Kerberos/Apache configuration issue or libgit2 bug? #6603

SASStudioDev · 2023-07-19T15:44:47Z

SASStudioDev
Jul 19, 2023

Hi,

I'm currently trying to debug an issue with kerberos authentication and I'm stuck. Whenever a user tries to connect to the remote repository the initial kerberos handshake is successful but eventually fails with a 401 when sending the git-upload-pack POST. This is only happening with SSL turned on. I am able to clone, push, pull, and fetch when SSL is off.

Below is what my test environment looks like and the subsequent log files when attempting a clone. The clone attempt results in three exchanges between libgit2 and the git server. The first two result in 200s and both have a userName and a token associated with the request. The third request does not have a userName or token associated with the request which results in a 401.

Any help or input is greatly appreciated.

Thanks,
Danny

Test Environment:
Box 1: Application that uses libgit2. Libgit2 1.3.0 with Libssh2 1.10.0
CentOS 7.9.2009
OpenSSL 1.0.2k-fips

Box 2: Git Server - Apache 2.4.6 git-http-backend
CentOS 7.9.2009
OpenSSL 1.0.2k-fips
mod_auth_gssapi 1.5.1
Self-signed SSL certificate

Both boxes live in the same domain and kerberos is configured with constrained delegation.

Apache config:
/etc/httpd/conf.d/git.conf

LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
<VirtualHost *:443>
  ServerName <serverName>
  SSLEngine On
  SSLCertificateFile /etc/httpd/conf/ssl.crt/website.cert
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/notEncodedPk.key
  SetEnv GIT_HTTP_EXPORT_ALL

  Include conf.d/git-repo.include

</VirtualHost>

/etc/httpd/conf.d/git-repo.include

ScriptAlias /git/repo /usr/libexec/git-core/git-http-backend/
<LocationMatch "^/git/repo">
  SetEnv GIT_PROJECT_ROOT /var/www/git

  AuthType GSSAPI
  AuthName <authName>
  GssapiCredStore keytab:<keytabPath>
  GssapiLocalName On

  Require valid-user
</LocationMatch>

<Files "git-http-backend">
  LogLevel trace6
  SetEnv GIT_PROJECT_ROOT /var/www/git
  AuthType GSSAPI
  AuthName <authName>
  GssapiCredStore keytab:<keytabPath>
  GssapiLocalName On

</Files>

Logs:
Apache access_log (/etc/httpd/logs/access_log)

10.122.33.54 - <userName> [17/Jul/2023:11:49:31 -0400] "GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1" 200 343 "-" "git/2.0 (libgit2 1.3.0)"
10.122.33.54 - <userName> [17/Jul/2023:11:49:31 -0400] "POST /git/repo/test.git/git-upload-pack HTTP/1.1" 200 - "-" "git/2.0 (libgit2 1.3.0)"
10.122.33.54 - - [17/Jul/2023:11:49:31 -0400] "POST /git/repo/test.git/git-upload-pack HTTP/1.1" 401 381 "-" "git/2.0 (libgit2 1.3.0)"

Apache trimmed error_log (/etc/httpd/logs/error_log)
First GET exchange resulting in 200:

[Mon Jul 17 11:49:31.777263 2023] [core:trace5] [pid 17598] protocol.c(656): [client 10.122.33.54:50126] Request received from client: GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1
[Mon Jul 17 11:49:31.777311 2023] [ssl:debug] [pid 17598] ssl_engine_kernel.c(225): [client 10.122.33.54:50126] AH02034: Initial (No.1) HTTPS request received for child 1 (server <serverName>:443)
[Mon Jul 17 11:49:31.777318 2023] [http:trace4] [pid 17598] http_request.c(323): [client 10.122.33.54:50126] Headers received from client:
[Mon Jul 17 11:49:31.777320 2023] [http:trace4] [pid 17598] http_request.c(327): [client 10.122.33.54:50126]   User-Agent: git/2.0 (libgit2 1.3.0)
[Mon Jul 17 11:49:31.777321 2023] [http:trace4] [pid 17598] http_request.c(327): [client 10.122.33.54:50126]   Host: <serverName>
[Mon Jul 17 11:49:31.777323 2023] [http:trace4] [pid 17598] http_request.c(327): [client 10.122.33.54:50126]   Accept: */*
[Mon Jul 17 11:49:31.777655 2023] [authz_core:debug] [pid 17598] mod_authz_core.c(809): [client 10.122.33.54:50126] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jul 17 11:49:31.777660 2023] [authz_core:debug] [pid 17598] mod_authz_core.c(809): [client 10.122.33.54:50126] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jul 17 11:49:31.777672 2023] [auth_gssapi:debug] [pid 17598] mod_auth_gssapi.c(870): [client 10.122.33.54:50126] URI: /git/repo/test.git/info/refs, no main, no prev
[Mon Jul 17 11:49:31.777684 2023] [auth_gssapi:info] [pid 17598] [client 10.122.33.54:50126] NO AUTH DATA Client did not send any authentication headers
[Mon Jul 17 11:49:31.777689 2023] [core:trace3] [pid 17598] request.c(119): [client 10.122.33.54:50126] auth phase 'check user' gave status 401: /git/repo/test.git/info/refs
[Mon Jul 17 11:49:31.777717 2023] [http:trace3] [pid 17598] http_filters.c(1129): [client 10.122.33.54:50126] Response sent with status 401, headers:
[Mon Jul 17 11:49:31.777718 2023] [http:trace5] [pid 17598] http_filters.c(1136): [client 10.122.33.54:50126]   Date: Mon, 17 Jul 2023 15:49:31 GMT
[Mon Jul 17 11:49:31.777720 2023] [http:trace5] [pid 17598] http_filters.c(1139): [client 10.122.33.54:50126]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1
[Mon Jul 17 11:49:31.777721 2023] [http:trace4] [pid 17598] http_filters.c(958): [client 10.122.33.54:50126]   WWW-Authenticate: Negotiate
[Mon Jul 17 11:49:31.777722 2023] [http:trace4] [pid 17598] http_filters.c(958): [client 10.122.33.54:50126]   Content-Length: 381
[Mon Jul 17 11:49:31.777724 2023] [http:trace4] [pid 17598] http_filters.c(958): [client 10.122.33.54:50126]   Content-Type: text/html; charset=iso-8859-1
[Mon Jul 17 11:49:31.777726 2023] [ssl:trace4] [pid 17598] ssl_engine_io.c(1515): [client 10.122.33.54:50126] coalesce: have 0 bytes, adding 234 more
... 
[Mon Jul 17 11:49:31.796907 2023] [core:trace5] [pid 17598] protocol.c(656): [client 10.122.33.54:50126] Request received from client: GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1
[Mon Jul 17 11:49:31.796925 2023] [ssl:debug] [pid 17598] ssl_engine_kernel.c(225): [client 10.122.33.54:50126] AH02034: Subsequent (No.2) HTTPS request received for child 1 (server <serverName>:443)
[Mon Jul 17 11:49:31.796929 2023] [http:trace4] [pid 17598] http_request.c(323): [client 10.122.33.54:50126] Headers received from client:
[Mon Jul 17 11:49:31.796931 2023] [http:trace4] [pid 17598] http_request.c(327): [client 10.122.33.54:50126]   User-Agent: git/2.0 (libgit2 1.3.0)
[Mon Jul 17 11:49:31.796932 2023] [http:trace4] [pid 17598] http_request.c(327): [client 10.122.33.54:50126]   Host: <serverName>
[Mon Jul 17 11:49:31.796933 2023] [http:trace4] [pid 17598] http_request.c(327): [client 10.122.33.54:50126]   Accept: */*
[Mon Jul 17 11:49:31.796940 2023] [http:trace4] [pid 17598] http_request.c(327): [client 10.122.33.54:50126]   Authorization: Negotiate <token>
[Mon Jul 17 11:49:31.796988 2023] [authz_core:debug] [pid 17598] mod_authz_core.c(809): [client 10.122.33.54:50126] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jul 17 11:49:31.796990 2023] [authz_core:debug] [pid 17598] mod_authz_core.c(809): [client 10.122.33.54:50126] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jul 17 11:49:31.796997 2023] [auth_gssapi:debug] [pid 17598] mod_auth_gssapi.c(870): [client 10.122.33.54:50126] URI: /git/repo/test.git/info/refs, no main, no prev
[Mon Jul 17 11:49:31.804837 2023] [authz_core:debug] [pid 17598] mod_authz_core.c(809): [client 10.122.33.54:50126] AH01626: authorization result of Require valid-user : granted
[Mon Jul 17 11:49:31.804849 2023] [authz_core:debug] [pid 17598] mod_authz_core.c(809): [client 10.122.33.54:50126] AH01626: authorization result of <RequireAny>: granted
[Mon Jul 17 11:49:31.805078 2023] [authz_core:debug] [pid 17598] mod_authz_core.c(809): [client 10.122.33.54:50126] AH01626: authorization result of Require all granted: granted
[Mon Jul 17 11:49:31.805082 2023] [authz_core:debug] [pid 17598] mod_authz_core.c(809): [client 10.122.33.54:50126] AH01626: authorization result of <RequireAny>: granted
[Mon Jul 17 11:49:31.805085 2023] [core:trace3] [pid 17598] request.c(312): [client 10.122.33.54:50126] request authorized without authentication by access_checker_ex hook: /test.git/info/refs
...
[Mon Jul 17 11:49:31.808061 2023] [cgi:trace4] [pid 17598] util_script.c(529): [client 10.122.33.54:50126] Headers from script 'git-http-backend':
[Mon Jul 17 11:49:31.808073 2023] [cgi:trace4] [pid 17598] util_script.c(530): [client 10.122.33.54:50126]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Mon Jul 17 11:49:31.808075 2023] [cgi:trace4] [pid 17598] util_script.c(530): [client 10.122.33.54:50126]   Pragma: no-cache
[Mon Jul 17 11:49:31.808077 2023] [cgi:trace4] [pid 17598] util_script.c(530): [client 10.122.33.54:50126]   Cache-Control: no-cache, max-age=0, must-revalidate
[Mon Jul 17 11:49:31.808078 2023] [cgi:trace4] [pid 17598] util_script.c(530): [client 10.122.33.54:50126]   Content-Type: application/x-git-upload-pack-advertisement
[Mon Jul 17 11:49:31.808096 2023] [http:trace3] [pid 17598] http_filters.c(1129): [client 10.122.33.54:50126] Response sent with status 200, headers:
[Mon Jul 17 11:49:31.808098 2023] [http:trace5] [pid 17598] http_filters.c(1136): [client 10.122.33.54:50126]   Date: Mon, 17 Jul 2023 15:49:31 GMT
[Mon Jul 17 11:49:31.808099 2023] [http:trace5] [pid 17598] http_filters.c(1139): [client 10.122.33.54:50126]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1
[Mon Jul 17 11:49:31.808101 2023] [http:trace4] [pid 17598] http_filters.c(958): [client 10.122.33.54:50126]   WWW-Authenticate: Negotiate <token>
[Mon Jul 17 11:49:31.808103 2023] [http:trace4] [pid 17598] http_filters.c(958): [client 10.122.33.54:50126]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Mon Jul 17 11:49:31.808104 2023] [http:trace4] [pid 17598] http_filters.c(958): [client 10.122.33.54:50126]   Pragma: no-cache
[Mon Jul 17 11:49:31.808106 2023] [http:trace4] [pid 17598] http_filters.c(958): [client 10.122.33.54:50126]   Cache-Control: no-cache, max-age=0, must-revalidate
[Mon Jul 17 11:49:31.808107 2023] [http:trace4] [pid 17598] http_filters.c(958): [client 10.122.33.54:50126]   Transfer-Encoding: chunked
[Mon Jul 17 11:49:31.808108 2023] [http:trace4] [pid 17598] http_filters.c(958): [client 10.122.33.54:50126]   Content-Type: application/x-git-upload-pack-advertisement

