- Using Google Chrome with Kerberos authentication against Windows AD
- Test connectivity between the GitLab and Kerberos servers
- Unsupported GSSAPI mechanism
- HTTP Basic: Access denied when cloning
- Git cloning with Kerberos over proxied HTTPS
- Helpful links
Troubleshooting GitLab with Kerberos integration
When working with GitLab with Kerberos integration, you might encounter the following issues.
Using Google Chrome with Kerberos authentication against Windows AD
When you use Google Chrome to sign in to GitLab with Kerberos, you must enter your full username. For example, username@domain.com
.
If you do not enter your full username, the sign-in fails. Check the logs to see the following event message as evidence of this sign-in failure:
"message":"OmniauthKerberosController: failed to process Negotiate/Kerberos authentication: gss_accept_sec_context did not return GSS_S_COMPLETE: An unsupported mechanism was requested\nUnknown error".
Test connectivity between the GitLab and Kerberos servers
You can use utilities like kinit
and klist
to test connectivity between the GitLab server
and the Kerberos server. How you install these depends on your specific OS.
Use klist
to see the service principal names (SPN) available in your keytab
file and the encryption type for each SPN:
klist -ke /etc/http.keytab
On an Ubuntu server, the output would look similar to the following:
Keytab name: FILE:/etc/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 HTTP/my.gitlab.domain@MY.REALM (des-cbc-crc)
3 HTTP/my.gitlab.domain@MY.REALM (des-cbc-md5)
3 HTTP/my.gitlab.domain@MY.REALM (arcfour-hmac)
3 HTTP/my.gitlab.domain@MY.REALM (aes256-cts-hmac-sha1-96)
3 HTTP/my.gitlab.domain@MY.REALM (aes128-cts-hmac-sha1-96)
Use kinit
in verbose mode to test whether GitLab can use the keytab file to connect to the Kerberos server:
KRB5_TRACE=/dev/stdout kinit -kt /etc/http.keytab HTTP/my.gitlab.domain@MY.REALM
This command shows a detailed output of the authentication process.
Unsupported GSSAPI mechanism
With Kerberos SPNEGO authentication, the browser is expected to send a list of mechanisms it supports to GitLab. If it doesn’t support any of the mechanisms GitLab supports, authentication fails with a message like this in the log:
OmniauthKerberosController: failed to process Negotiate/Kerberos authentication: gss_accept_sec_context did not return GSS_S_COMPLETE: An unsupported mechanism was requested Unknown error
There are a number of potential causes and solutions for this error message.
Kerberos integration not using a dedicated port
GitLab CI/CD doesn’t work with a Kerberos-enabled GitLab instance unless the Kerberos integration is configured to use a dedicated port.
Lack of connectivity between client machine and Kerberos server
This is usually seen when the browser is unable to contact the Kerberos server
directly. It falls back to an unsupported mechanism known as
IAKERB
, which tries to use
the GitLab server as an intermediary to the Kerberos server.
If you’re experiencing this error, ensure there is connectivity between the client machine and the Kerberos server - this is a prerequisite! Traffic may be blocked by a firewall, or the DNS records may be incorrect.
GitLab DNS record is a CNAME record
error
Kerberos fails with this error when GitLab is referenced with a CNAME
record.
To resolve this issue, ensure the DNS record for GitLab is an A
record.
Mismatched forward and reverse DNS records for GitLab instance hostname
Another failure mode occurs when the forward and reverse DNS records for the
GitLab server do not match. Often, Windows clients work in this case while
Linux clients fail. They use reverse DNS while detecting the Kerberos
realm. If they get the wrong realm then ordinary Kerberos mechanisms fail,
so the client falls back to attempting to negotiate IAKERB
, leading to the
above error message.
To fix this, ensure that the forward and reverse DNS for your GitLab server
match. So for instance, if you access GitLab as gitlab.example.com
, resolving
to IP address 10.0.2.2
, then 2.2.0.10.in-addr.arpa
must be a PTR
record for
gitlab.example.com
.
Missing Kerberos libraries on browser or client machine
Finally, it’s possible that the browser or client machine lack Kerberos support completely. Ensure that the Kerberos libraries are installed and that you can authenticate to other Kerberos services.
HTTP Basic: Access denied when cloning
remote: HTTP Basic: Access denied
fatal: Authentication failed for '<KRB5 path>'
If you are using Git v2.11 or newer and see the above error when cloning, you can
set the http.emptyAuth
Git option to true
to fix this:
git config --global http.emptyAuth true
Git cloning with Kerberos over proxied HTTPS
You must comment the following if:
- You see
http://
URLs in the Clone with KRB5 Git Cloning options, whenhttps://
URLs are expected. - HTTPS is not terminated at your GitLab instance, but is instead proxied by your load balancer or local traffic manager.
# gitlab_rails['kerberos_https'] = false
See also: Git v2.11 release notes