author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-12-08 15:07:37 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-12-08 15:07:37 +0300 |
commit | 0f4ce397c91d826ae3cc3551ac51deb5602088fb (patch) | |
tree | 97c66f8efeaf7101e046b7b1ce83c41f1bd4219e /doc/integration/kerberos.md | |
parent | ef44feb7fa697e96b7011aa45ea3ca7e5087a490 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/integration/kerberos.md')
-rw-r--r-- | doc/integration/kerberos.md | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/doc/integration/kerberos.md b/doc/integration/kerberos.md index c7cbc4389f5..a0441b79490 100644 --- a/doc/integration/kerberos.md +++ b/doc/integration/kerberos.md @@ -357,6 +357,38 @@ to a larger value in [the NGINX configuration](https://nginx.org/en/docs/http/ng ## Troubleshooting +### Test connectivity between the GitLab and Kerberos servers + +You can use utilities like [`kinit`](https://web.mit.edu/kerberos/krb5-1.12/doc/user/user_commands/kinit.html) and [`klist`](https://web.mit.edu/kerberos/krb5-1.12/doc/user/user_commands/klist.html) to test connectivity between the GitLab server +and the Kerberos server. How you install these depends on your specific OS. + +Use `klist` to see the service principal names (SPN) available in your `keytab` file and the encryption type for each SPN: + +```shell +klist -ke /etc/http.keytab +``` + +On an Ubuntu server, the output would look similar to the following: + +```shell +Keytab name: FILE:/etc/http.keytab +KVNO Principal +---- -------------------------------------------------------------------------- + 3 HTTP/my.gitlab.domain@MY.REALM (des-cbc-crc) + 3 HTTP/my.gitlab.domain@MY.REALM (des-cbc-md5) + 3 HTTP/my.gitlab.domain@MY.REALM (arcfour-hmac) + 3 HTTP/my.gitlab.domain@MY.REALM (aes256-cts-hmac-sha1-96) + 3 HTTP/my.gitlab.domain@MY.REALM (aes128-cts-hmac-sha1-96) +``` + +Use `kinit` in verbose mode to test whether GitLab can use the keytab file to connect to the Kerberos server: + +```shell +KRB5_TRACE=/dev/stdout kinit -kt /etc/http.keytab HTTP/my.gitlab.domain@MY.REALM +``` + +This command shows a detailed output of the authentication process. + ### Unsupported GSSAPI mechanism With Kerberos SPNEGO authentication, the browser is expected to send a list of |
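Review bot: The sample `klist -ke` output under "On an Ubuntu server" lists `des-cbc-crc`, `des-cbc-md5` and `arcfour-hmac` keys for the SPN without comment, so a reader may take a keytab that carries DES and RC4 keys as the expected result. Suggest either trimming the sample to the two `aes*-cts-hmac-sha1-96` entries, or adding a sentence that this listing is where you check which encryption types the keytab holds and that the DES and RC4 entries are legacy types to phase out. The same block is fenced as `shell` although it is command output rather than a command; `plaintext` would fit better. The `kinit -kt` step also leaves a ticket in the invoking user's default credential cache, so the procedure should say which user runs the test and end with a `kdestroy` line.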