First POST exchange resulting in 200:

[Mon Jul 17 11:49:31.833053 2023] [core:trace5] [pid 17597] protocol.c(656): [client 10.122.33.54:50130] Request received from client: POST /git/repo/test.git/git-upload-pack HTTP/1.1
[Mon Jul 17 11:49:31.833119 2023] [ssl:debug] [pid 17597] ssl_engine_kernel.c(225): [client 10.122.33.54:50130] AH02034: Initial (No.1) HTTPS request received for child 0 (server <serverName>:443)
[Mon Jul 17 11:49:31.833126 2023] [http:trace4] [pid 17597] http_request.c(323): [client 10.122.33.54:50130] Headers received from client:
[Mon Jul 17 11:49:31.833128 2023] [http:trace4] [pid 17597] http_request.c(327): [client 10.122.33.54:50130]   User-Agent: git/2.0 (libgit2 1.3.0)
[Mon Jul 17 11:49:31.833129 2023] [http:trace4] [pid 17597] http_request.c(327): [client 10.122.33.54:50130]   Host: <serverName>
[Mon Jul 17 11:49:31.833131 2023] [http:trace4] [pid 17597] http_request.c(327): [client 10.122.33.54:50130]   Accept: application/x-git-upload-pack-result
[Mon Jul 17 11:49:31.833132 2023] [http:trace4] [pid 17597] http_request.c(327): [client 10.122.33.54:50130]   Content-Type: application/x-git-upload-pack-request
[Mon Jul 17 11:49:31.833133 2023] [http:trace4] [pid 17597] http_request.c(327): [client 10.122.33.54:50130]   Content-Length: 4
[Mon Jul 17 11:49:31.833137 2023] [http:trace4] [pid 17597] http_request.c(327): [client 10.122.33.54:50130]   Authorization: Negotiate <token>
[Mon Jul 17 11:49:31.833259 2023] [authz_core:debug] [pid 17597] mod_authz_core.c(809): [client 10.122.33.54:50130] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jul 17 11:49:31.833262 2023] [authz_core:debug] [pid 17597] mod_authz_core.c(809): [client 10.122.33.54:50130] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jul 17 11:49:31.833275 2023] [auth_gssapi:debug] [pid 17597] mod_auth_gssapi.c(870): [client 10.122.33.54:50130] URI: /git/repo/test.git/git-upload-pack, no main, no prev
[Mon Jul 17 11:49:31.835065 2023] [authz_core:debug] [pid 17597] mod_authz_core.c(809): [client 10.122.33.54:50130] AH01626: authorization result of Require valid-user : granted
[Mon Jul 17 11:49:31.835074 2023] [authz_core:debug] [pid 17597] mod_authz_core.c(809): [client 10.122.33.54:50130] AH01626: authorization result of <RequireAny>: granted
[Mon Jul 17 11:49:31.835213 2023] [authz_core:debug] [pid 17597] mod_authz_core.c(809): [client 10.122.33.54:50130] AH01626: authorization result of Require all granted: granted
[Mon Jul 17 11:49:31.835218 2023] [authz_core:debug] [pid 17597] mod_authz_core.c(809): [client 10.122.33.54:50130] AH01626: authorization result of <RequireAny>: granted
[Mon Jul 17 11:49:31.835221 2023] [core:trace3] [pid 17597] request.c(312): [client 10.122.33.54:50130] request authorized without authentication by access_checker_ex hook: /test.git/git-upload-pack
[Mon Jul 17 11:49:31.835228 2023] [auth_gssapi:debug] [pid 17597] mod_auth_gssapi.c(702): [client 10.122.33.54:50130] GSSapiImpersonate not On, skipping impersonation.
...
[Mon Jul 17 11:49:31.837562 2023] [cgi:trace4] [pid 17597] util_script.c(529): [client 10.122.33.54:50130] Headers from script 'git-http-backend':
[Mon Jul 17 11:49:31.837571 2023] [cgi:trace4] [pid 17597] util_script.c(530): [client 10.122.33.54:50130]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Mon Jul 17 11:49:31.837574 2023] [cgi:trace4] [pid 17597] util_script.c(530): [client 10.122.33.54:50130]   Pragma: no-cache
[Mon Jul 17 11:49:31.837575 2023] [cgi:trace4] [pid 17597] util_script.c(530): [client 10.122.33.54:50130]   Cache-Control: no-cache, max-age=0, must-revalidate
[Mon Jul 17 11:49:31.837577 2023] [cgi:trace4] [pid 17597] util_script.c(530): [client 10.122.33.54:50130]   Content-Type: application/x-git-upload-pack-result
[Mon Jul 17 11:49:31.837595 2023] [http:trace3] [pid 17597] http_filters.c(1129): [client 10.122.33.54:50130] Response sent with status 200, headers:
[Mon Jul 17 11:49:31.837597 2023] [http:trace5] [pid 17597] http_filters.c(1136): [client 10.122.33.54:50130]   Date: Mon, 17 Jul 2023 15:49:31 GMT
[Mon Jul 17 11:49:31.837598 2023] [http:trace5] [pid 17597] http_filters.c(1139): [client 10.122.33.54:50130]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1
[Mon Jul 17 11:49:31.837600 2023] [http:trace4] [pid 17597] http_filters.c(958): [client 10.122.33.54:50130]   WWW-Authenticate: Negotiate <token>
[Mon Jul 17 11:49:31.837602 2023] [http:trace4] [pid 17597] http_filters.c(958): [client 10.122.33.54:50130]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Mon Jul 17 11:49:31.837603 2023] [http:trace4] [pid 17597] http_filters.c(958): [client 10.122.33.54:50130]   Pragma: no-cache
[Mon Jul 17 11:49:31.837605 2023] [http:trace4] [pid 17597] http_filters.c(958): [client 10.122.33.54:50130]   Cache-Control: no-cache, max-age=0, must-revalidate
[Mon Jul 17 11:49:31.837606 2023] [http:trace4] [pid 17597] http_filters.c(958): [client 10.122.33.54:50130]   Transfer-Encoding: chunked
[Mon Jul 17 11:49:31.837607 2023] [http:trace4] [pid 17597] http_filters.c(958): [client 10.122.33.54:50130]   Content-Type: application/x-git-upload-pack-result

Last exchange. POST resulting in 401 with no token included:

[Mon Jul 17 11:49:31.843998 2023] [core:trace5] [pid 17597] protocol.c(656): [client 10.122.33.54:50130] Request received from client: POST /git/repo/test.git/git-upload-pack HTTP/1.1
[Mon Jul 17 11:49:31.844012 2023] [ssl:debug] [pid 17597] ssl_engine_kernel.c(225): [client 10.122.33.54:50130] AH02034: Subsequent (No.2) HTTPS request received for child 0 (server <serverName>:443)
[Mon Jul 17 11:49:31.844015 2023] [http:trace4] [pid 17597] http_request.c(323): [client 10.122.33.54:50130] Headers received from client:
[Mon Jul 17 11:49:31.844017 2023] [http:trace4] [pid 17597] http_request.c(327): [client 10.122.33.54:50130]   User-Agent: git/2.0 (libgit2 1.3.0)
[Mon Jul 17 11:49:31.844018 2023] [http:trace4] [pid 17597] http_request.c(327): [client 10.122.33.54:50130]   Host: <serverName>
[Mon Jul 17 11:49:31.844019 2023] [http:trace4] [pid 17597] http_request.c(327): [client 10.122.33.54:50130]   Accept: application/x-git-upload-pack-result
[Mon Jul 17 11:49:31.844020 2023] [http:trace4] [pid 17597] http_request.c(327): [client 10.122.33.54:50130]   Content-Type: application/x-git-upload-pack-request
[Mon Jul 17 11:49:31.844021 2023] [http:trace4] [pid 17597] http_request.c(327): [client 10.122.33.54:50130]   Content-Length: 179
[Mon Jul 17 11:49:31.844060 2023] [authz_core:debug] [pid 17597] mod_authz_core.c(809): [client 10.122.33.54:50130] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jul 17 11:49:31.844062 2023] [authz_core:debug] [pid 17597] mod_authz_core.c(809): [client 10.122.33.54:50130] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jul 17 11:49:31.844067 2023] [auth_gssapi:debug] [pid 17597] mod_auth_gssapi.c(870): [client 10.122.33.54:50130] URI: /git/repo/test.git/git-upload-pack, no main, no prev
[Mon Jul 17 11:49:31.844070 2023] [auth_gssapi:info] [pid 17597] [client 10.122.33.54:50130] NO AUTH DATA Client did not send any authentication headers
[Mon Jul 17 11:49:31.844073 2023] [core:trace3] [pid 17597] request.c(119): [client 10.122.33.54:50130] auth phase 'check user' gave status 401: /git/repo/test.git/git-upload-pack
...
[Mon Jul 17 11:49:31.884159 2023] [http:trace3] [pid 17597] http_filters.c(1129): [client 10.122.33.54:50130] Response sent with status 401, headers:
[Mon Jul 17 11:49:31.884161 2023] [http:trace5] [pid 17597] http_filters.c(1136): [client 10.122.33.54:50130]   Date: Mon, 17 Jul 2023 15:49:31 GMT
[Mon Jul 17 11:49:31.884162 2023] [http:trace5] [pid 17597] http_filters.c(1139): [client 10.122.33.54:50130]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1
[Mon Jul 17 11:49:31.884165 2023] [http:trace4] [pid 17597] http_filters.c(958): [client 10.122.33.54:50130]   WWW-Authenticate: Negotiate
[Mon Jul 17 11:49:31.884166 2023] [http:trace4] [pid 17597] http_filters.c(958): [client 10.122.33.54:50130]   Content-Length: 381
[Mon Jul 17 11:49:31.884167 2023] [http:trace4] [pid 17597] http_filters.c(958): [client 10.122.33.54:50130]   Content-Type: text/html; charset=iso-8859-1
[Mon Jul 17 11:49:31.884170 2023] [ssl:trace4] [pid 17597] ssl_engine_io.c(1515): [client 10.122.33.54:50130] coalesce: have 0 bytes, adding 234 more

