
Git 2.6.2 and higher sending NTLM token instead of Kerberos when Negotiate is used #611

Closed
@damnhandy

Description

I am running into an issue where I am seeing Git 2.6.2 and higher on both Windows and Linux, where the Git client appears to be selecting NTLM instead of Kerberos. I am posting here as I have been unsuccessful at getting this issue posted to the Git mailing list. Kerberos support in Git on Windows is a primary concern. Curiously, GUI programs that are using the embedded Git 1.9.5.msysgit don't seem to have this issue and work correctly.

We are in the process of setting up a Git repository manager that is sitting behind an Nginx or Apache reverse proxy, which authenticates clients using Kerberos. From a general authentication perspective, Kerberos appears to be working just fine, as browsers and cURL are authenticated just fine. Some of our developers are using Atlassian SourceTree (which uses an embedded version of git), and Kerberos authentication is working for them. Using Git 2.6.2 on the command line on the same system simply does not work.

On a Windows 7 system, I have set GIT_CURL_VERBOSE=1 to see what is going on. Atlassian SourceTree uses embedded Git 1.9.5.msysgit, and when I issue a pull request to a private repo, I get the following (token abbreviated):

```
* Adding handle: conn: 0x2fc2ac8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 2 (0x2fc2ac8) send_pipe: 1, recv_pipe: 0
* Connected to myrepo.com (0.0.0.0) port 80 (#2)
* Server auth using GSS-Negotiate with user 'myuserid'
> GET /scm/repo/my-project.git/info/refs?service=git-upload-pack HTTP/1.1

Authorization: Negotiate YIILjgYGKwYBBQUCoIILgj (Removed for Brevity) BoMAw==
User-Agent: git/1.9.5.msysgit.0
Host: myrepo.com
Accept: */*

Accept-Encoding: gzip
Pragma: no-cache

< HTTP/1.1 200 OK
< Date: Fri, 30 Oct 2015 11:20:24 GMT
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< WWW-Authenticate: Negotiate jdhslkajhfljhasdlkjfhakljsdhfkljashdflkjahsjklfhakljsdhflkah+BhDCBgaADAgEFoQMCAQ+ccccccccccccccccccccccccccccccccccccccc/Iu/n/IGu7Jo8Y9xWY6Qa1sRidU6DkVUQIVYD0+rBRorrsxjkBd1N7mDlVltgg+jMzDxk9NY/JWhwIJqXPA/oI7yjlzJ8enqPG9gyHlqSreg==
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 00:00:00 UTC
< X-AREQUESTID: @9P77Cx680x198x0
< X-ASEN: SEN-L6706246
< X-AUSERID: 1
< X-AUSERNAME: myuserid
< X-ASESSIONID: 14716nd
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Expires: Tue, 01 Jan 1980 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, max-age=0, must-revalidate
< Content-Type: application/x-git-upload-pack-advertisement
< Set-Cookie: JSESSIONID=55466CA87163DE4D5323977D7D64424C; Path=/; HttpOnly
< Via: 1.1 myrepo.com
< Connection: close
< Transfer-Encoding: chunked
```

With git/1.9.5.msysgit.0, everything works great, no issues.

On the same system using Git 2.6.2, I get the following:

```
PS C:\Users\myuserid> git clone http://myuserid@myrepo.com/scm/repo/my-repo.git
Cloning into 'random-text-files'...
* Couldn't find host myrepo.com in the _netrc file; using defaults
* timeout on name lookup is not supported
*   Trying 0.0.0.0...
* Connected to myrepo.com (0.0.0.0) port 80 (#0)
> GET /scm/repo/my-repo.git/info/refs?service=git-upload-pack HTTP/1.1
Host: myrepo.com
User-Agent: git/2.6.2.windows.1
Accept: */*
Accept-Encoding: gzip
Accept-Language: en-US, *;q=0.9
Pragma: no-cache

< HTTP/1.1 401 Authorization Required
< Date: Fri, 30 Oct 2015 18:05:10 GMT
< WWW-Authenticate: Negotiate
< Content-Length: 503
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
< 
* Closing connection 0
* Issue another request to this URL: 'http://myuserid@myrepo.com/scm/repo/my-repo.git/info/refs?service=git-upload-pack'
* Couldn't find host myrepo.com in the _netrc file; using defaults
* NTLM-proxy picked AND auth done set, clear picked!
* timeout on name lookup is not supported
* Hostname myrepo.com was found in DNS cache
*   Trying 0.0.0.0...
* Connected to myrepo.com (0.0.0.0) port 80 (#1)
> GET /scm/repo/my-repo.git/info/refs?service=git-upload-pack HTTP/1.1
Host: myrepo.com
User-Agent: git/2.6.2.windows.1
Accept: */*
Accept-Encoding: gzip
Accept-Language: en-US, *;q=0.9
Pragma: no-cache

< HTTP/1.1 401 Authorization Required
< Date: Fri, 30 Oct 2015 18:05:10 GMT
< WWW-Authenticate: Negotiate
< Content-Length: 503
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
< 
* Closing connection 1
* Issue another request to this URL: 'http://myuserid@myrepo.com/scm/repo/my-repo.git/info/refs?service=git-upload-pack'
* Couldn't find host myrepo.com in the _netrc file; using defaults
* NTLM-proxy picked AND auth done set, clear picked!
* timeout on name lookup is not supported
* Hostname myrepo.com was found in DNS cache
*   Trying 0.0.0.0...
* Connected to myrepo.com (0.0.0.0) port 80 (#2)
* Server auth using Negotiate with user 'myuserid'
> GET /scm/repo/my-repo.git/info/refs?service=git-upload-pack HTTP/1.1
Host: myrepo.com
Authorization: Negotiate TlRMTVNTUAABAAAAt4II4gXXXXXXXXXXXXXXXXXXXXXGAbEdAAAADw==
User-Agent: git/2.6.2.windows.1
Accept: */*
Accept-Encoding: gzip
Accept-Language: en-US, *;q=0.9
Pragma: no-cache

< HTTP/1.1 401 Authorization Required
< Date: Fri, 30 Oct 2015 18:05:10 GMT
< Content-Length: 503
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
< 
* Closing connection 2
Password for 'http://myuserid@myrepo.com/scm/repo/my-repo.git':
* Couldn't find host myrepo.com in the _netrc file; using defaults
* NTLM-proxy picked AND auth done set, clear picked!
* timeout on name lookup is not supported
* Hostname myrepo.com was found in DNS cache
*   Trying 0.0.0.0...
* Connected to myrepo.com (0.0.0.0) port 80 (#3)
> GET /scm/repo/my-repo.git/info/refs?service=git-upload-pack HTTP/1.1
Host: myrepo.com
User-Agent: git/2.6.2.windows.1
Accept: */*
Accept-Encoding: gzip
Accept-Language: en-US, *;q=0.9
Pragma: no-cache

< HTTP/1.1 401 Authorization Required
< Date: Fri, 30 Oct 2015 18:05:15 GMT
< WWW-Authenticate: Negotiate
< Content-Length: 503
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
< 
* Closing connection 3
fatal: Authentication failed for 'http://myuserid@myrepo.com/scm/repo/my-repo.git/'
```

And here it fails. The authentication fails at the web server and it's never hitting the Bitbucket Server behind it. I have tried this with Nginx and the spnego-http-auth-nginx-module. To rule out whether it was something with the spnego-http-auth-nginx-module implementation, I have also tried it with Apache 2.2 and mod_auth_kerb and got similar results. Here are the server-side logs from Apache:

```
[Fri Oct 30 13:14:14 2015] [debug] src/mod_auth_kerb.c(1279): [client 10.23.6.40] Acquiring creds for HTTP/myrepo.com@MY.DOMAIN
[Fri Oct 30 13:14:14 2015] [debug] src/mod_auth_kerb.c(1692): [client 10.23.6.40] Verifying client data using KRB5 GSS-API
[Fri Oct 30 13:14:14 2015] [debug] src/mod_auth_kerb.c(1708): [client 10.23.6.40] Client didn't delegate us their credential
[Fri Oct 30 13:14:14 2015] [debug] src/mod_auth_kerb.c(1736): [client 10.23.6.40] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
```

It would appear that the Git client is somehow defaulting to NTLM rather than Kerberos and causing things to break. The story is the same on the Linux side as well. Is there a similar environment variable in Git, like GIT_CURL_VERBOSE, that can be used to control the authentication mechanism being used? Or is there some more information on how Git/libcurl make the determination to use NTLM vs Kerberos?

Ryan-
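As an added diagnostic example (not code from the issue, from Git or from libcurl): the 2.6.2 trace above sends a token beginning `TlRMTVNTUAAB`, which is the base64 of the `NTLMSSP\0` signature followed by NTLM message type 1, while the 1.9.5 trace sends one beginning `YII`, a DER-wrapped GSS-API token carrying the SPNEGO OID 1.3.6.1.5.5.2. The Python below classifies the token in each `Negotiate` header the way the mod_auth_kerb warning does, so a client or proxy trace can be checked for NTLM tokens reaching a Kerberos-only endpoint; the sample header lines and tokens are constructed, not taken from the issue.

```python
import base64
import binascii
import re
import struct

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_RE = re.compile(r"^[<>]?\s*(?:Authorization|WWW-Authenticate):\s*Negotiate\s+(\S+)", re.I)

def _gss_mech_oid(raw: bytes):
    """Mechanism OID from a GSS-API InitialContextToken (RFC 2743 s3.1), or None."""
    if len(raw) < 4 or raw[0] != 0x60:               # [APPLICATION 0] tag
        return None
    i = 2 + ((raw[1] & 0x7F) if raw[1] & 0x80 else 0)  # skip short or long DER length
    if i + 2 > len(raw) or raw[i] != 0x06:           # OBJECT IDENTIFIER
        return None
    return raw[i + 2:i + 2 + raw[i + 1]]

def classify_negotiate_token(b64: str) -> str:
    """Return 'ntlm', 'spnego', 'kerberos' or 'unknown' for one base64 token."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # tolerate stripped padding
    except binascii.Error:
        return "unknown"
    if raw.startswith(NTLMSSP_SIG):                  # bare NTLMSSP message, no GSS wrapper
        return "ntlm"
    oid = _gss_mech_oid(raw)
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "unknown")

def scan_negotiate_headers(lines):
    """Classify every Negotiate token in GIT_CURL_VERBOSE-style header lines."""
    hits = (NEGOTIATE_RE.match(line.strip()) for line in lines)
    return [classify_negotiate_token(m.group(1)) for m in hits if m]

# Constructed sample tokens (not the tokens from the issue): an NTLMSSP NEGOTIATE
# (type 1) message and a minimal SPNEGO NegTokenInit shell.
NTLM_TYPE1 = NTLMSSP_SIG + struct.pack("<II", 1, 0xE20882B7) + bytes(16)
SPNEGO_INIT = b"\x60\x0a\x06\x06" + SPNEGO_OID + b"\xa0\x00"
SAMPLE_VERBOSE = [  # constructed, modelled on the GIT_CURL_VERBOSE=1 output above
    "> GET /scm/repo/my-repo.git/info/refs?service=git-upload-pack HTTP/1.1",
    "Authorization: Negotiate " + base64.b64encode(SPNEGO_INIT).decode(),
    "User-Agent: git/1.9.5.msysgit.0",
    "> GET /scm/repo/my-repo.git/info/refs?service=git-upload-pack HTTP/1.1",
    "Authorization: Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
    "User-Agent: git/2.6.2.windows.1",
]

if __name__ == "__main__":
    print(scan_negotiate_headers(SAMPLE_VERBOSE))   # ['spnego', 'ntlm']
```

A bare `WWW-Authenticate: Negotiate` challenge with no token, as in the 401 responses above, is skipped; only headers that carry a token are classified.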
