Kerberos Spnego sign in unable to find existing account.
Summary
After configuring GitLab to enable Kerberos without allow_single_sign_on and adding a Kerberos identity to a user, obtain a Kerberos ticket as that user and try to log in to GitLab using "Sign in with Kerberos Spnego". You are returned to the sign-in page with the error "Signing in using your Kerberos account without a pre-existing GitLab account is not allowed."
Steps to reproduce
This is for a self-hosted GitLab
Follow steps to enable Kerberos integration for Omnibus package installations in https://docs.gitlab.com/ee/integration/kerberos.html
Do not turn on allow_single_sign_on, so only existing accounts can use Kerberos.
After running gitlab-ctl reconfigure, add a Kerberos identity to an existing GitLab user whose host OS account has a Kerberos principal for the realm configured in GitLab.
Log in to the host user account and obtain a Kerberos ticket. Go to the GitLab sign-in page and try to log in using Kerberos.
What is the current bug behavior?
Can't find existing account and goes back to login with error message
"Signing in using your Kerberos account without a pre-existing GitLab account is not allowed."
What is the expected correct behavior?
Log you in to user account
Relevant details.
Results of GitLab environment info
System information
System: Ubuntu 18.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.6p146
Gem Version: 2.7.10
Bundler Version:1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.9
Git Version: 2.28.0
Sidekiq Version:5.2.9
Go Version: unknown

GitLab information
Version: 13.3.0-ee
Revision: 4922d2720ac
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.7
URL: http://192.168.56.101
HTTP Clone URL: http://192.168.56.101/some-group/some-project.git
SSH Clone URL: git@192.168.56.101:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: kerberos_spnego

GitLab Shell
Version: 13.6.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
sudo gitlab-rake gitlab:check SANITIZE=true
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 13.6.0 ? ... OK (13.6.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Redis version >= 4.0.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.6)
Git version >= 2.24.0 ? ... yes (2.28.0)
Git user has default SSH configuration? ... yes
Active users: ... 599
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 6.x - 7.x? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
Adding a Kerberos identity results in a row inserted into the database identities table with the provider column containing "kerberos_spnego".
The file /opt/gitlab/embedded/service/gitlab-rails/ee/app/controllers/ee/omniauth_callbacks_controller.rb has:

    def kerberos_spnego
      oauth['provider'] = 'kerberos'
      handle_omniauth
    end

Changing oauth['provider'] to 'kerberos_spnego' allows login to work.
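
The mismatch reported above, reduced to a stand-alone Ruby model. This is an added example, not GitLab source code: the method names, the in-memory identity rows and the EXAMPLE.COM principals are constructed for illustration, and it assumes that identity lookup is an exact match on provider and external UID. Only the two provider strings and the error message come from the report.

```ruby
# Added illustration, not GitLab source. All method names are hypothetical;
# the provider strings and the error text are taken from the report.
ERROR = 'Signing in using your Kerberos account without a pre-existing ' \
        'GitLab account is not allowed.'

# Constructed sample rows standing in for the identities table.
IDENTITIES = [
  { user: 'alice', provider: 'kerberos_spnego', extern_uid: 'alice@EXAMPLE.COM' },
  { user: 'bob',   provider: 'kerberos',        extern_uid: 'bob@EXAMPLE.COM' }
].freeze

# Assumed lookup rule: exact match on (provider, extern_uid).
def find_user(identities, provider, uid)
  row = identities.find { |i| i[:provider] == provider && i[:extern_uid] == uid }
  row && row[:user]
end

# callback_provider is the value the callback writes into the auth hash
# before the lookup runs. allow_single_sign_on is off, as in the report,
# so a missed lookup ends in the error instead of a new account.
def sign_in(identities, uid, callback_provider:)
  user = find_user(identities, callback_provider, uid)
  user ? { ok: true, user: user } : { ok: false, error: ERROR }
end

# Diagnostic: Kerberos identity rows stored under a provider name that the
# callback never looks up, i.e. accounts that cannot sign in with a ticket.
def unreachable_identities(identities, callback_provider)
  identities.select do |i|
    i[:provider].start_with?('kerberos') && i[:provider] != callback_provider
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[kerberos kerberos_spnego].each do |provider|
    puts "callback provider = #{provider}"
    puts "  alice: #{sign_in(IDENTITIES, 'alice@EXAMPLE.COM', callback_provider: provider)}"
    puts "  unreachable: #{unreachable_identities(IDENTITIES, provider).map { |i| i[:user] }}"
  end
end
```

In this model, switching the callback value makes the 'kerberos_spnego' row reachable and the 'kerberos' row unreachable, so it is worth counting the rows stored under each provider name before changing the string.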