ethomson · 2023-07-20T08:33:38Z

ethomson
Jul 20, 2023
Maintainer

You mentioned that it works with HTTP -- can you provide some more details there? I ask since I only see the HTTPS VirtualHost and logs. Is the set up the same sans the HTTPS setup?

Is there anything useful in your KDC logs? Is the username in the logs correctly formatted? (user@SERVER?)

Any proxy living in front that changes the port away from 443?

Does your server SPN have a port on it? eg, is it HTTP/server.name@DOMAIN or HTTP/server.name:443@DOMAIN

Same SPN for both HTTP and HTTPS?

1 reply

SASStudioDev Jul 20, 2023
Author

Yes, the HTTP setup is the same setup sans the SSL stuff.

The kdc trace log shows the credentials being acquired for the correct user but it shows user@DOMAIN rather than user@SERVER.

[5799] 1689702447.402047: Getting credentials <userName>@<DOMAIN> -> HTTP/<serverName>@<DOMAIN>using ccache FILE:/tmp/tktxr8daq
[5799] 1689702447.402048: Retrieving <userName>@<DOMAIN> -> HTTP/<serverName>@<DOMAIN> from FILE:/tmp/tktxr8daq with result: 0/Success

No proxy.

No, the server SPN does not have a port on it. SPN is formatted as HTTP/<serverName>@<DOMAIN>.
Yes, same SPN for both HTTP and HTTPS.

ethomson · 2023-07-20T15:22:08Z

ethomson
Jul 20, 2023
Maintainer

The kdc trace log shows the credentials being acquired for the correct user but it shows user@DOMAIN rather than user@SERVER.

Puzzling. I'm not a super krb5 expert, but I don't think that I've ever seen a failure where HTTP works and HTTPS doesn't. But this feels a bit sus to me. 🤨

But I don't know why it would happen. Do you have > 1 ticket (one for user@DOMAIN and one for user@SERVER)?

5 replies

SASStudioDev Jul 20, 2023
Author

But I don't know why it would happen. Do you have > 1 ticket (one for user@DOMAIN and one for user@SERVER)?

Only one ticket file gets generated when a user logs into the application. The top two lines are from the user login. The third line was generated when I tried to clone within the application. Here is the output of the ticket cache (klist -c /tmp/tktName):

Ticket cache: FILE:/tmp/tktName
Default principal: user@DOMAIN

Valid starting       Expires              Service principal
07/20/2023 14:03:33  07/21/2023 00:03:33  app-launcher/applicationServerName@DOMAIN
        renew until 07/21/2023 14:03:33
07/20/2023 12:00:10  07/20/2023 22:00:10  krbtgt/DOMAIN@DOMAIN
        for client app-launcher/applicationServerName@DOMAIN, renew until 07/27/2023 12:00:10
07/20/2023 14:05:10  07/20/2023 22:00:10  HTTP/gitServerName@DOMAIN
        renew until 07/27/2023 12:00:10

Also I set the git server back up for http so I could get the log output. We still get a 401 on the git-upload-pack POST but its followed up with application/x-git-upload-pack-result request with another POST with a token included.

Here is the configuration and the log output of a successful clone attempt:
git.conf:

<VirtualHost *:80>
  ServerName <serverName>
  SetEnv GIT_HTTP_EXPORT_ALL

  Include conf.d/git-repo.include

</VirtualHost>

git-repo.include:

ScriptAlias /git/repo /usr/libexec/git-core/git-http-backend/
<LocationMatch "^/git/repo">
  SetEnv GIT_PROJECT_ROOT /var/www/git

  AuthType GSSAPI
  AuthName <authName>
  GssapiCredStore keytab:<keytabPath>
  GssapiLocalName On
  GSSapiImpersonate On

  Require valid-user

</LocationMatch>

<Files "git-http-backend">
  LogLevel trace6
  SetEnv GIT_PROJECT_ROOT /var/www/git
  AuthType GSSAPI
  AuthName <authName>
  GssapiCredStore keytab:<keytabPath>
  GssapiLocalName On
  GSSapiImpersonate On
</Files>

access_log:

10.122.33.54 - - [20/Jul/2023:12:01:05 -0400] "GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1" 401 381 "-" "git/2.0 (libgit2 1.3.0)"
10.122.33.54 - userName [20/Jul/2023:12:01:05 -0400] "GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1" 200 343 "-" "git/2.0 (libgit2 1.3.0)"
10.122.33.54 - - [20/Jul/2023:12:01:05 -0400] "POST /git/repo/test.git/git-upload-pack HTTP/1.1" 401 381 "-" "git/2.0 (libgit2 1.3.0)"
10.122.33.54 - userName [20/Jul/2023:12:01:05 -0400] "POST /git/repo/test.git/git-upload-pack HTTP/1.1" 200 1496 "-" "git/2.0 (libgit2 1.3.0)"

error_log:

