git-svn - Kerberos authentication is not supported #550
@nightman68 Are you sure that this will fix the problem? You can verify your claim by following this document to rebuild krb5-devel. |
@dscho Sorry, I was not precise enough. Next try with reference to Ubuntu 15.10., earlier releases are not usable in this context! I installed your developer SDK and let's see what is linked into serf (hope it's the right lib?!) The serf library must be compiled with krb5 support and for this the krb5-devel package is required and configure for serf library must be run with the argument: I hope it's more clear now?! |
@nightman68 it is clearer now. You should be able to verify that this indeed fixes the issue by rebuilding the |
OK I tried to build the serf package but without success. Below the steps I run, please correct me if something is wrong! Just by the way - a MIT Kerberos is not part of your dist so I have to use Heimdal package?! installed git-sdk-installer-1.0.1-64.7z.exe Something is wrong with the repos.?! |
Actually, I think something is wrong with Google Code. As you can see here, the package definition calls for As you can see on their old home page, diff --git a/serf/PKGBUILD b/serf/PKGBUILD
index 54d0165..91d9fc8 100644
--- a/serf/PKGBUILD
+++ b/serf/PKGBUILD
@@ -9,7 +9,7 @@ arch=('i686' 'x86_64')
url="http://code.google.com/p/serf/"
license=('Apache')
makedepends=('scons' 'apr-util-devel')
-source=(http://serf.googlecode.com/svn/src_releases/${pkgbase}-${pkgver}.tar.bz2
+source=(https://archive.apache.org/dist/${pkgbase}/${pkgbase}-${pkgver}.tar.bz2
03-destdir.patch
05-disable-SHLIBVERSION.patch
06-strcasecmp.patch) |
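Review bot: the unchanged `url="http://code.google.com/p/serf/"` line just above the edit still points at Google Code while `source=` now downloads from archive.apache.org, so the package metadata and the download location disagree; update `url=` to the project's current home in the same commit. Because the tarball now comes from a different host, also confirm that the checksum array (not visible in this hunk) still matches the file served from the new location.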
BTW You should not need to do that explicitly. This should be part of the |
I tried again and the download was running but the build terminates with error: Any idea? I also tried to build the heimdal package, also with error: |
$ pacman -Qo /usr/include/termios.h
/usr/include/termios.h is owned by msys2-runtime-devel newlib.33764.1b3adb5-1 The |
OK, I started the wrong shell, with the right one I was able to compile serf after some modifications. The checks are not running: For the authentication to work, the curl library must also be compiled with GSSAPI support, which is disabled in the package. Here are the changes: diff --git a/curl/PKGBUILD b/curl/PKGBUILD
index bca735d..4fb5787 100644
--- a/curl/PKGBUILD
+++ b/curl/PKGBUILD
@@ -9,7 +9,7 @@ arch=('i686' 'x86_64')
url="http://curl.haxx.se"
license=('MIT')
depends=('ca-certificates')
-makedepends=('libmetalink-devel' 'libcrypt-devel' 'libidn-devel' 'libssh2-devel' 'openssl-devel' 'zlib-devel') # 'libcares-devel' 'heimdal-devel'
+makedepends=('libmetalink-devel' 'libcrypt-devel' 'libidn-devel' 'libssh2-devel' 'openssl-devel' 'zlib-devel' 'heimdal-devel') # 'libcares-devel'
options=('!libtool' 'strip' '!debug')
source=("http://curl.haxx.se/download/${pkgname}-${pkgver}.tar.bz2"{,.asc}
curl-7.32.0-msys2.patch)
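Review bot: 'heimdal-devel' is added to `makedepends=` only, while `depends=('ca-certificates')` two lines above stays as it is; if the GSSAPI-enabled curl ends up linked against Heimdal's shared libraries, the package that ships those libraries needs to be listed as a runtime dependency as well, otherwise the binary can fail to start on a system where Heimdal is not installed.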
@@ -38,7 +38,7 @@ build() {
--enable-ipv6 \
--disable-hidden-symbols \
--disable-ares \
- --without-gssapi \
+ --with-gssapi \
--with-libidn \
--with-libmetalink \
--without-librtmp \
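Review bot: `--with-gssapi` is passed without a prefix, so the result depends on what configure finds at build time, and nothing in the visible build() lines checks the outcome. Add a step that fails the build when the freshly built `curl -V` does not list GSS-API among its features, so a package without Kerberos support is caught before it is published.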
diff --git a/serf/PKGBUILD b/serf/PKGBUILD
index 54d0165..c80d8fd 100644
--- a/serf/PKGBUILD
+++ b/serf/PKGBUILD
@@ -8,7 +8,7 @@ pkgdesc="High-performance asynchronous HTTP client library"
arch=('i686' 'x86_64')
url="http://code.google.com/p/serf/"
license=('Apache')
-makedepends=('scons' 'apr-util-devel')
+makedepends=('scons' 'apr-util-devel' 'heimdal-devel' 'zlib-devel' 'openssl-devel' 'libiconv-devel')
source=(http://serf.googlecode.com/svn/src_releases/${pkgbase}-${pkgver}.tar.bz2
03-destdir.patch
05-disable-SHLIBVERSION.patch
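Review bot: the unchanged `source=(http://serf.googlecode.com/svn/src_releases/...` line in this hunk still fetches the tarball over plain HTTP from Google Code, the location the earlier patch in this thread replaced with https://archive.apache.org/dist/; rebase on that change or include it here. The new `makedepends=` also brings in 'zlib-devel', 'openssl-devel' and 'libiconv-devel' alongside 'heimdal-devel'; say in the commit message which of these the GSSAPI build needs and which fix an existing omission.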
@@ -29,6 +29,7 @@ prepare() {
build() {
cd ${pkgbase}-${pkgver}
scons PREFIX=/usr \
+ GSSAPI=/usr/bin/krb5-config \
CFLAGS="${CFLAGS}"
install -d "${srcdir}/dest/usr" |
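Review bot: `GSSAPI=/usr/bin/krb5-config` hard-codes the path of a tool that is only present once 'heimdal-devel' is installed, and the scons call shown here gives no sign if it is missing. Test for the executable before invoking scons and abort with a clear message, so the package is never built without the Kerberos support this change is meant to add.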
Good work! The next steps are to commit those changes as two separate commits with excellent commit messages and then to submit them as Pull Requests upstream (https://github.com/Alexpux/MSYS2-packages). |
@dscho: I created the commits and the pull request. I hope this works because, as you can assume, I'm from the Subversion community and still not so familiar with the Git flow. |
@nightman68 good job! For lurkers, this is the Pull Request in question: msys2/MSYS2-packages#399 |
Hi, any hint when this will be included in the git package? |
@nightman68 as per https://github.com/Alexpux/MSYS2-packages/commits/master/curl/PKGBUILD it seems that the fix made it into |
@dscho sounds good, thank you. I'm looking forward to checking it out. |
@nightman68 would you mind testing with a Git for Windows SDK? |
@dscho yes sure! Just leave a post here with the download link and I will test it before you create the release. Hope this helps. |
@nightman68 I was talking about this: https://github.com/git-for-windows/git/wiki/Making-an-installer |
@dscho OK, I followed the instructions on the page you posted and after installation the authentication is not working. I checked the serf and curl library and it looks like they are linked correctly. Give me some time to investigate the problem. I assume that it's related to some more (missing) dependencies. I'll come back when I have news. |
Thanks for following up! |
@dscho I investigated the problem and here is what I figured out with a completely new Win7 VM and the git-sdk-installer-1.0.2-64.7 package. When you start the git-bash and you follow the necessary steps like on Linux everything is working.
With the installer this is not working at the moment because no Kerberos programs are in the bundle. At least the following 3 programs are required: kinit, klist and kdestroy. I also learned that curl is not involved in running git-svn commands. But it's good to have another msys2 program to test the Kerberos auth. Of course this is not the behavior expected by a Windows user - they do not request a TGT manually .-) but I think this is a workaround. Using the git-cmd the Kerberos programs are not found - I assume the path does not include /usr/bin. I made some tests with curl and I was a bit surprised because it's using the TGT from the MS LSA - the desired behavior. Then I recognized that the (default) binary is a mingw64 program for which SSPI is enabled in the build. In the msys2 package it's not present which explains the behavior, the same as for git-svn. I had a closer look at the serf SConstruct script and I figured out that SSPI is enabled automatically for Windows. A try to patch and compile it in msys2 shell failed with a lot of errors. The same behavior in a mingw64 shell. I assume that having a serf mingw64 package would lead to the desired behavior: having the integrated Windows auth. in place. |
Could you paste the relevant output (if it is too long, the first few pages should be sufficient)? Maybe I can identify quickly what's going wrong. |
gcc -o auth/auth_spnego_gss.o -c -march=x86-64 -mtune=generic -O2 -pipe -std=c89 -Wdeclaration-after-statement -Wmissing-prototypes -Wall -O2 -DNDEBUG -DSERF_HAVE_GSSAPI -DSERF_HAVE_SSPI -I. -I/usr/include/apr-1 -I/usr/include -I/usr/include auth/auth_spnego_gss.c
gcc -o auth/auth_spnego_sspi.o -c -march=x86-64 -mtune=generic -O2 -pipe -std=c89 -Wdeclaration-after-statement -Wmissing-prototypes -Wall -O2 -DNDEBUG -DSERF_HAVE_GSSAPI -DSERF_HAVE_SSPI -I. -I/usr/include/apr-1 -I/usr/include -I/usr/include auth/auth_spnego_sspi.c
In file included from /usr/include/w32api/sspi.h:10:0,
from auth/auth_spnego_sspi.c:25:
/usr/include/w32api/ntsecapi.h:15:11: error: unknown type name ‘LONG’
typedef LONG NTSTATUS,*PNTSTATUS;
^
/usr/include/w32api/ntsecapi.h:19:11: error: unknown type name ‘ULONG’
typedef ULONG LSA_OPERATIONAL_MODE,*PLSA_OPERATIONAL_MODE;
^
In file included from /usr/include/w32api/sspi.h:10:0,
from auth/auth_spnego_sspi.c:25:
/usr/include/w32api/ntsecapi.h:52:5: error: unknown type name ‘USHORT’
USHORT Flags;
^
/usr/include/w32api/ntsecapi.h:53:5: error: unknown type name ‘USHORT’
USHORT Level;
^
/usr/include/w32api/ntsecapi.h:54:5: error: unknown type name ‘ACCESS_MASK’
ACCESS_MASK AccessMask;
^
/usr/include/w32api/ntsecapi.h:59:5: error: unknown type name ‘ULONG’
ULONG Length;
^
/usr/include/w32api/ntsecapi.h:60:5: error: unknown type name ‘ULONG_PTR’
ULONG_PTR Data[2];
^
/usr/include/w32api/ntsecapi.h:61:5: error: unknown type name ‘PVOID’
PVOID Address;
^
/usr/include/w32api/ntsecapi.h:68:5: error: unknown type name ‘ULONG’
ULONG CategoryId;
^
/usr/include/w32api/ntsecapi.h:69:5: error: unknown type name ‘ULONG’
ULONG AuditId;
^
/usr/include/w32api/ntsecapi.h:70:5: error: unknown type name ‘ULONG’
ULONG ParameterCount;
^
/usr/include/w32api/ntsecapi.h:71:5: error: unknown type name ‘ULONG’
ULONG Length;
^
/usr/include/w32api/ntsecapi.h:72:5: error: unknown type name ‘USHORT’
USHORT Type;
^
/usr/include/w32api/ntsecapi.h:73:5: error: unknown type name ‘ULONG’
ULONG Flags;
^
In file included from /usr/include/w32api/sspi.h:10:0,
from auth/auth_spnego_sspi.c:25:
/usr/include/w32api/ntsecapi.h:111:5: error: unknown type name ‘USHORT’
USHORT Length;
^
/usr/include/w32api/ntsecapi.h:112:5: error: unknown type name ‘USHORT’ |
That looks like a forgotten/missing |
For me, this patch seems to work: diff --git a/SConstruct b/SConstruct
index b05726f..48cde85 100644
--- a/SConstruct
+++ b/SConstruct
@@ -367,8 +367,11 @@ if gssapi and CALLOUT_OKAY:
return env.MergeFlags(cmd, unique)
env.ParseConfig('$GSSAPI --libs gssapi', parse_libs)
env.Append(CPPDEFINES='SERF_HAVE_GSSAPI')
-if sys.platform == 'win32':
+if sys.platform == 'win32' or sys.platform == 'msys':
env.Append(CPPDEFINES=['SERF_HAVE_SSPI'])
+ if sys.platform == 'msys':
+ env['SECUR32_LIBS'] = '-lsecur32'
+ env.Append(LIBS='secur32')
# On some systems, the -R values that APR describes never make it into actual
# RPATH flags. We'll manually map all directories in LIBPATH into new
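Review bot: the widened platform test appends `SERF_HAVE_SSPI` on msys whether or not `SERF_HAVE_GSSAPI` was appended in the line just above it, and the build log earlier in the thread already shows `-DSERF_HAVE_GSSAPI -DSERF_HAVE_SSPI` on one compile line. State which backend is used when both are defined, or make the two mutually exclusive, so that an MSYS2 build with `GSSAPI=` set does not end up authenticating through a different mechanism than the packager expects.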
@@ -385,8 +388,9 @@ pkgconfig = env.Textfile('serf-%d.pc' % (MAJOR,),
'@LIBDIR@': '$LIBDIR',
'@INCLUDE_SUBDIR@': 'serf-%d' % (MAJOR,),
'@VERSION@': '%d.%d.%d' % (MAJOR, MINOR, PATCH),
- '@LIBS@': '%s %s %s -lz' % (apu_libs, apr_libs,
- env.get('GSSAPI_LIBS', '')),
+ '@LIBS@': '%s %s %s %s -lz' % (apu_libs, apr_libs,
+ env.get('GSSAPI_LIBS', ''),
+ env.get('SECUR32_LIBS', '')),
})
env.Default(lib_static, lib_shared, pkgconfig)
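Review bot: `env.get('SECUR32_LIBS', '')` is only non-empty on msys, because the previous hunk sets `SECUR32_LIBS` inside the `sys.platform == 'msys'` branch alone, so on win32 the generated .pc file carries no `-lsecur32` although `SERF_HAVE_SSPI` is defined there too. If that is intended, a short comment next to the new format argument would make it clear; otherwise set the variable for both platforms.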
diff --git a/auth/auth_spnego_sspi.c b/auth/auth_spnego_sspi.c
index 32b719e..1f07329 100644
--- a/auth/auth_spnego_sspi.c
+++ b/auth/auth_spnego_sspi.c
@@ -22,6 +22,8 @@
#include <apr_strings.h>
#define SECURITY_WIN32
+#include <windows.h>
+#include <netdb.h>
#include <sspi.h>
/* SEC_E_MUTUAL_AUTH_FAILED is not defined in Windows Platform SDK 5.0. */ @nightman68 maybe you can take it from here? |
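Review bot: `#include <netdb.h>` is added unconditionally, but this file is also compiled for native win32 (the SConstruct hunk keeps the `sys.platform == 'win32'` case), where that POSIX header is not available; wrap the include in a platform check so the existing Windows build keeps compiling. A one-line comment that `#include <windows.h>` must precede `<sspi.h>` to supply the LONG/ULONG/USHORT types named in the earlier build errors would also help the next reader.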
@dscho yes, I will check it! |
Yeap, it works. |
Nice! Would you mind wrapping this up as a Pull Request for upstream? I am bogged down with other stuff... |
OK. I created the pull request but the checks have failed?!?! |
You need to rebase your pull request on top of our recent changes before the CI will even test them. |
OK I did but the CI build for aspell is terminating with error?! |
@mingwandroid why is |
@dscho I made some checks with an installer based on the latest release with libserf 1.3.8-3 and they run without problems. For the authentication the native MS LSA is used. I think it can be deployed with the next release. Thanks for your support! BTW: I also made some tests on issue #274 and will post the results. |
Perfect, thanks!
It will. I always update via Pacman before releasing. Thank you so much for your contribution! |
BTW: I tested it on Win 7 and Win 10 |
Very good! BTW there is a timeline for upstream's 2.8.0: http://tinyurl.com/gitCal. Unless there is a 2.7.3 (for which I do not see a reason right now), that will be the date when your improvement hits a Git for Windows release. |
I checked the authentication again with release 2.8.1 in the company (real enterprise AD setup) and it works fine. The issue can be closed as resolved. |
Thanks! |
I do apologize for commenting on this three months after this was closed. I wish to ask if this was to enable authentication with Kerberos and GSSAPI, or if it was to enable default credentials supplied via Kerberos or GSSAPI. My company has an svn server with GSSAPI enabled, and via various browsers, SharpSVN, and the curl installed with Git for Windows passing |
Sorry but I can't follow you. What do you mean by default credentials? Kerberos is using a TGT to obtain a Kerberos ticket for the SVN service principal. I made the test only for a server which is configured to use Apache with mod_auth_kerb. This configuration normally shows the list of the repositories without authentication. For access to the content of a repository the authentication is required. The first test I make is using the IE or FF to access the repos. content. For IE the integrated auth. needs to be enabled. For FF network.negotiate-auth.trusted-uris must be set to the server FQDN or just to the trailing part of it like .corp. SharpSVN I don't know; use the command line client from CollabNet, this supports Kerberos. For curl you must use --negotiate, not --ntlm. When you have to pass a proxy specify the required auth. method for the proxy as additional argument e.g. --proxy-ntlm or --proxy-negotiate |
I think I understand what you are saying, and also clearing up my misconceptions as to what this is. I do believe that we are using mod_auth_sspi as the authentication method for Apache. And, if I understand what you said, SSPI is NTLM and not Kerberos. If that is the case, then that means either I am looking for ntlm support in git-for-windows, or I need to try to enable mod_auth_kerb in apache instead of (or maybe, in addition to) mod_auth_sspi. And, by 'try to enable,' I really mean 'try to get the architect to agree to enable.' |
I don't know mod_auth_sspi, sorry. I'm using mod_auth_kerb because it is supporting all client OS like Linux, Solaris, Windows... So I think it is the best choice!? When you have a look at the conversation above and you search for SSPI you'll see that we enabled SSPI (a Microsoft "invention") which supports both: Kerberos and NTLM. So when you're using --negotiate for curl for instance it is trying first Kerberos and as next NTLM. Enable the debug mode and you see what's going on. Good luck! |
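The comment above says that `--negotiate` tries Kerberos first and NTLM next, and that debug output shows which one is in use. As an added example (not code from this thread or from Git for Windows), the Python below classifies the token on an `Authorization: Negotiate` line of the kind `curl -v` prints, by reading the SPNEGO mechanism list; the function names and returned labels are assumptions of this example, and `sample_line` builds constructed tokens rather than captured traffic.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"
SPNEGO = bytes.fromhex("2b0601050502")            # OID 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")        # OID 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")     # OID 1.2.840.48018.1.2.2 (legacy MS)
NTLM = bytes.fromhex("2b06010401823702020a")      # OID 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "kerberos", MS_KRB5: "kerberos", NTLM: "ntlm"}

def tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify(header_line):
    """Name the mechanism in an 'Authorization: Negotiate|NTLM <base64>' line."""
    parts = header_line.split()
    if len(parts) < 2 or parts[-2].lower() not in ("negotiate", "ntlm"):
        return "not-negotiate"
    try:
        tok = base64.b64decode(parts[-1], validate=True)
        if tok.startswith(NTLMSSP):     # raw NTLM message, no SPNEGO wrapper
            return "ntlm"
        tag, pos, end = tlv(tok, 0)
        if tag != 0x60:                 # 0xA1 is NegTokenResp, a later leg of the exchange
            return "spnego-response" if tag == 0xA1 else "unknown"
        tag, pos, end = tlv(tok, pos)   # thisMech OID of the GSS-API initial token
        mech = tok[pos:end]
        if tag == 0x06 and mech in MECHS:   # bare mechanism token, e.g. raw Kerberos
            return MECHS[mech]
        if tag != 0x06 or mech != SPNEGO:
            return "unknown"
        pos = end                       # NegTokenInit: [0] SEQ [0] SEQ OF OID, first OID
        for expected in (0xA0, 0x30, 0xA0, 0x30, 0x06):
            tag, pos, end = tlv(tok, pos)
            if tag != expected:
                return "unknown"
        return "spnego/" + MECHS.get(tok[pos:end], "other")
    except (ValueError, IndexError):    # bad base64 or truncated DER
        return "malformed"

def der(tag, body):                     # short-form encoder, only for the samples
    return bytes([tag, len(body)]) + body

def sample_line(first, second):         # constructed SPNEGO NegTokenInit header line
    mechs = der(0x30, der(0x06, first) + der(0x06, second))
    tok = der(0x60, der(0x06, SPNEGO) + der(0xA0, der(0x30, der(0xA0, mechs))))
    return "> Authorization: Negotiate " + base64.b64encode(tok).decode()
```

A result of `spnego/kerberos` means the client led with a Kerberos ticket; `ntlm` or `spnego/ntlm` means it had no usable ticket for the service and fell back.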
git-svn is not supporting Kerberos authentication, which is a feature needed in big organizations. For this authentication to work, the serf library must be compiled/linked with Kerberos.
You need to install the krb5-devel package, and configure needs this argument
--with-gssapi=/usr/lib/mit/
Any chance to get this feature? I can support you testing this.