Kerberos/Apache configuration issue or libgit2 bug? #6603
You mentioned that it works with HTTP -- can you provide some more details there? I ask since I only see the HTTPS VirtualHost and logs. Is the setup the same sans the HTTPS setup? Is there anything useful in your KDC logs? Is the username in the logs correctly formatted? ( Any proxy living in front that changes the port away from 443? Does your server SPN have a port on it? eg, is it Same SPN for both HTTP and HTTPS?
Puzzling. I'm not a super krb5 expert, but I don't think that I've ever seen a failure where HTTP works and HTTPS doesn't. But this feels a bit sus to me. 🤨 But I don't know why it would happen. Do you have > 1 ticket (one for
Finally got back around to this. I configured the test environment with mod_auth_kerb and the results are the same. It works over HTTP but not HTTPS. See below:
Apache Config (currently set up for HTTP):
HTTPS Logs:
HTTP Logs:
I was able to get it to work in my test environment using gssapi. I added the following attributes to my git-repo.include apache config file:
Below is the entire git apache config:
git-repo.include
When I tried using mod_auth_kerb previously, I removed the basic authentication stuff and I'm wondering if that's the reason why it also didn't work in my test environment.
Hi,
I'm currently trying to debug an issue with Kerberos authentication and I'm stuck. Whenever a user tries to connect to the remote repository, the initial Kerberos handshake is successful but eventually fails with a 401 when sending the git-upload-pack POST. This is only happening with SSL turned on. I am able to clone, push, pull, and fetch when SSL is off.
Below is what my test environment looks like and the subsequent log files when attempting a clone. The clone attempt results in three exchanges between libgit2 and the git server. The first two result in 200s and both have a userName and a token associated with the request. The third request does not have a userName or token associated with the request which results in a 401.
Any help or input is greatly appreciated.
Thanks,
Danny
Test Environment:
Box 1: Application that uses libgit2. Libgit2 1.3.0 with Libssh2 1.10.0
CentOS 7.9.2009
OpenSSL 1.0.2k-fips
Box 2: Git Server - Apache 2.4.6 git-http-backend
CentOS 7.9.2009
OpenSSL 1.0.2k-fips
mod_auth_gssapi 1.5.1
Self-signed SSL certificate
Both boxes live in the same domain and Kerberos is configured with constrained delegation.
Apache config:
/etc/httpd/conf.d/git.conf
/etc/httpd/conf.d/git-repo.include
Logs:
Apache access_log (/etc/httpd/logs/access_log)
Apache trimmed error_log (/etc/httpd/logs/error_log)
First GET exchange resulting in 200:
First POST exchange resulting in 200:
Last exchange. POST resulting in 401 with no token included:
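The sequence described in the original post (authenticated 200s, then a git-upload-pack POST with no user that gets a 401) can be picked out of an Apache access log and told apart from the ordinary first-request Negotiate challenge. This is an added example, not code or logs from this thread; it assumes the common/combined log format (third field is the remote user), and the hosts, users and repository path in the sample are constructed.

```python
import re

# Prefix of Apache common/combined log format: %h %l %u %t "%r" %>s
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not the poster's logs); all values are made up.
SAMPLE_LOG = """\
192.0.2.10 - alice@EXAMPLE.TEST [01/Jan/2023:10:00:00 +0000] "GET /git/demo.git/info/refs?service=git-upload-pack HTTP/1.1" 200 310
192.0.2.10 - alice@EXAMPLE.TEST [01/Jan/2023:10:00:01 +0000] "POST /git/demo.git/git-upload-pack HTTP/1.1" 200 120
192.0.2.10 - - [01/Jan/2023:10:00:01 +0000] "POST /git/demo.git/git-upload-pack HTTP/1.1" 401 381
192.0.2.20 - - [01/Jan/2023:10:05:00 +0000] "GET /git/demo.git/info/refs?service=git-upload-pack HTTP/1.1" 401 381
192.0.2.20 - bob@EXAMPLE.TEST [01/Jan/2023:10:05:00 +0000] "GET /git/demo.git/info/refs?service=git-upload-pack HTTP/1.1" 200 310
"""


def find_dropped_auth(log_text):
    """Return (host, last_user, timestamp, path) for every unauthenticated
    401 POST to git-upload-pack that follows an authenticated 200 from the
    same host. A 401 with no prior success (the normal Negotiate challenge)
    is not reported."""
    last_user = {}   # host -> most recent authenticated user seen with a 200
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        host, user, status = m["host"], m["user"], int(m["status"])
        if user != "-" and status == 200:
            last_user[host] = user
        elif (user == "-" and status == 401 and m["method"] == "POST"
              and m["path"].split("?")[0].endswith("/git-upload-pack")
              and host in last_user):
            findings.append((host, last_user[host], m["ts"], m["path"]))
    return findings


if __name__ == "__main__":
    for finding in find_dropped_auth(SAMPLE_LOG):
        print("credentials missing after earlier success:", finding)
```
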