[Thu Jul 20 12:01:05.395583 2023] [core:trace5] [pid 18853] protocol.c(656): [client 10.122.33.54:44148] Request received from client: GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1
[Thu Jul 20 12:01:05.395674 2023] [http:trace4] [pid 18853] http_request.c(323): [client 10.122.33.54:44148] Headers received from client:
[Thu Jul 20 12:01:05.395676 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   User-Agent: git/2.0 (libgit2 1.3.0)
[Thu Jul 20 12:01:05.395678 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   Host: <serverName>
[Thu Jul 20 12:01:05.395679 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   Accept: */*
[Thu Jul 20 12:01:05.396332 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Jul 20 12:01:05.396342 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jul 20 12:01:05.396361 2023] [auth_gssapi:debug] [pid 18853] mod_auth_gssapi.c(870): [client 10.122.33.54:44148] URI: /git/repo/test.git/info/refs, no main, no prev
[Thu Jul 20 12:01:05.396369 2023] [auth_gssapi:info] [pid 18853] [client 10.122.33.54:44148] NO AUTH DATA Client did not send any authentication headers
[Thu Jul 20 12:01:05.396375 2023] [core:trace3] [pid 18853] request.c(119): [client 10.122.33.54:44148] auth phase 'check user' gave status 401: /git/repo/test.git/info/refs
[Thu Jul 20 12:01:05.396435 2023] [http:trace3] [pid 18853] http_filters.c(1129): [client 10.122.33.54:44148] Response sent with status 401, headers:
[Thu Jul 20 12:01:05.396439 2023] [http:trace5] [pid 18853] http_filters.c(1136): [client 10.122.33.54:44148]   Date: Thu, 20 Jul 2023 16:01:05 GMT
[Thu Jul 20 12:01:05.396440 2023] [http:trace5] [pid 18853] http_filters.c(1139): [client 10.122.33.54:44148]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1
[Thu Jul 20 12:01:05.396442 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   WWW-Authenticate: Negotiate
[Thu Jul 20 12:01:05.396444 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   Content-Length: 381
[Thu Jul 20 12:01:05.396445 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   Content-Type: text/html; charset=iso-8859-1
...
[Thu Jul 20 12:01:05.413665 2023] [core:trace5] [pid 18853] protocol.c(656): [client 10.122.33.54:44148] Request received from client: GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1
[Thu Jul 20 12:01:05.413712 2023] [http:trace4] [pid 18853] http_request.c(323): [client 10.122.33.54:44148] Headers received from client:
[Thu Jul 20 12:01:05.413714 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   User-Agent: git/2.0 (libgit2 1.3.0)
[Thu Jul 20 12:01:05.413716 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   Host: <serverName>
[Thu Jul 20 12:01:05.413717 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   Accept: */*
[Thu Jul 20 12:01:05.413720 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   Authorization: Negotiate <token>
[Thu Jul 20 12:01:05.413782 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Jul 20 12:01:05.413784 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jul 20 12:01:05.413790 2023] [auth_gssapi:debug] [pid 18853] mod_auth_gssapi.c(870): [client 10.122.33.54:44148] URI: /git/repo/test.git/info/refs, no main, no prev
[Thu Jul 20 12:01:05.421673 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of Require valid-user : granted
[Thu Jul 20 12:01:05.421686 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of <RequireAny>: granted
[Thu Jul 20 12:01:05.421933 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of Require all granted: granted
[Thu Jul 20 12:01:05.421939 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of <RequireAny>: granted
[Thu Jul 20 12:01:05.421941 2023] [core:trace3] [pid 18853] request.c(312): [client 10.122.33.54:44148] request authorized without authentication by access_checker_ex hook: /test.git/info/refs
...
[Thu Jul 20 12:01:05.424578 2023] [cgi:trace4] [pid 18853] util_script.c(529): [client 10.122.33.54:44148] Headers from script 'git-http-backend':
[Thu Jul 20 12:01:05.424594 2023] [cgi:trace4] [pid 18853] util_script.c(530): [client 10.122.33.54:44148]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Thu Jul 20 12:01:05.424597 2023] [cgi:trace4] [pid 18853] util_script.c(530): [client 10.122.33.54:44148]   Pragma: no-cache
[Thu Jul 20 12:01:05.424599 2023] [cgi:trace4] [pid 18853] util_script.c(530): [client 10.122.33.54:44148]   Cache-Control: no-cache, max-age=0, must-revalidate
[Thu Jul 20 12:01:05.424600 2023] [cgi:trace4] [pid 18853] util_script.c(530): [client 10.122.33.54:44148]   Content-Type: application/x-git-upload-pack-advertisement
[Thu Jul 20 12:01:05.424619 2023] [http:trace3] [pid 18853] http_filters.c(1129): [client 10.122.33.54:44148] Response sent with status 200, headers:
[Thu Jul 20 12:01:05.424621 2023] [http:trace5] [pid 18853] http_filters.c(1136): [client 10.122.33.54:44148]   Date: Thu, 20 Jul 2023 16:01:05 GMT
[Thu Jul 20 12:01:05.424622 2023] [http:trace5] [pid 18853] http_filters.c(1139): [client 10.122.33.54:44148]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1
[Thu Jul 20 12:01:05.424625 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   WWW-Authenticate: Negotiate <token>
[Thu Jul 20 12:01:05.424630 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Thu Jul 20 12:01:05.424632 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   Pragma: no-cache
[Thu Jul 20 12:01:05.424633 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   Cache-Control: no-cache, max-age=0, must-revalidate
[Thu Jul 20 12:01:05.424634 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   Transfer-Encoding: chunked
[Thu Jul 20 12:01:05.424635 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   Content-Type: application/x-git-upload-pack-advertisement
...
[Thu Jul 20 12:01:05.433579 2023] [core:trace5] [pid 18853] protocol.c(656): [client 10.122.33.54:44148] Request received from client: POST /git/repo/test.git/git-upload-pack HTTP/1.1
[Thu Jul 20 12:01:05.433615 2023] [http:trace4] [pid 18853] http_request.c(323): [client 10.122.33.54:44148] Headers received from client:
[Thu Jul 20 12:01:05.433617 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   User-Agent: git/2.0 (libgit2 1.3.0)
[Thu Jul 20 12:01:05.433619 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   Host: <serverName>
[Thu Jul 20 12:01:05.433620 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   Accept: application/x-git-upload-pack-result
[Thu Jul 20 12:01:05.433622 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   Content-Type: application/x-git-upload-pack-request
[Thu Jul 20 12:01:05.433623 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   Content-Length: 4
[Thu Jul 20 12:01:05.433671 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Jul 20 12:01:05.433673 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jul 20 12:01:05.433679 2023] [auth_gssapi:debug] [pid 18853] mod_auth_gssapi.c(870): [client 10.122.33.54:44148] URI: /git/repo/test.git/git-upload-pack, no main, no prev
[Thu Jul 20 12:01:05.433682 2023] [auth_gssapi:info] [pid 18853] [client 10.122.33.54:44148] NO AUTH DATA Client did not send any authentication headers
[Thu Jul 20 12:01:05.433685 2023] [core:trace3] [pid 18853] request.c(119): [client 10.122.33.54:44148] auth phase 'check user' gave status 401: /git/repo/test.git/git-upload-pack
[Thu Jul 20 12:01:05.473158 2023] [http:trace3] [pid 18853] http_filters.c(1129): [client 10.122.33.54:44148] Response sent with status 401, headers:
[Thu Jul 20 12:01:05.473184 2023] [http:trace5] [pid 18853] http_filters.c(1136): [client 10.122.33.54:44148]   Date: Thu, 20 Jul 2023 16:01:05 GMT
[Thu Jul 20 12:01:05.473194 2023] [http:trace5] [pid 18853] http_filters.c(1139): [client 10.122.33.54:44148]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1
[Thu Jul 20 12:01:05.473196 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   WWW-Authenticate: Negotiate
[Thu Jul 20 12:01:05.473198 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   Content-Length: 381
[Thu Jul 20 12:01:05.473199 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   Content-Type: text/html; charset=iso-8859-1
...
[Thu Jul 20 12:01:05.483791 2023] [core:trace5] [pid 18853] protocol.c(656): [client 10.122.33.54:44148] Request received from client: POST /git/repo/test.git/git-upload-pack HTTP/1.1
[Thu Jul 20 12:01:05.483851 2023] [http:trace4] [pid 18853] http_request.c(323): [client 10.122.33.54:44148] Headers received from client:
[Thu Jul 20 12:01:05.483853 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   User-Agent: git/2.0 (libgit2 1.3.0)
[Thu Jul 20 12:01:05.483855 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   Host: <serverName>
[Thu Jul 20 12:01:05.483856 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   Accept: application/x-git-upload-pack-result
[Thu Jul 20 12:01:05.483858 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   Content-Type: application/x-git-upload-pack-request
[Thu Jul 20 12:01:05.483859 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   Content-Length: 179
[Thu Jul 20 12:01:05.483862 2023] [http:trace4] [pid 18853] http_request.c(327): [client 10.122.33.54:44148]   Authorization: Negotiate <token>
[Thu Jul 20 12:01:05.483928 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Jul 20 12:01:05.483931 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jul 20 12:01:05.483937 2023] [auth_gssapi:debug] [pid 18853] mod_auth_gssapi.c(870): [client 10.122.33.54:44148] URI: /git/repo/test.git/git-upload-pack, no main, no prev
[Thu Jul 20 12:01:05.485491 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of Require valid-user : granted
[Thu Jul 20 12:01:05.485501 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of <RequireAny>: granted
[Thu Jul 20 12:01:05.485581 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of Require all granted: granted
[Thu Jul 20 12:01:05.485584 2023] [authz_core:debug] [pid 18853] mod_authz_core.c(809): [client 10.122.33.54:44148] AH01626: authorization result of <RequireAny>: granted
[Thu Jul 20 12:01:05.485586 2023] [core:trace3] [pid 18853] request.c(312): [client 10.122.33.54:44148] request authorized without authentication by access_checker_ex hook: /test.git/git-upload-pack
...
[Thu Jul 20 12:01:05.487950 2023] [cgi:trace4] [pid 18853] util_script.c(529): [client 10.122.33.54:44148] Headers from script 'git-http-backend':
[Thu Jul 20 12:01:05.487961 2023] [cgi:trace4] [pid 18853] util_script.c(530): [client 10.122.33.54:44148]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Thu Jul 20 12:01:05.487963 2023] [cgi:trace4] [pid 18853] util_script.c(530): [client 10.122.33.54:44148]   Pragma: no-cache
[Thu Jul 20 12:01:05.487965 2023] [cgi:trace4] [pid 18853] util_script.c(530): [client 10.122.33.54:44148]   Cache-Control: no-cache, max-age=0, must-revalidate
[Thu Jul 20 12:01:05.487966 2023] [cgi:trace4] [pid 18853] util_script.c(530): [client 10.122.33.54:44148]   Content-Type: application/x-git-upload-pack-result
[Thu Jul 20 12:01:05.487980 2023] [http:trace3] [pid 18853] http_filters.c(1129): [client 10.122.33.54:44148] Response sent with status 200, headers:
[Thu Jul 20 12:01:05.487983 2023] [http:trace5] [pid 18853] http_filters.c(1136): [client 10.122.33.54:44148]   Date: Thu, 20 Jul 2023 16:01:05 GMT
[Thu Jul 20 12:01:05.487985 2023] [http:trace5] [pid 18853] http_filters.c(1139): [client 10.122.33.54:44148]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1
[Thu Jul 20 12:01:05.487987 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   WWW-Authenticate: Negotiate <token>
[Thu Jul 20 12:01:05.487989 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Thu Jul 20 12:01:05.487990 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   Pragma: no-cache
[Thu Jul 20 12:01:05.487991 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   Cache-Control: no-cache, max-age=0, must-revalidate
[Thu Jul 20 12:01:05.487997 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   Transfer-Encoding: chunked
[Thu Jul 20 12:01:05.487999 2023] [http:trace4] [pid 18853] http_filters.c(958): [client 10.122.33.54:44148]   Content-Type: application/x-git-upload-pack-result

ethomson Jul 20, 2023
Maintainer

Thanks for the details. I'm still pretty stumped. One thing I can do though is copy/paste our Apache config for test.libgit2.org which has a krb5 over https setup in Apache, so there may be something there that's helpful. (I can do this tomorrow.)

ethomson Jul 21, 2023
Maintainer

Oh - I forgot to ask one question - does your setup work with git itself over HTTP and / or HTTPS?

Our setup is rather different. We're using mod_auth_kerb:

<VirtualHost _default_:443>
  DocumentRoot /var/www/html
  SSLEngine on
  ErrorLog ...
  CustomLog ...

  SSLCertificateFile ...
  SSLCertificateKeyFile ...

  <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
  </Directory>

  SetEnv GIT_PROJECT_ROOT /data/git
  SetEnv GIT_HTTP_EXPORT_ALL
  SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER

  ScriptAlias /anonymous/ /usr/lib/git-core/git-http-backend/
  ScriptAlias /basic/ /usr/lib/git-core/git-http-backend/
  ScriptAlias /kerberos/ /usr/lib/git-core/git-http-backend/

  <Directory /usr/lib/git-core>
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
  </Directory>

  <Location /basic>
    AuthType Basic
    AuthName "Git"
    AuthUserFile /etc/apache2/git.passwd
    Require valid-user
  </Location>

  <Location /kerberos/>
    AuthType Kerberos
    AuthName "Git"
    KrbAuthRealm LIBGIT2.ORG
    KrbServiceName HTTP/test.libgit2.org@LIBGIT2.ORG
    Krb5KeyTab "/etc/apache2/http.keytab"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    # KrbSaveCredentials on
    # KrbVerifyKDC on
    Require valid-user
  </Location>
</VirtualHost>

SASStudioDev Jul 21, 2023
Author

Sorry got sidetracked today.

I haven't configured git itself to use kerberos authentication in the test environment but I know the user that I'm debugging the problem for was able to clone using git itself in their environment which my test environment mimics.

