Git clone fails using Kerberos authentication and Git version 2.11 and newer
We configured our GitLab EE version 8.17.3 to support Kerberos authentication.
We did git clone <KRB5 path>
using Git for Windows version 2.8.2 (64bit) and it works.
On the same machine, we tried to do the same thing using Git for Windows version 2.13.0 (64bit) and 2.12.0 (64bit) and both failed.
For http path it works fine with passwords but most of our users are using SmartCard and not Password.
Logs:
Kerberos-specific configuration from /etc/gitlab/gitlab.rb
:
## Setting up Kerberos (EE only)
## See http://doc.gitlab.com/ee/integration/kerberos.html#http-git-access
gitlab_rails['kerberos_enabled'] = true
gitlab_rails['kerberos_keytab'] = "/my/keytab/location"
# gitlab_rails['kerberos_service_principal_name'] = HTTP/gitlab.example.com@EXAMPLE.COM
gitlab_rails['kerberos_use_dedicated_port'] = true
gitlab_rails['kerberos_port'] = 8443
# gitlab_rails['kerberos_https'] = true
## For setting up omniauth
## see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#omniauth-google-twitter-github-login
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['kerberos']
Output of GIT_TRACE=1 git clone <KRB5 path>
using Git for Windows 2.13.0:
$ GIT_TRACE=1 git clone <KRB5 path>
08:32:57.995723 git.c:369 trace: built-in: git 'clone' '<KRB5 path>'
Cloning into 'Test'...
08:32:58.026923 run-command.c:369 trace: run_command: 'git-remote-http' 'origin' '<KRB5 path>'
08:32:58.182924 run-command.c:369 trace: run_command: 'git credential-manager erase'
08:32:58.276525 git.c:594 trace: exec: 'git-credential-manager' 'erase'
08:32:58.276525 run-command.c:369 trace: run_command: 'git-credential-manager' 'erase'
08:32:58.432526 run-command.c:369 trace: run_command: 'git credential-manager erase'
08:32:58.510526 git.c:594 trace: exec: 'git-credential-manager' 'erase'
08:32:58.510526 run-command.c:369 trace: run_command: 'git-credential-manager' 'erase'
remote: HTTP Basic: Access denied
fatal: Authentication failed for '<KRB5 path>/'
Output of sudo gitlab-ctl tail
while reproducing the error:
Copy of the logs here. (Only GitLab internal)
Links/References:
Zendesk ticket: https://gitlab.zendesk.com/agent/tickets/76569
Edited by Collen