diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-07 00:10:34 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-07 00:10:34 +0000 |
| commit | cf63cda866c129bb69a0646b4952f271dc70208f (patch) | |
| tree | 831dda9050cd725a2d3b356f7334a226fba4d84b /doc/integration/kerberos.md | |
| parent | a5f3c50a6b451c6b7709cd632e2917c71ba25391 (diff) | |
| download | gitlab-ce-cf63cda866c129bb69a0646b4952f271dc70208f.tar.gz | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/integration/kerberos.md')
| -rw-r--r-- | doc/integration/kerberos.md | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/doc/integration/kerberos.md b/doc/integration/kerberos.md index 257ba4e6708..da854582c12 100644 --- a/doc/integration/kerberos.md +++ b/doc/integration/kerberos.md @@ -368,6 +368,15 @@ GitLab supports, authentication fails with a message like this in the log: OmniauthKerberosSpnegoController: failed to process Negotiate/Kerberos authentication: gss_accept_sec_context did not return GSS_S_COMPLETE: An unsupported mechanism was requested Unknown error ``` +There are a number of potential causes and solutions for this error message. + +#### Kerberos integration not using a dedicated port + +GitLab CI/CD doesn’t work with a Kerberos-enabled GitLab instance unless the Kerberos integration +is configured to [use a dedicated port](kerberos.md#http-git-access-with-kerberos-token-passwordless-authentication). + +#### Lack of connectivity between client machine and Kerberos server + This is usually seen when the browser is unable to contact the Kerberos server directly. It falls back to an unsupported mechanism known as [`IAKERB`](https://k5wiki.kerberos.org/wiki/Projects/IAKERB), which tries to use @@ -377,6 +386,8 @@ If you're experiencing this error, ensure there is connectivity between the client machine and the Kerberos server - this is a prerequisite! Traffic may be blocked by a firewall, or the DNS records may be incorrect. +#### Mismatched forward and reverse DNS records for GitLab instance hostname + Another failure mode occurs when the forward and reverse DNS records for the GitLab server do not match. Often, Windows clients work in this case while Linux clients fail. They use reverse DNS while detecting the Kerberos @@ -389,6 +400,8 @@ match. So for instance, if you access GitLab as `gitlab.example.com`, resolving to IP address `1.2.3.4`, then `4.3.2.1.in-addr.arpa` must be a `PTR` record for `gitlab.example.com`. +#### Missing Kerberos libraries on browser or client machine + Finally, it's possible that the browser or client machine lack Kerberos support completely. Ensure that the Kerberos libraries are installed and that you can authenticate to other Kerberos services. |