I'll look into getting my test environment to use mod_auth_kerb to see if that makes a difference on Monday.

ethomson Jul 21, 2023
Maintainer

That would be helpful. I won't have a lot of time to experiment but I'd like to try mod_auth_gssapi on my test system as well.

SASStudioDev · 2023-07-28T18:23:02Z

SASStudioDev
Jul 28, 2023
Author

Finally got back around to this.

I configured the test environment with mod_auth_kerb and the results are the same. It works over HTTP but not HTTPS. See below:

Apache Config (currently setup for http):

#Listen 443
#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
#<VirtualHost _default_:443>
<VirtualHost _default_:80>
  DocumentRoot /var/www/html
  #SSLEngine On

  #SSLCertificateFile <sslCertPath>
  #SSLCertificateKeyFile <sslCertKeyFilePath>

  SetEnv GIT_PROJECT_ROOT /var/www/git
  SetEnv GIT_HTTP_EXPORT_ALL

  ScriptAlias /git/repo /usr/libexec/git-core/git-http-backend/
  <LocationMatch "^/git/repo">
    #SetEnv GIT_PROJECT_ROOT /var/www/git

    AuthType Kerberos
    AuthName "Git"
    KrbAuthRealm DOMAIN
    KrbServiceName HTTP/serverName@DOMAIN
    Krb5KeyTab "<keyTabPath>"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off

    Require valid-user

  </LocationMatch>

  <Files "git-http-backend">
    LogLevel trace6
    #SetEnv GIT_PROJECT_ROOT /var/www/git
    AuthType Kerberos
    AuthName "Git"
    KrbAuthRealm DOMAIN
    KrbServiceName HTTP/serverName@DOMAIN
    Krb5KeyTab "<keyTabPath>"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
  </Files>
</VirtualHost>

HTTPS Logs:

**access_log**
10.122.33.54 - - [28/Jul/2023:10:14:02 -0400] "GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1" 401 381 "-" "git/2.0 (libgit2 1.3.0)"
10.122.33.54 - userName@DOMAIN [28/Jul/2023:10:14:02 -0400] "GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1" 200 343 "-" "git/2.0 (libgit2 1.3.0)"
10.122.33.54 - userName@DOMAIN [28/Jul/2023:10:14:02 -0400] "POST /git/repo/test.git/git-upload-pack HTTP/1.1" 200 - "-" "git/2.0 (libgit2 1.3.0)"
10.122.33.54 - - [28/Jul/2023:10:14:02 -0400] "POST /git/repo/test.git/git-upload-pack HTTP/1.1" 401 381 "-" "git/2.0 (libgit2 1.3.0)"


