-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Git 2.6.2 and higher sending NTLM token instead of Kerberos when Negotiate is used #611
Comments
If you have posted this upstream and the issue exists on linux too, I don't think we will solve this.
You said the issue exists on 2.6.2 and newer. 1.9.5 is definitly lower than 2.6.2 |
Hi Ryan, If I remember correctly the list did have some discussion about similar authentication issues, with brian carlson being a contributor. The mailing list archives are at http://news.gmane.org/gmane.comp.version-control.git with alternates at http://marc.info/?l=git&r=1&b=201403&w=2 or http://git.661346.n2.nabble.com/, so you should be able to find something via one of them.Philip I am running into an issue where I am seeing Git 262 on both Windows, and Linux, where the Git client appears to be selecting NTLM instead of Kerberos I am posting here as I have been unsuccessful at getting this issue posted to the Git mailing list Kerberos support is Git on Windows is a primary concern Curiously, GUI programs that are using the embedded Git 195msysgit don't seem to have this issue and work correctly We are in the process of setting up a Git repository manager that is sitting behind an Nginx or Apache reverse proxy, which authenticates clients using Kerberos From a general authentication perspective, kerberos appears to be working just fine as browsers and cURL are authenticated just fine Some of our developers are using Atlasssian SourceTree (which uses an embedded version of git), and Kerberos authentication is working for them Using Git 262 on the command line on the same system simply does not work On a Windows 7 system, I have set the GIT_CURL_VERBOSE=1 to see what is going on Atlasssian SourceTree uses embedded Git 195msysgit and when I issue a pull request to private repo, I get the following (token abbreviated):
Authorization: Negotiate YIILjgYGKwYBBQUCoIILgj (Removed for Brevity) Accept-Encoding: gzip < HTTP/11 200 OK
PS C:\Users\myuserid> git clone http://myuserid@myrepocom/scm/repo/
< HTTP/11 401 Authorization Required
< HTTP/11 401 Authorization Required
< HTTP/11 401 Authorization Required
< HTTP/11 401 Authorization Required
[Fri Oct 30 13:14:14 2015] [debug] src/mod_auth_kerbc(1279): Ryan- — |
Might be related to this? |
@damnhandy when I compare the communication between the 2 releases for me it looks like that the older release is not passing any proxy but the new is passing a proxy which supports only NTLM authentication. |
@damnhandy have you tried to follow @PhilipOakley's advice? |
We also encountered this problem with |
I am running into an issue where I am seeing Git 2.6.2 and higher on both Windows and Linux, where the Git client appears to be selecting NTLM instead of Kerberos. I am posting here as I have been unsuccessful at getting this issue posted to the Git mailing list. Kerberos support is Git on Windows is a primary concern. Curiously, GUI programs that are using the embedded Git 1.9.5.msysgit don't seem to have this issue and work correctly.
We are in the process of setting up a Git repository manager that is sitting behind an Nginx or Apache reverse proxy, which authenticates clients using Kerberos. From a general authentication perspective, kerberos appears to be working just fine as browsers and cURL are authenticated just fine. Some of our developers are using Atlasssian SourceTree (which uses an embedded version of git), and Kerberos authentication is working for them. Using Git 2.6.2 on the command line on the same system simply does not work.
On a Windows 7 system, I have set the
GIT_CURL_VERBOSE=1
to see what is going on. Atlasssian SourceTree uses embedded Git 1.9.5.msysgit and when I issue a pull request to private repo, I get the following (token abbreviated):With git/1.9.5.msysgit.0, everything works great, no issues.
On the same system using Git 2.6.2, I get the following:
And here it fails. The authentication fails at the web server and it’s never hitting the Bitbucket Server behind it. I have tried this with Nginx and the spnego-http-auth-nginx-module. To rule out if it was something with the spnego-http-auth-nginx-module implementation, I have also tried it with Apache 2.2 and mod_auth_kerb and got similar results. Here is the server side logs from Apache:
It would appear that the Git client is somehow defaulting to NTLM rather than Kerberos and causing things to break. The story is the same on the Linux side as well. Is there a similar environment variable in Git like
GIT_CURL_VERBOSE
that can used to control the authentication mechanism being used? Or is there some more information on how Git/libcurl make the determination to use NTLM vs Kerberos?Ryan-
The text was updated successfully, but these errors were encountered: