GSSAPI fails with "could not restart authentication" when pulling from Kerberos enabled bitbucket server

[jonathanturcotte]

We have setup a bitbucket server (Bitbucket 6.6.1 Data Center edition) with Kerberos authentication using the Kantega v3.6.5 bitbucket plugin, and can clone successfully using git from the commandline. As the same user with the same Kerberos tickets, libgit2 compiled with -DUSE_GSSAPI=ON fails to clone the same repository with the error "could not restart authentication".

The error is coming from src/transports/auth_negotiate.c:

	} else if (ctx->gss_context != GSS_C_NO_CONTEXT) {
		git_error_set(GIT_ERROR_NET, "could not restart authentication");
		error = -1;
		goto done;
	}

Using gdb I've confirmed that for some reason on the second time through this function, gss_context is no longer a null pointer even though gss_init_sec_context returned a request for auth to continue.

I was able to fix the issue by modifying this else if block to be similar to what is shown in the GNU Generic Security Service (GSS) API Reference Manual, on page 14:

	} else if (ctx->gss_context != GSS_C_NO_CONTEXT) {
                  gss_delete_sec_context(&status_minor, &ctx->gss_context, GSS_C_NO_BUFFER);
                  ctx->gss_context = GSS_C_NO_CONTEXT;
	}

Tested using libgit2.0.25.1 on RHEL 7, with the above bitbucket server setup. The behaviour looks to be the same in the newest source.

[ethomson]

Hmm, reading page 14 it looks like it calls gss_delete_sec_context and then breaks out of the loop, is that not correct? (It may not be, the formatting on that document is atrocious.)

[jonathanturcotte]

Yeah I'm honestly not sure why they do that. But from the next page:

If the initial call of gss_init_sec_context() fails, the implementation should not create a context object, and should leave the value of the context_handle parameter set to GSS_C_NO_CONTEXT to indicate this. In the event of a failure on a subsequent call, the implementation is permitted to delete the "half-built" security context (in which case it should set the context_handle parameter to GSS_C_NO_CONTEXT), but the preferred behavior is to leave the security context untouched for the application to delete (using gss_delete_sec_context).

That's what this change does, but I'm not sure if libgit2 is the "implementation" or the "application" in this example.

[mattmaynes]

Hi @ethomson, I am working with @jonathanturcotte on debugging this issue with our client. We took the latest patch which was merged in #5236 and had tested it in our environment which worked. We then set this to our client and they hit a different problem.

could not parse principal: An invalid name was supplied (131072.0)

It appears that during the negotiate phase when we ask for a next token (

libgit2/src/transports/auth_negotiate.c

Line 123 in aa4cd77

negotiate_err_set(status_major, status_minor,

) we encounter an issue with the server name. It appears that the target name which is set on

libgit2/src/transports/auth_negotiate.c

Line 266 in aa4cd77

git_buf_puts(&ctx->target, "HTTP@");

is invalid when we ask for the next token.

Is there anything else we can do to debug this issue? Are there any steps we can take to help find the root cause? Thank you for your help!

[ethomson]

Does plain git work here with SPNEGO? What about a browser?

[mattmaynes]

Sorry for the delay @ethomson, I must have missed the Github notification - Yes plain git works here at the command line. This is using a similar Enterprise Bitbucket setup with Kerberos.

[jonathanturcotte]

Hi @ethomson, sorry for the delay in getting back to you.

Given that the error happens in gss_import_name, I was suspicious that it might have something to do with the Service Principal they're using, but we've verified with them that it's alphanumeric with the only special characters being "/", ".", "@", and "-", which look kosher to me.

Only other thing I know is that they have the https_proxy environment variable set, and it doesn't seem to be working for them when connecting to public repos like GitHub (they get "No route to host" errors). It doesn't seem to be affecting their connection to their internal bitbucket server though. As a result, I imagine it's unrelated to this gssapi issue, but I wanted to mention it here in case it turns out to be relevant.

Attached is a GIT_CURL_VERBOSE git clone log from the client with sensitive data removed. Let me know if you see anything that can point us in the right direction. Thanks for your continued help with this!

git_trace.txt

[ethomson]

Interesting! Proxies are always a tricky one. Can you try without any proxy variables set?

[jonathanturcotte]

Still happens even without the proxy variables set unfortunately.

[ethomson]

Just curious - did this ever get resolved?

[jonathanturcotte]

No unfortunately, is there anything else we can do to help debug the issue?

[ethomson]

• Server auth using Negotiate with user 'REDACTED'

Can you tell me what this looks like without providing the literal redacted information? I want to make sure we're using the same name. How is the user name transformed? The server name? Is part or all of it converted to upper case? etc.

[jonathanturcotte]

The user name that appears in the "Server auth using Negotiate with user" line is just the normal user name (alphanumeric characters only). When doing something like kinit he gets a prompt with the same username in the format username@XXXX.YYYY

We don't see any transformation in the git server. The client directly copies the URL from bitbucket, and the URLs printed by the verbose clone are the same but with a suffix (e.g. /git-upload-pack).

[ethomson]

Interesting. I would expect to see something like an SPN... this will often look like http@FOO.COM or http/FOO.COM. Possible that's not getting logged. But I think that's the "name" in question.