**error_log**
...
[Fri Jul 28 10:14:02.334102 2023] [core:trace5] [pid 16006] protocol.c(656): [client 10.122.33.54:40206] Request received from client: GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1
[Fri Jul 28 10:14:02.334150 2023] [ssl:debug] [pid 16006] ssl_engine_kernel.c(225): [client 10.122.33.54:40206] AH02034: Initial (No.1) HTTPS request received for child 1 (server serverName:443)
[Fri Jul 28 10:14:02.334156 2023] [http:trace4] [pid 16006] http_request.c(323): [client 10.122.33.54:40206] Headers received from client:
[Fri Jul 28 10:14:02.334157 2023] [http:trace4] [pid 16006] http_request.c(327): [client 10.122.33.54:40206]   User-Agent: git/2.0 (libgit2 1.3.0)
[Fri Jul 28 10:14:02.334161 2023] [http:trace4] [pid 16006] http_request.c(327): [client 10.122.33.54:40206]   Host: serverName
[Fri Jul 28 10:14:02.334162 2023] [http:trace4] [pid 16006] http_request.c(327): [client 10.122.33.54:40206]   Accept: */*
[Fri Jul 28 10:14:02.334501 2023] [authz_core:debug] [pid 16006] mod_authz_core.c(809): [client 10.122.33.54:40206] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Jul 28 10:14:02.334504 2023] [authz_core:debug] [pid 16006] mod_authz_core.c(809): [client 10.122.33.54:40206] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Fri Jul 28 10:14:02.334520 2023] [auth_kerb:debug] [pid 16006] src/mod_auth_kerb.c(1954): [client 10.122.33.54:40206] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jul 28 10:14:02.334526 2023] [core:trace3] [pid 16006] request.c(119): [client 10.122.33.54:40206] auth phase 'check user' gave status 401: /git/repo/test.git/info/refs
[Fri Jul 28 10:14:02.334556 2023] [http:trace3] [pid 16006] http_filters.c(1129): [client 10.122.33.54:40206] Response sent with status 401, headers:
[Fri Jul 28 10:14:02.334557 2023] [http:trace5] [pid 16006] http_filters.c(1136): [client 10.122.33.54:40206]   Date: Fri, 28 Jul 2023 14:14:02 GMT
[Fri Jul 28 10:14:02.334559 2023] [http:trace5] [pid 16006] http_filters.c(1139): [client 10.122.33.54:40206]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
[Fri Jul 28 10:14:02.334560 2023] [http:trace4] [pid 16006] http_filters.c(958): [client 10.122.33.54:40206]   WWW-Authenticate: Negotiate
[Fri Jul 28 10:14:02.334561 2023] [http:trace4] [pid 16006] http_filters.c(958): [client 10.122.33.54:40206]   Content-Length: 381
[Fri Jul 28 10:14:02.334563 2023] [http:trace4] [pid 16006] http_filters.c(958): [client 10.122.33.54:40206]   Content-Type: text/html; charset=iso-8859-1
[Fri Jul 28 10:14:02.334565 2023] [ssl:trace4] [pid 16006] ssl_engine_io.c(1515): [client 10.122.33.54:40206] coalesce: have 0 bytes, adding 230 more
...
[Fri Jul 28 10:14:02.355332 2023] [core:trace5] [pid 16006] protocol.c(656): [client 10.122.33.54:40206] Request received from client: GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1
[Fri Jul 28 10:14:02.355347 2023] [ssl:debug] [pid 16006] ssl_engine_kernel.c(225): [client 10.122.33.54:40206] AH02034: Subsequent (No.2) HTTPS request received for child 1 (server serverName:443)
[Fri Jul 28 10:14:02.355350 2023] [http:trace4] [pid 16006] http_request.c(323): [client 10.122.33.54:40206] Headers received from client:
[Fri Jul 28 10:14:02.355354 2023] [http:trace4] [pid 16006] http_request.c(327): [client 10.122.33.54:40206]   User-Agent: git/2.0 (libgit2 1.3.0)
[Fri Jul 28 10:14:02.355355 2023] [http:trace4] [pid 16006] http_request.c(327): [client 10.122.33.54:40206]   Host: serverName
[Fri Jul 28 10:14:02.355356 2023] [http:trace4] [pid 16006] http_request.c(327): [client 10.122.33.54:40206]   Accept: */*
[Fri Jul 28 10:14:02.355360 2023] [http:trace4] [pid 16006] http_request.c(327): [client 10.122.33.54:40206]   Authorization: Negotiate <token>
[Fri Jul 28 10:14:02.355388 2023] [authz_core:debug] [pid 16006] mod_authz_core.c(809): [client 10.122.33.54:40206] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Jul 28 10:14:02.355390 2023] [authz_core:debug] [pid 16006] mod_authz_core.c(809): [client 10.122.33.54:40206] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Fri Jul 28 10:14:02.355395 2023] [auth_kerb:debug] [pid 16006] src/mod_auth_kerb.c(1954): [client 10.122.33.54:40206] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jul 28 10:14:02.355417 2023] [auth_kerb:debug] [pid 16006] src/mod_auth_kerb.c(1295): [client 10.122.33.54:40206] Acquiring creds for HTTP/serverName@DOMAIN
[Fri Jul 28 10:14:02.356884 2023] [auth_kerb:debug] [pid 16006] src/mod_auth_kerb.c(1708): [client 10.122.33.54:40206] Verifying client data using KRB5 GSS-API
[Fri Jul 28 10:14:02.357573 2023] [auth_kerb:debug] [pid 16006] src/mod_auth_kerb.c(1724): [client 10.122.33.54:40206] Client didn't delegate us their credential
[Fri Jul 28 10:14:02.357583 2023] [auth_kerb:debug] [pid 16006] src/mod_auth_kerb.c(1743): [client 10.122.33.54:40206] GSS-API token of length 186 bytes will be sent back
[Fri Jul 28 10:14:02.357621 2023] [authz_core:debug] [pid 16006] mod_authz_core.c(809): [client 10.122.33.54:40206] AH01626: authorization result of Require valid-user : granted
[Fri Jul 28 10:14:02.357625 2023] [authz_core:debug] [pid 16006] mod_authz_core.c(809): [client 10.122.33.54:40206] AH01626: authorization result of <RequireAny>: granted
[Fri Jul 28 10:14:02.357737 2023] [authz_core:debug] [pid 16006] mod_authz_core.c(809): [client 10.122.33.54:40206] AH01626: authorization result of Require all granted: granted
[Fri Jul 28 10:14:02.357742 2023] [authz_core:debug] [pid 16006] mod_authz_core.c(809): [client 10.122.33.54:40206] AH01626: authorization result of <RequireAny>: granted
[Fri Jul 28 10:14:02.357744 2023] [core:trace3] [pid 16006] request.c(312): [client 10.122.33.54:40206] request authorized without authentication by access_checker_ex hook: /test.git/info/refs
[Fri Jul 28 10:14:02.360233 2023] [cgi:trace4] [pid 16006] util_script.c(529): [client 10.122.33.54:40206] Headers from script 'git-http-backend':
[Fri Jul 28 10:14:02.360245 2023] [cgi:trace4] [pid 16006] util_script.c(530): [client 10.122.33.54:40206]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Fri Jul 28 10:14:02.360248 2023] [cgi:trace4] [pid 16006] util_script.c(530): [client 10.122.33.54:40206]   Pragma: no-cache
[Fri Jul 28 10:14:02.360249 2023] [cgi:trace4] [pid 16006] util_script.c(530): [client 10.122.33.54:40206]   Cache-Control: no-cache, max-age=0, must-revalidate
[Fri Jul 28 10:14:02.360251 2023] [cgi:trace4] [pid 16006] util_script.c(530): [client 10.122.33.54:40206]   Content-Type: application/x-git-upload-pack-advertisement
[Fri Jul 28 10:14:02.360278 2023] [http:trace3] [pid 16006] http_filters.c(1129): [client 10.122.33.54:40206] Response sent with status 200, headers:
[Fri Jul 28 10:14:02.360280 2023] [http:trace5] [pid 16006] http_filters.c(1136): [client 10.122.33.54:40206]   Date: Fri, 28 Jul 2023 14:14:02 GMT
[Fri Jul 28 10:14:02.360281 2023] [http:trace5] [pid 16006] http_filters.c(1139): [client 10.122.33.54:40206]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
[Fri Jul 28 10:14:02.360283 2023] [http:trace4] [pid 16006] http_filters.c(958): [client 10.122.33.54:40206]   WWW-Authenticate: Negotiate <token>
[Fri Jul 28 10:14:02.360285 2023] [http:trace4] [pid 16006] http_filters.c(958): [client 10.122.33.54:40206]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Fri Jul 28 10:14:02.360286 2023] [http:trace4] [pid 16006] http_filters.c(958): [client 10.122.33.54:40206]   Pragma: no-cache
[Fri Jul 28 10:14:02.360288 2023] [http:trace4] [pid 16006] http_filters.c(958): [client 10.122.33.54:40206]   Cache-Control: no-cache, max-age=0, must-revalidate
[Fri Jul 28 10:14:02.360289 2023] [http:trace4] [pid 16006] http_filters.c(958): [client 10.122.33.54:40206]   Transfer-Encoding: chunked
[Fri Jul 28 10:14:02.360290 2023] [http:trace4] [pid 16006] http_filters.c(958): [client 10.122.33.54:40206]   Content-Type: application/x-git-upload-pack-advertisement
...
[Fri Jul 28 10:14:02.391771 2023] [core:trace5] [pid 16005] protocol.c(656): [client 10.122.33.54:40212] Request received from client: POST /git/repo/test.git/git-upload-pack HTTP/1.1
[Fri Jul 28 10:14:02.391808 2023] [ssl:debug] [pid 16005] ssl_engine_kernel.c(225): [client 10.122.33.54:40212] AH02034: Initial (No.1) HTTPS request received for child 0 (server serverName:443)
[Fri Jul 28 10:14:02.391818 2023] [http:trace4] [pid 16005] http_request.c(323): [client 10.122.33.54:40212] Headers received from client:
[Fri Jul 28 10:14:02.391820 2023] [http:trace4] [pid 16005] http_request.c(327): [client 10.122.33.54:40212]   User-Agent: git/2.0 (libgit2 1.3.0)
[Fri Jul 28 10:14:02.391822 2023] [http:trace4] [pid 16005] http_request.c(327): [client 10.122.33.54:40212]   Host: serverName
[Fri Jul 28 10:14:02.391823 2023] [http:trace4] [pid 16005] http_request.c(327): [client 10.122.33.54:40212]   Accept: application/x-git-upload-pack-result
[Fri Jul 28 10:14:02.391824 2023] [http:trace4] [pid 16005] http_request.c(327): [client 10.122.33.54:40212]   Content-Type: application/x-git-upload-pack-request
[Fri Jul 28 10:14:02.391825 2023] [http:trace4] [pid 16005] http_request.c(327): [client 10.122.33.54:40212]   Content-Length: 4
[Fri Jul 28 10:14:02.391828 2023] [http:trace4] [pid 16005] http_request.c(327): [client 10.122.33.54:40212]   Authorization: Negotiate <token>
[Fri Jul 28 10:14:02.391912 2023] [authz_core:debug] [pid 16005] mod_authz_core.c(809): [client 10.122.33.54:40212] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Jul 28 10:14:02.391915 2023] [authz_core:debug] [pid 16005] mod_authz_core.c(809): [client 10.122.33.54:40212] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Fri Jul 28 10:14:02.391927 2023] [auth_kerb:debug] [pid 16005] src/mod_auth_kerb.c(1954): [client 10.122.33.54:40212] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jul 28 10:14:02.391946 2023] [auth_kerb:debug] [pid 16005] src/mod_auth_kerb.c(1295): [client 10.122.33.54:40212] Acquiring creds for HTTP/serverName@DOMAIN
[Fri Jul 28 10:14:02.393015 2023] [auth_kerb:debug] [pid 16005] src/mod_auth_kerb.c(1708): [client 10.122.33.54:40212] Verifying client data using KRB5 GSS-API
[Fri Jul 28 10:14:02.393372 2023] [auth_kerb:debug] [pid 16005] src/mod_auth_kerb.c(1724): [client 10.122.33.54:40212] Client didn't delegate us their credential
[Fri Jul 28 10:14:02.393379 2023] [auth_kerb:debug] [pid 16005] src/mod_auth_kerb.c(1743): [client 10.122.33.54:40212] GSS-API token of length 186 bytes will be sent back
[Fri Jul 28 10:14:02.393412 2023] [authz_core:debug] [pid 16005] mod_authz_core.c(809): [client 10.122.33.54:40212] AH01626: authorization result of Require valid-user : granted
[Fri Jul 28 10:14:02.393415 2023] [authz_core:debug] [pid 16005] mod_authz_core.c(809): [client 10.122.33.54:40212] AH01626: authorization result of <RequireAny>: granted
[Fri Jul 28 10:14:02.393516 2023] [authz_core:debug] [pid 16005] mod_authz_core.c(809): [client 10.122.33.54:40212] AH01626: authorization result of Require all granted: granted
[Fri Jul 28 10:14:02.393524 2023] [authz_core:debug] [pid 16005] mod_authz_core.c(809): [client 10.122.33.54:40212] AH01626: authorization result of <RequireAny>: granted
[Fri Jul 28 10:14:02.393526 2023] [core:trace3] [pid 16005] request.c(312): [client 10.122.33.54:40212] request authorized without authentication by access_checker_ex hook: /test.git/git-upload-pack
...
[Fri Jul 28 10:14:02.395402 2023] [cgi:trace4] [pid 16005] util_script.c(529): [client 10.122.33.54:40212] Headers from script 'git-http-backend':
[Fri Jul 28 10:14:02.395408 2023] [cgi:trace4] [pid 16005] util_script.c(530): [client 10.122.33.54:40212]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Fri Jul 28 10:14:02.395411 2023] [cgi:trace4] [pid 16005] util_script.c(530): [client 10.122.33.54:40212]   Pragma: no-cache
[Fri Jul 28 10:14:02.395412 2023] [cgi:trace4] [pid 16005] util_script.c(530): [client 10.122.33.54:40212]   Cache-Control: no-cache, max-age=0, must-revalidate
[Fri Jul 28 10:14:02.395414 2023] [cgi:trace4] [pid 16005] util_script.c(530): [client 10.122.33.54:40212]   Content-Type: application/x-git-upload-pack-result
[Fri Jul 28 10:14:02.395430 2023] [http:trace3] [pid 16005] http_filters.c(1129): [client 10.122.33.54:40212] Response sent with status 200, headers:
[Fri Jul 28 10:14:02.395432 2023] [http:trace5] [pid 16005] http_filters.c(1136): [client 10.122.33.54:40212]   Date: Fri, 28 Jul 2023 14:14:02 GMT
[Fri Jul 28 10:14:02.395433 2023] [http:trace5] [pid 16005] http_filters.c(1139): [client 10.122.33.54:40212]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
[Fri Jul 28 10:14:02.395435 2023] [http:trace4] [pid 16005] http_filters.c(958): [client 10.122.33.54:40212]   WWW-Authenticate: Negotiate <token>
[Fri Jul 28 10:14:02.395437 2023] [http:trace4] [pid 16005] http_filters.c(958): [client 10.122.33.54:40212]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Fri Jul 28 10:14:02.395438 2023] [http:trace4] [pid 16005] http_filters.c(958): [client 10.122.33.54:40212]   Pragma: no-cache
[Fri Jul 28 10:14:02.395439 2023] [http:trace4] [pid 16005] http_filters.c(958): [client 10.122.33.54:40212]   Cache-Control: no-cache, max-age=0, must-revalidate
[Fri Jul 28 10:14:02.395440 2023] [http:trace4] [pid 16005] http_filters.c(958): [client 10.122.33.54:40212]   Transfer-Encoding: chunked
[Fri Jul 28 10:14:02.395442 2023] [http:trace4] [pid 16005] http_filters.c(958): [client 10.122.33.54:40212]   Content-Type: application/x-git-upload-pack-result
...
[Fri Jul 28 10:14:02.402484 2023] [core:trace5] [pid 16005] protocol.c(656): [client 10.122.33.54:40212] Request received from client: POST /git/repo/test.git/git-upload-pack HTTP/1.1
[Fri Jul 28 10:14:02.402492 2023] [ssl:debug] [pid 16005] ssl_engine_kernel.c(225): [client 10.122.33.54:40212] AH02034: Subsequent (No.2) HTTPS request received for child 0 (server serverName:443)
[Fri Jul 28 10:14:02.402494 2023] [http:trace4] [pid 16005] http_request.c(323): [client 10.122.33.54:40212] Headers received from client:
[Fri Jul 28 10:14:02.402496 2023] [http:trace4] [pid 16005] http_request.c(327): [client 10.122.33.54:40212]   User-Agent: git/2.0 (libgit2 1.3.0)
[Fri Jul 28 10:14:02.402497 2023] [http:trace4] [pid 16005] http_request.c(327): [client 10.122.33.54:40212]   Host: serverName
[Fri Jul 28 10:14:02.402498 2023] [http:trace4] [pid 16005] http_request.c(327): [client 10.122.33.54:40212]   Accept: application/x-git-upload-pack-result
[Fri Jul 28 10:14:02.402499 2023] [http:trace4] [pid 16005] http_request.c(327): [client 10.122.33.54:40212]   Content-Type: application/x-git-upload-pack-request
[Fri Jul 28 10:14:02.402501 2023] [http:trace4] [pid 16005] http_request.c(327): [client 10.122.33.54:40212]   Content-Length: 179
[Fri Jul 28 10:14:02.402522 2023] [authz_core:debug] [pid 16005] mod_authz_core.c(809): [client 10.122.33.54:40212] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Jul 28 10:14:02.402524 2023] [authz_core:debug] [pid 16005] mod_authz_core.c(809): [client 10.122.33.54:40212] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Fri Jul 28 10:14:02.402529 2023] [auth_kerb:debug] [pid 16005] src/mod_auth_kerb.c(1954): [client 10.122.33.54:40212] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jul 28 10:14:02.402533 2023] [core:trace3] [pid 16005] request.c(119): [client 10.122.33.54:40212] auth phase 'check user' gave status 401: /git/repo/test.git/git-upload-pack
...
[Fri Jul 28 10:14:02.442005 2023] [http:trace3] [pid 16005] http_filters.c(1129): [client 10.122.33.54:40212] Response sent with status 401, headers:
[Fri Jul 28 10:14:02.442009 2023] [http:trace5] [pid 16005] http_filters.c(1136): [client 10.122.33.54:40212]   Date: Fri, 28 Jul 2023 14:14:02 GMT
[Fri Jul 28 10:14:02.442010 2023] [http:trace5] [pid 16005] http_filters.c(1139): [client 10.122.33.54:40212]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
[Fri Jul 28 10:14:02.442012 2023] [http:trace4] [pid 16005] http_filters.c(958): [client 10.122.33.54:40212]   WWW-Authenticate: Negotiate
[Fri Jul 28 10:14:02.442013 2023] [http:trace4] [pid 16005] http_filters.c(958): [client 10.122.33.54:40212]   Content-Length: 381
[Fri Jul 28 10:14:02.442014 2023] [http:trace4] [pid 16005] http_filters.c(958): [client 10.122.33.54:40212]   Content-Type: text/html; charset=iso-8859-1
...
[Fri Jul 28 10:14:02.442385 2023] [ssl:debug] [pid 16005] ssl_engine_io.c(993): [client 10.122.33.54:40212] AH02001: Connection closed to child 0 with standard shutdown (server serverName:443)

