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/!svn/bln/6 HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/secure HTTP/1.1" 207 676
127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/!svn/vcc/default HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/!svn/bln/6 HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "REPORT /svn/!svn/vcc/default HTTP/1.1" 200 1042

REPORT fails to ask for authentication if none has been provided and instead
throws an error.

Removing anon access ("Satisfy All" and removing the "LimitExcept" clause)
allows kerberos auth to work correctly.

libapache2-mod-auth-kerb  5.4-1
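
Added example, not part of the original report: a log triage script that finds the pattern visible in the Kerberos excerpt above, an anonymous REPORT answered with 5xx instead of a 401 challenge from a host that had already authenticated. It assumes Apache common log format as in the excerpts; the function names and the sample lines (users alice and bob, 192.0.2.x addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse(line):
    """Return the fields of one access log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_unchallenged_failures(lines, methods=("REPORT",)):
    """Return anonymous requests that ended in 5xx instead of a 401 challenge,
    limited to hosts that had already authenticated earlier in the log."""
    authed_users = defaultdict(set)  # host -> usernames seen so far
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that are not in common log format
        if rec["user"] != "-":
            authed_users[rec["host"]].add(rec["user"])
        elif (rec["method"] in methods and rec["status"].startswith("5")
              and authed_users[rec["host"]]):
            rec["known_users"] = sorted(authed_users[rec["host"]])
            findings.append(rec)
    return findings

# Constructed sample lines, modelled on the access log excerpts in the report.
SAMPLE = """\
192.0.2.10 - - [08/Mar/2011:17:39:09 +0000] "OPTIONS /svn/secure HTTP/1.1" 401 5964
192.0.2.10 - alice [08/Mar/2011:17:39:09 +0000] "OPTIONS /svn/secure HTTP/1.1" 200 1236
192.0.2.10 - - [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/!svn/vcc/default HTTP/1.1" 207 580
192.0.2.10 - - [08/Mar/2011:17:39:09 +0000] "REPORT /svn/!svn/vcc/default HTTP/1.1" 500 532
192.0.2.20 - bob [08/Mar/2011:18:22:33 +0000] "REPORT /svn/!svn/vcc/default HTTP/1.1" 200 1042
192.0.2.30 - - [08/Mar/2011:18:30:00 +0000] "REPORT /svn/!svn/vcc/default HTTP/1.1" 500 532
""".splitlines()

if __name__ == "__main__":
    for f in find_unchallenged_failures(SAMPLE):
        print(f'{f["time"]} {f["host"]} {f["method"]} {f["path"]} -> {f["status"]} '
              f'(anonymous; host earlier authenticated as {", ".join(f["known_users"])})')
```

The third sample host is not flagged because it never authenticated, which separates this authentication fallback failure from unrelated server errors.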