<div dir="ltr">Okay, I've made some headway on this but I've hit a road block. I've set up a test Nginx server and compiled the spnego-http-auth-nginx-module (<a href="https://github.com/stnoonan/spnego-http-auth-nginx-module" target="_blank">https://github.com/stnoonan/spnego-http-auth-nginx-module</a>). I've updated two location blocks in my site's configuration file to use the module to authenticate with Kerberos:<div><br></div><div><div>        # Test location</div><div>        location                        / {</div><div>                                                root /var/git;</div><div>                                                index index.html;</div><div><br></div><div>                                                # BASIC AUTH #</div><div>                                                #auth_basic             "Restricted";</div><div>                                                #auth_basic_user_file   /var/git/.htpasswd;</div><div><br></div><div>                                                # KERBEROS AUTH #</div><div>                                                <span style="background-color:rgb(255,255,0)">auth_gss                on;</span></div><div><span style="background-color:rgb(255,255,0)">                                                auth_gss_realm          <a href="http://HARMONYWAVE.COM" target="_blank">HARMONYWAVE.COM</a>;</span></div><div><span style="background-color:rgb(255,255,0)">                                                auth_gss_keytab         /etc/krb5.keytab;</span></div><div><span style="background-color:rgb(255,255,0)">                                                auth_gss_service_name   http/<a href="http://mutalisk.harmonywave.com" target="_blank">mutalisk.harmonywave.com</a>;</span></div><div>        }</div><div><br></div><div>        # Static repo files for cloning over https</div><div>        location                        ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))$ {</div><div>                                                root                    /var/git;</div><div>        }</div><div><br></div><div>        # Requests that need to get to git-http-backend</div><div>        location                        ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {</div><div>                                                # BASIC AUTH #</div><div>                                                #auth_basic             "Restricted";</div><div>                                                #auth_basic_user_file   /var/git/.htpasswd;</div><div><br></div><div>                                                # KERBEROS AUTH #</div><div>                                                <span style="background-color:rgb(255,255,0)">auth_gss                on;</span></div><div><span style="background-color:rgb(255,255,0)">                                                auth_gss_realm          <a href="http://HARMONYWAVE.COM" target="_blank">HARMONYWAVE.COM</a>;</span></div><div><span style="background-color:rgb(255,255,0)">                                                auth_gss_keytab         /etc/krb5.keytab;</span></div><div><span style="background-color:rgb(255,255,0)">                                                auth_gss_service_name   http/<a href="http://mutalisk.harmonywave.com" target="_blank">mutalisk.harmonywave.com</a>;</span></div><div><br></div><div>                                                fastcgi_pass    unix:/var/run/fcgiwrap.socket;</div><div>                                                fastcgi_param   SCRIPT_FILENAME         /usr/lib/git-core/git-http-backend;</div><div>                                                fastcgi_param   PATH_INFO               $uri;</div><div>                                                fastcgi_param   GIT_PROJECT_ROOT        /var/git/;</div><div>                                                fastcgi_param   GIT_HTTP_EXPORT_ALL     "";</div><div>                                                fastcgi_param   REMOTE_USER             $remote_user;</div><div>                                                include         fastcgi_params;</div><div>        }</div><div><div class="gmail_extra"><br></div><div class="gmail_extra">When I try to access the "/" location block from a web browser from within my network it works. The browser asks me for credentials and if I provide them correctly then Nginx passes the index.html file. However, when I try to do a git clone to my test repo it always fails with invalid credentials. I've collected two sets of logs and attached them. All the 01_* logs are when I tried to do a git clone to my test repo (and failed). All the 02_* logs are when I successfully logged into my test location ("/"). There are four logs for each set of logs (Nginx - error.log and access.log, Kerberos - krb5kdc.log, and LDAP - slapd.log).</div><div class="gmail_extra"><br></div><div class="gmail_extra">Looking at the logs I see two interesting events. 
First, comparing Nginx's log file I see this:</div><div class="gmail_extra"><ul><li>Both logs show a "401 unauthorized" when requesting the respective resources (this is as expected)</li><li>After the 401 it looks like Nginx is waiting for credentials (again, expected); however, when I request my "/" block it calls the spnego-http-auth-nginx-module module and returns a successful authentication attempt, while when I run a git clone it doesn't (note that both my web browser and git actually ask me for my credentials):</li></ul><div><img src="cid:ii_it32zu0z1_157296205cc523d5" style="margin-right: 0px;" width="956" height="521"><br><br></div><div>Second, the Kerberos logs show a "LOOKING_UP_SERVER" error when I try to do a git clone, while when I try to just access the "/" block it successfully issues a ticket (I'm assuming that it does that because the spnego module is called successfully from Nginx).</div><div><ul><li><span style="background-color:rgb(255,255,0)">01_krb5kdc.log:</span></li></ul><div><div>    Sep 14 08:26:15 immortal krb5kdc[1210](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.32.2">10.1.32.2</a>: <span style="background-color:rgb(255,255,0)">LOOKING_UP_SERVER</span>: authtime 0,  <a href="mailto:jschaeffer@HARMONYWAVE.COM">jschaeffer@HARMONYWAVE.COM</a> for HTTP/<a href="mailto:mutalisk.harmonywave.com@HARMONYWAVE.COM">mutalisk.harmonywave.com@HARMONYWAVE.COM</a>, Server not found in Kerberos database</div><div>    Sep 14 08:26:15 immortal krb5kdc[1210](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.32.2">10.1.32.2</a>: <span style="background-color:rgb(255,255,0)">LOOKING_UP_SERVER</span>: authtime 0,  <a href="mailto:jschaeffer@HARMONYWAVE.COM">jschaeffer@HARMONYWAVE.COM</a> for HTTP/<a href="mailto:mutalisk.harmonywave.com@HARMONYWAVE.COM">mutalisk.harmonywave.com@HARMONYWAVE.COM</a>, Server not found in Kerberos database</div></div></div><div><br></div><div><ul><li><span 
style="background-color:rgb(255,255,0)">02_krb5kdc.log:</span></li></ul><div><div>    Sep 14 08:56:57 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.10.3">10.1.10.3</a>: NEEDED_PREAUTH: <a href="mailto:jschaeffer@HARMONYWAVE.COM">jschaeffer@HARMONYWAVE.COM</a> for krbtgt/<a href="mailto:HARMONYWAVE.COM@HARMONYWAVE.COM">HARMONYWAVE.COM@HARMONYWAVE.COM</a>, Additional pre-authentication required</div><div>    Sep 14 08:56:57 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.10.3">10.1.10.3</a>: ISSUE: authtime 1473865017, etypes {rep=18 tkt=18 ses=18}, <a href="mailto:jschaeffer@HARMONYWAVE.COM">jschaeffer@HARMONYWAVE.COM</a> for krbtgt/<a href="mailto:HARMONYWAVE.COM@HARMONYWAVE.COM">HARMONYWAVE.COM@HARMONYWAVE.COM</a></div><div>    Sep 14 08:56:57 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.10.3">10.1.10.3</a>: NEEDED_PREAUTH: <a href="mailto:jschaeffer@HARMONYWAVE.COM">jschaeffer@HARMONYWAVE.COM</a> for krbtgt/<a href="mailto:HARMONYWAVE.COM@HARMONYWAVE.COM">HARMONYWAVE.COM@HARMONYWAVE.COM</a>, Additional pre-authentication required</div><div>    Sep 14 08:56:57 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.10.3">10.1.10.3</a>: ISSUE: authtime 1473865017, etypes {rep=18 tkt=18 ses=18}, <a href="mailto:jschaeffer@HARMONYWAVE.COM">jschaeffer@HARMONYWAVE.COM</a> for krbtgt/<a href="mailto:HARMONYWAVE.COM@HARMONYWAVE.COM">HARMONYWAVE.COM@HARMONYWAVE.COM</a></div></div></div><div><br></div><div>I've looked around but I couldn't really find a good explanation of what the "LOOKING_UP_SERVER" error means in my situation, and I've never seen the error myself before.</div><div><br></div><div>I guess where I'm really stuck right now is why my git block does not call this like my "/" block does:</div><div><br></div><div><div>    2016/09/14 08:56:57 [debug] 14254#14254: *3 Basic auth credentials supplied by client</div><div>    2016/09/14 08:56:57 [debug] 14254#14254: *3 Attempting authentication with principal jschaeffer</div><div>    2016/09/14 08:56:57 [debug] 14254#14254: *3 Setting $remote_user to jschaeffer</div><div>    2016/09/14 08:56:57 [debug] 14254#14254: *3 ngx_http_auth_spnego_set_bogus_authorization: bogus user set</div><div>    2016/09/14 08:56:57 [debug] 14254#14254: *3 ngx_http_auth_spnego_basic: returning NGX_OK</div><div>    2016/09/14 08:56:57 [debug] 14254#14254: *3 Basic auth succeeded</div></div><div><br></div><div>On Mon, Sep 12, 2016 at 1:52 PM, Joshua Schaeffer <span dir="ltr"><<a href="mailto:jschaeffer0922@gmail.com" target="_blank">jschaeffer0922@gmail.com</a>></span> wrote:<br></div></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote"><span>On Mon, Sep 12, 2016 at 1:37 PM, A. Schulze <span dir="ltr"><<a href="mailto:sca@andreasschulze.de" target="_blank">sca@andreasschulze.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span><br>
<br>
Am 12.09.2016 um 21:33 schrieb Joshua Schaeffer:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Any chance anybody has played around with Kerberos auth? Currently my SSO<br>
environment uses GSSAPI for most authentication.<br>
</blockquote>
<br></span>
I also compile the module <a href="https://github.com/stnoonan/spnego-http-auth-nginx-module" rel="noreferrer" target="_blank">https://github.com/stnoonan/spnego-http-auth-nginx-module</a><br>
but I've no time to configure / learn how to configure it<br>
... unfortunately ...</blockquote><div><br></div></span><div>I did actually see this module as well, but didn't look into it too much. Perhaps it would be best for me to take a closer look and then report back on what I find.</div><div><br></div><div>Thanks,</div><div>Joshua Schaeffer </div></div><br></div></div>
</blockquote></div><br></div></div></div><div class="gmail_extra">Any help would be appreciated.<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Thanks</div><div class="gmail_extra">Joshua Schaeffer</div></div>
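<p>Added example (not code from this thread, from nginx or from the spnego module): a small Python check that correlates the KDC's "LOOKING_UP_SERVER ... Server not found in Kerberos database" lines with the <code>auth_gss_service_name</code> configured in nginx. The KDC logs that status when a TGS request names a service principal it cannot find, and Kerberos principal names are case-sensitive, so the principal a client's GSSAPI library asks for (<code>HTTP/host@REALM</code> in the 01 log above) must exist in the KDC and match, character for character, the entry nginx reads from its keytab. The config snippet and log lines inside the block are constructed from the ones quoted in the message (same realm, host and user principal); the verdict labels are this example's own.</p>

```python
"""Correlate KDC 'Server not found' errors with nginx's auth_gss_service_name.

Added example; not code from the thread, nginx or the spnego module.
The config snippet and log lines are constructed from the ones quoted in
the message above (the poster's realm, host and user principal).
"""
import re

# Constructed from the "/" location block quoted in the message.
NGINX_CONF = """
location / {
    auth_gss                on;
    auth_gss_realm          HARMONYWAVE.COM;
    auth_gss_keytab         /etc/krb5.keytab;
    auth_gss_service_name   http/mutalisk.harmonywave.com;
}
"""

# Constructed from the 01_krb5kdc.log (failed git clone) and 02_krb5kdc.log
# (successful browser login) lines quoted in the message.
KDC_LOG = """\
Sep 14 08:26:15 immortal krb5kdc[1210](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.32.2: LOOKING_UP_SERVER: authtime 0,  jschaeffer@HARMONYWAVE.COM for HTTP/mutalisk.harmonywave.com@HARMONYWAVE.COM, Server not found in Kerberos database
Sep 14 08:56:57 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.10.3: ISSUE: authtime 1473865017, etypes {rep=18 tkt=18 ses=18}, jschaeffer@HARMONYWAVE.COM for krbtgt/HARMONYWAVE.COM@HARMONYWAVE.COM
"""

# nginx directives we care about: "name   value;" on their own line.
DIRECTIVE_RE = re.compile(
    r"^\s*(auth_gss_realm|auth_gss_service_name)\s+([^\s;]+);", re.M
)
# A TGS_REQ that failed while the KDC was looking up the *service* principal.
NOT_FOUND_RE = re.compile(
    r"TGS_REQ .*?: LOOKING_UP_SERVER: .*? for (?P<server>\S+), "
    r"Server not found in Kerberos database"
)


def configured_service_principal(conf):
    """Service principal nginx will look for in its keytab, realm appended.

    auth_gss_service_name is taken as written; only the service/host form
    used in the message is handled here (assumption of this example).
    """
    directives = dict(DIRECTIVE_RE.findall(conf))
    name = directives["auth_gss_service_name"]
    if "@" in name:
        return name
    return f"{name}@{directives['auth_gss_realm']}"


def unknown_servers(log):
    """Service principals clients asked for that the KDC does not have."""
    return [m.group("server") for m in NOT_FOUND_RE.finditer(log)]


def diagnose(conf, log):
    """Compare each rejected principal with the configured one.

    Returns (requested, configured, verdict) triples. Kerberos principal
    names are case-sensitive, so 'http/host' and 'HTTP/host' are different
    principals; a case-only difference gets its own verdict because it is
    the easiest mismatch to miss when reading the two names side by side.
    """
    configured = configured_service_principal(conf)
    findings = []
    for requested in unknown_servers(log):
        if requested == configured:
            verdict = "principal-missing-from-kdc"  # names agree; KDC lacks it
        elif requested.lower() == configured.lower():
            verdict = "case-mismatch"
        else:
            verdict = "different-principal"
        findings.append((requested, configured, verdict))
    return findings


if __name__ == "__main__":
    for requested, configured, verdict in diagnose(NGINX_CONF, KDC_LOG):
        print(f"{verdict}: client asked the KDC for {requested!r}, "
              f"nginx is configured for {configured!r}")
```

<p>Run as-is it reports on the quoted logs; on the server itself, <code>klist -kt /etc/krb5.keytab</code> lists the principals actually present in the keytab, and the same three-way comparison (keytab entry, nginx directive, name the client requests) shows whether all three agree before nginx is debugged any further.</p>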