HTTP Logs:

**access_log**
10.122.33.54 - - [28/Jul/2023:10:56:56 -0400] "GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1" 401 381 "-" "git/2.0 (libgit2 1.3.0)"
10.122.33.54 - userName@DOMAIN [28/Jul/2023:10:56:56 -0400] "GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1" 200 343 "-" "git/2.0 (libgit2 1.3.0)"
10.122.33.54 - - [28/Jul/2023:10:56:56 -0400] "POST /git/repo/test.git/git-upload-pack HTTP/1.1" 401 381 "-" "git/2.0 (libgit2 1.3.0)"
10.122.33.54 - userName@DOMAIN [28/Jul/2023:10:56:56 -0400] "POST /git/repo/test.git/git-upload-pack HTTP/1.1" 200 1491 "-" "git/2.0 (libgit2 1.3.0)"

**error_log**
[Fri Jul 28 10:56:56.695765 2023] [core:trace5] [pid 22468] protocol.c(656): [client 10.122.33.54:34222] Request received from client: GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1
[Fri Jul 28 10:56:56.695852 2023] [http:trace4] [pid 22468] http_request.c(323): [client 10.122.33.54:34222] Headers received from client:
[Fri Jul 28 10:56:56.695856 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   User-Agent: git/2.0 (libgit2 1.3.0)
[Fri Jul 28 10:56:56.695857 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   Host: serverName
[Fri Jul 28 10:56:56.695859 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   Accept: */*
[Fri Jul 28 10:56:56.696201 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Jul 28 10:56:56.696205 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Fri Jul 28 10:56:56.696229 2023] [auth_kerb:debug] [pid 22468] src/mod_auth_kerb.c(1954): [client 10.122.33.54:34222] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jul 28 10:56:56.696240 2023] [core:trace3] [pid 22468] request.c(119): [client 10.122.33.54:34222] auth phase 'check user' gave status 401: /git/repo/test.git/info/refs
[Fri Jul 28 10:56:56.696272 2023] [http:trace3] [pid 22468] http_filters.c(1129): [client 10.122.33.54:34222] Response sent with status 401, headers:
[Fri Jul 28 10:56:56.696274 2023] [http:trace5] [pid 22468] http_filters.c(1136): [client 10.122.33.54:34222]   Date: Fri, 28 Jul 2023 14:56:56 GMT
[Fri Jul 28 10:56:56.696275 2023] [http:trace5] [pid 22468] http_filters.c(1139): [client 10.122.33.54:34222]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
[Fri Jul 28 10:56:56.696277 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   WWW-Authenticate: Negotiate
[Fri Jul 28 10:56:56.696278 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   Content-Length: 381
[Fri Jul 28 10:56:56.696280 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   Content-Type: text/html; charset=iso-8859-1
[Fri Jul 28 10:56:56.696293 2023] [core:trace6] [pid 22468] core_filters.c(525): [client 10.122.33.54:34222] core_output_filter: flushing because of FLUSH bucket
[Fri Jul 28 10:56:56.716479 2023] [core:trace5] [pid 22468] protocol.c(656): [client 10.122.33.54:34222] Request received from client: GET /git/repo/test.git/info/refs?service=git-upload-pack HTTP/1.1
[Fri Jul 28 10:56:56.716502 2023] [http:trace4] [pid 22468] http_request.c(323): [client 10.122.33.54:34222] Headers received from client:
[Fri Jul 28 10:56:56.716504 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   User-Agent: git/2.0 (libgit2 1.3.0)
[Fri Jul 28 10:56:56.716505 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   Host: serverName
[Fri Jul 28 10:56:56.716506 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   Accept: */*
[Fri Jul 28 10:56:56.716509 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   Authorization: Negotiate <token>
[Fri Jul 28 10:56:56.716543 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Jul 28 10:56:56.716546 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Fri Jul 28 10:56:56.716553 2023] [auth_kerb:debug] [pid 22468] src/mod_auth_kerb.c(1954): [client 10.122.33.54:34222] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jul 28 10:56:56.716574 2023] [auth_kerb:debug] [pid 22468] src/mod_auth_kerb.c(1295): [client 10.122.33.54:34222] Acquiring creds for HTTP/serverName@DOMAIN
[Fri Jul 28 10:56:56.717832 2023] [auth_kerb:debug] [pid 22468] src/mod_auth_kerb.c(1708): [client 10.122.33.54:34222] Verifying client data using KRB5 GSS-API
[Fri Jul 28 10:56:56.718297 2023] [auth_kerb:debug] [pid 22468] src/mod_auth_kerb.c(1724): [client 10.122.33.54:34222] Client didn't delegate us their credential
[Fri Jul 28 10:56:56.718304 2023] [auth_kerb:debug] [pid 22468] src/mod_auth_kerb.c(1743): [client 10.122.33.54:34222] GSS-API token of length 186 bytes will be sent back
[Fri Jul 28 10:56:56.718340 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of Require valid-user : granted
[Fri Jul 28 10:56:56.718343 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of <RequireAny>: granted
[Fri Jul 28 10:56:56.718461 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of Require all granted: granted
[Fri Jul 28 10:56:56.718466 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of <RequireAny>: granted
[Fri Jul 28 10:56:56.718468 2023] [core:trace3] [pid 22468] request.c(312): [client 10.122.33.54:34222] request authorized without authentication by access_checker_ex hook: /test.git/info/refs
[Fri Jul 28 10:56:56.721232 2023] [cgi:trace4] [pid 22468] util_script.c(529): [client 10.122.33.54:34222] Headers from script 'git-http-backend':
[Fri Jul 28 10:56:56.721244 2023] [cgi:trace4] [pid 22468] util_script.c(530): [client 10.122.33.54:34222]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Fri Jul 28 10:56:56.721246 2023] [cgi:trace4] [pid 22468] util_script.c(530): [client 10.122.33.54:34222]   Pragma: no-cache
[Fri Jul 28 10:56:56.721248 2023] [cgi:trace4] [pid 22468] util_script.c(530): [client 10.122.33.54:34222]   Cache-Control: no-cache, max-age=0, must-revalidate
[Fri Jul 28 10:56:56.721250 2023] [cgi:trace4] [pid 22468] util_script.c(530): [client 10.122.33.54:34222]   Content-Type: application/x-git-upload-pack-advertisement
[Fri Jul 28 10:56:56.721266 2023] [http:trace3] [pid 22468] http_filters.c(1129): [client 10.122.33.54:34222] Response sent with status 200, headers:
[Fri Jul 28 10:56:56.721268 2023] [http:trace5] [pid 22468] http_filters.c(1136): [client 10.122.33.54:34222]   Date: Fri, 28 Jul 2023 14:56:56 GMT
[Fri Jul 28 10:56:56.721269 2023] [http:trace5] [pid 22468] http_filters.c(1139): [client 10.122.33.54:34222]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
[Fri Jul 28 10:56:56.721271 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   WWW-Authenticate: Negotiate <token>
[Fri Jul 28 10:56:56.721274 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Fri Jul 28 10:56:56.721275 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   Pragma: no-cache
[Fri Jul 28 10:56:56.721276 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   Cache-Control: no-cache, max-age=0, must-revalidate
[Fri Jul 28 10:56:56.721278 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   Transfer-Encoding: chunked
[Fri Jul 28 10:56:56.721279 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   Content-Type: application/x-git-upload-pack-advertisement
[Fri Jul 28 10:56:56.721289 2023] [core:trace6] [pid 22468] core_filters.c(525): [client 10.122.33.54:34222] core_output_filter: flushing because of FLUSH bucket
[Fri Jul 28 10:56:56.722850 2023] [core:trace6] [pid 22468] core_filters.c(525): [client 10.122.33.54:34222] core_output_filter: flushing because of FLUSH bucket
[Fri Jul 28 10:56:56.723001 2023] [core:trace6] [pid 22468] core_filters.c(525): [client 10.122.33.54:34222] core_output_filter: flushing because of FLUSH bucket
[Fri Jul 28 10:56:56.723023 2023] [core:trace6] [pid 22468] core_filters.c(525): [client 10.122.33.54:34222] core_output_filter: flushing because of FLUSH bucket
[Fri Jul 28 10:56:56.723274 2023] [core:trace6] [pid 22468] core_filters.c(525): [client 10.122.33.54:34222] core_output_filter: flushing because of FLUSH bucket
[Fri Jul 28 10:56:56.730725 2023] [core:trace5] [pid 22468] protocol.c(656): [client 10.122.33.54:34222] Request received from client: POST /git/repo/test.git/git-upload-pack HTTP/1.1
[Fri Jul 28 10:56:56.730742 2023] [http:trace4] [pid 22468] http_request.c(323): [client 10.122.33.54:34222] Headers received from client:
[Fri Jul 28 10:56:56.730744 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   User-Agent: git/2.0 (libgit2 1.3.0)
[Fri Jul 28 10:56:56.730745 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   Host: serverName
[Fri Jul 28 10:56:56.730746 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   Accept: application/x-git-upload-pack-result
[Fri Jul 28 10:56:56.730748 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   Content-Type: application/x-git-upload-pack-request
[Fri Jul 28 10:56:56.730752 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   Content-Length: 4
[Fri Jul 28 10:56:56.730778 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Jul 28 10:56:56.730780 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Fri Jul 28 10:56:56.730785 2023] [auth_kerb:debug] [pid 22468] src/mod_auth_kerb.c(1954): [client 10.122.33.54:34222] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jul 28 10:56:56.730788 2023] [core:trace3] [pid 22468] request.c(119): [client 10.122.33.54:34222] auth phase 'check user' gave status 401: /git/repo/test.git/git-upload-pack
[Fri Jul 28 10:56:56.770018 2023] [http:trace3] [pid 22468] http_filters.c(1129): [client 10.122.33.54:34222] Response sent with status 401, headers:
[Fri Jul 28 10:56:56.770027 2023] [http:trace5] [pid 22468] http_filters.c(1136): [client 10.122.33.54:34222]   Date: Fri, 28 Jul 2023 14:56:56 GMT
[Fri Jul 28 10:56:56.770029 2023] [http:trace5] [pid 22468] http_filters.c(1139): [client 10.122.33.54:34222]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
[Fri Jul 28 10:56:56.770030 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   WWW-Authenticate: Negotiate
[Fri Jul 28 10:56:56.770032 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   Content-Length: 381
[Fri Jul 28 10:56:56.770033 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   Content-Type: text/html; charset=iso-8859-1
[Fri Jul 28 10:56:56.770038 2023] [core:trace6] [pid 22468] core_filters.c(525): [client 10.122.33.54:34222] core_output_filter: flushing because of FLUSH bucket
[Fri Jul 28 10:56:56.780443 2023] [core:trace5] [pid 22468] protocol.c(656): [client 10.122.33.54:34222] Request received from client: POST /git/repo/test.git/git-upload-pack HTTP/1.1
[Fri Jul 28 10:56:56.780458 2023] [http:trace4] [pid 22468] http_request.c(323): [client 10.122.33.54:34222] Headers received from client:
[Fri Jul 28 10:56:56.780460 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   User-Agent: git/2.0 (libgit2 1.3.0)
[Fri Jul 28 10:56:56.780461 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   Host: serverName
[Fri Jul 28 10:56:56.780462 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   Accept: application/x-git-upload-pack-result
[Fri Jul 28 10:56:56.780464 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   Content-Type: application/x-git-upload-pack-request
[Fri Jul 28 10:56:56.780465 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   Content-Length: 179
[Fri Jul 28 10:56:56.780468 2023] [http:trace4] [pid 22468] http_request.c(327): [client 10.122.33.54:34222]   Authorization: Negotiate <token>
[Fri Jul 28 10:56:56.780497 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Jul 28 10:56:56.780499 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Fri Jul 28 10:56:56.780504 2023] [auth_kerb:debug] [pid 22468] src/mod_auth_kerb.c(1954): [client 10.122.33.54:34222] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jul 28 10:56:56.780514 2023] [auth_kerb:debug] [pid 22468] src/mod_auth_kerb.c(1295): [client 10.122.33.54:34222] Acquiring creds for HTTP/serverName@DOMAIN
[Fri Jul 28 10:56:56.780833 2023] [auth_kerb:debug] [pid 22468] src/mod_auth_kerb.c(1708): [client 10.122.33.54:34222] Verifying client data using KRB5 GSS-API
[Fri Jul 28 10:56:56.781045 2023] [auth_kerb:debug] [pid 22468] src/mod_auth_kerb.c(1724): [client 10.122.33.54:34222] Client didn't delegate us their credential
[Fri Jul 28 10:56:56.781050 2023] [auth_kerb:debug] [pid 22468] src/mod_auth_kerb.c(1743): [client 10.122.33.54:34222] GSS-API token of length 186 bytes will be sent back
[Fri Jul 28 10:56:56.781082 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of Require valid-user : granted
[Fri Jul 28 10:56:56.781084 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of <RequireAny>: granted
[Fri Jul 28 10:56:56.781135 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of Require all granted: granted
[Fri Jul 28 10:56:56.781137 2023] [authz_core:debug] [pid 22468] mod_authz_core.c(809): [client 10.122.33.54:34222] AH01626: authorization result of <RequireAny>: granted
[Fri Jul 28 10:56:56.781138 2023] [core:trace3] [pid 22468] request.c(312): [client 10.122.33.54:34222] request authorized without authentication by access_checker_ex hook: /test.git/git-upload-pack
[Fri Jul 28 10:56:56.782898 2023] [cgi:trace4] [pid 22468] util_script.c(529): [client 10.122.33.54:34222] Headers from script 'git-http-backend':
[Fri Jul 28 10:56:56.782906 2023] [cgi:trace4] [pid 22468] util_script.c(530): [client 10.122.33.54:34222]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Fri Jul 28 10:56:56.782913 2023] [cgi:trace4] [pid 22468] util_script.c(530): [client 10.122.33.54:34222]   Pragma: no-cache
[Fri Jul 28 10:56:56.782914 2023] [cgi:trace4] [pid 22468] util_script.c(530): [client 10.122.33.54:34222]   Cache-Control: no-cache, max-age=0, must-revalidate
[Fri Jul 28 10:56:56.782916 2023] [cgi:trace4] [pid 22468] util_script.c(530): [client 10.122.33.54:34222]   Content-Type: application/x-git-upload-pack-result
[Fri Jul 28 10:56:56.782926 2023] [http:trace3] [pid 22468] http_filters.c(1129): [client 10.122.33.54:34222] Response sent with status 200, headers:
[Fri Jul 28 10:56:56.782929 2023] [http:trace5] [pid 22468] http_filters.c(1136): [client 10.122.33.54:34222]   Date: Fri, 28 Jul 2023 14:56:56 GMT
[Fri Jul 28 10:56:56.782930 2023] [http:trace5] [pid 22468] http_filters.c(1139): [client 10.122.33.54:34222]   Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
[Fri Jul 28 10:56:56.782932 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   WWW-Authenticate: Negotiate <token>
[Fri Jul 28 10:56:56.782933 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   Expires: Fri, 01 Jan 1980 00:00:00 GMT
[Fri Jul 28 10:56:56.782934 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   Pragma: no-cache
[Fri Jul 28 10:56:56.782936 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   Cache-Control: no-cache, max-age=0, must-revalidate
[Fri Jul 28 10:56:56.782937 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   Transfer-Encoding: chunked
[Fri Jul 28 10:56:56.782938 2023] [http:trace4] [pid 22468] http_filters.c(958): [client 10.122.33.54:34222]   Content-Type: application/x-git-upload-pack-result
...

0 replies

SASStudioDev · 2023-08-04T15:10:56Z

SASStudioDev
Aug 4, 2023
Author

I was able to get it to work in my test environment using gssapi.

I added the following attributes to my git-repo.include apache config file:

  GssapiBasicAuth On
  GssapiBasicAuthMech krb5

Below is the entire git apache config:
git.conf

LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
<VirtualHost *:443>
  ServerName <serverName>
  SSLEngine On
  SSLCertificateFile <sslCertFilePath>
  SSLCertificateKeyFile <sslCertKeyFilePath>
  SetEnv GIT_HTTP_EXPORT_ALL

  Include conf.d/git-repo.include

</VirtualHost>

git-repo.include

ScriptAlias /git/repo /usr/libexec/git-core/git-http-backend/
<LocationMatch "^/git/repo">
  SetEnv GIT_PROJECT_ROOT /var/www/git

  AuthType GSSAPI
  AuthName <DOMAIN>
  GssapiCredStore keytab:<keyTabPath>
  GssapiBasicAuth On
  GssapiBasicAuthMech krb5

  Require valid-user

</LocationMatch>

<Files "git-http-backend">
  LogLevel trace6
  SetEnv GIT_PROJECT_ROOT /var/www/git
  AuthType GSSAPI
  AuthName <DOMAIN>
</Files>

When I tried using mod_auth_kerb previously, I removed the basic authentication stuff and I'm wondering if thats the reason why it also didn't work in my test environment.

1 reply

ethomson Aug 5, 2023
Maintainer

Oh that's really interesting. I wonder if the problem is selection of the mechanism. One difference here is that we explicitly don't do basic over http (only https). So I wonder if that's why it's confused - maybe it's preferring basic over krb5. 🤔

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Kerberos/Apache configuration issue or libgit2 bug? #6603

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 4 comments 7 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Kerberos/Apache configuration issue or libgit2 bug? #6603

SASStudioDev Jul 19, 2023

Replies: 4 comments · 7 replies

ethomson Jul 20, 2023 Maintainer

SASStudioDev Jul 20, 2023 Author

ethomson Jul 20, 2023 Maintainer

SASStudioDev Jul 20, 2023 Author

ethomson Jul 20, 2023 Maintainer

ethomson Jul 21, 2023 Maintainer

SASStudioDev Jul 21, 2023 Author

ethomson Jul 21, 2023 Maintainer

SASStudioDev Jul 28, 2023 Author

SASStudioDev Aug 4, 2023 Author

ethomson Aug 5, 2023 Maintainer

SASStudioDev
Jul 19, 2023

Replies: 4 comments 7 replies

ethomson
Jul 20, 2023
Maintainer

SASStudioDev Jul 20, 2023
Author

ethomson
Jul 20, 2023
Maintainer

SASStudioDev Jul 20, 2023
Author

ethomson Jul 20, 2023
Maintainer

ethomson Jul 21, 2023
Maintainer

SASStudioDev Jul 21, 2023
Author

ethomson Jul 21, 2023
Maintainer

SASStudioDev
Jul 28, 2023
Author

SASStudioDev
Aug 4, 2023
Author

ethomson Aug 5, 2023
Maintainer