About "GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)"


shang...@gmail.com

Mar 18, 2022, 3:49:43 AM
to Repo and Gerrit Discussion
Hi Team,

Recently I updated Gerrit from 3.2.6 to 3.4.3, and I found the following errors in error_log.
The weird thing is I did not configure GSSAPI for Gerrit.

[2022-03-18T07:18:18.026Z] [sshd-JGitSshClient[ddcbe34]-nio2-thread-7] WARN  org.eclipse.jgit.internal.transport.sshd.GssApiWithMicAuthentication : GSS-API error for mechanism OID 1.2.840.113554.1.2.2
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)

The following are the LDAP and auth sections in Gerrit.config

[ldap]
        accountFullName = cn
        accountPattern = (&(objectClass=person)(uid=${username}))
        accountBase = ou=Users,dc=xxxx,dc=com
        server = ldap://ldap.xxxx.xxxx.com
        groupBase = ou=Groups,dc=xxxx,dc=com
        groupPattern = (&(objectClass=posixGroup)(cn=${groupname}))

[auth]
        type = HTTP_LDAP
        httpHeader = REMOTE_USER

The following is the authentication part for apache


<Location /gerrit/login/>
    AuthType GSSAPI
    AuthName "XXXX Kerberos login"

    GssapiSSLonly On
    GssapiBasicAuth Off
    GssapiCredStore keytab:/etc/httpd/conf/httpd.keytab
    GssapiLocalName On
    Session On
    SessionCookieName gerrit_gssapi_session path=/private;httponly;secure;
    Require valid-user
</Location>

Does anybody know why our Gerrit looks like this?

Luca Milanesio

Mar 18, 2022, 8:03:57 PM
to shang...@gmail.com, Luca Milanesio, Repo and Gerrit Discussion

On 18 Mar 2022, at 07:43, shang...@gmail.com <shang...@gmail.com> wrote:

Hi Team,

Recently I updated Gerrit from 3.2.6 to 3.4.3, and I found the following errors in error_log.
The weird thing is I did not configure GSSAPI for Gerrit.

[2022-03-18T07:18:18.026Z] [sshd-JGitSshClient[ddcbe34]-nio2-thread-7] WARN  org.eclipse.jgit.internal.transport.sshd.GssApiWithMicAuthentication : GSS-API error for mechanism OID 1.2.840.113554.1.2.2
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)

The above is about the JGit/SSH client side, not the LDAP or HTTP authentication. Have you checked your replication.config? Are you using replication over git/ssh?

Luca.


The following are the ldap and auth sections in gerrit.config

[ldap]
        accountFullName = cn
        accountPattern = (&(objectClass=person)(uid=${username}))
        accountBase = ou=Users,dc=redhat,dc=com

        server = ldap://ldap.xxxx.xxxx.com
        groupBase = ou=Groups,dc=xxxx,dc=com
        groupPattern = (&(objectClass=posixGroup)(cn=${groupname}))

[auth]
        type = HTTP_LDAP
        httpHeader = REMOTE_USER

The following is the authentication part of httpd


<Location /gerrit/login/>
    AuthType GSSAPI
    AuthName "Red Hat Kerberos login"


    GssapiSSLonly On
    GssapiBasicAuth Off
    GssapiCredStore keytab:/etc/httpd/conf/httpd.keytab
    GssapiLocalName On
    Session On
    SessionCookieName gerrit_gssapi_session path=/private;httponly;secure;
    Require valid-user
</Location>

Does anybody know why our Gerrit looks like this?


shang...@gmail.com

Mar 21, 2022, 3:22:04 AM
to Repo and Gerrit Discussion
Thanks, Luc,

We replicate the Gerrit repositories over ssh. I just tested access to the target git server over ssh, and there is no error for me.

[root@gerrit etc]# su - gerrit2
Last login: Mon Mar 21 06:30:46 UTC 2022 on pts/1
-bash-4.2$ ssh git.stage.xxx.com
Last login: Mon Mar 21 06:31:19 2022 from gerrit.stage.xxx.com
   **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **

               This is a Private Computing System Network.

    This system is for use only by authorized users.  If you do not have
    authorization, discontinue use at once.
...

   The operating system is RedHat 7.9

   The domain is stage.xxx.com

[gerrit2@git ~]$


**********************************************
And the content of replication.config is 

[gerrit]
        defaultForceUpdate = true
        replicateOnStartup = true
        autoReload = true
[replication]
        lockErrorMaxRetries = 3
[remote "git.stage.xxx.com"]
        url = ger...@git.stage.xxx.com:/srv/git/${name}.git
        authGroup = git.stage.xxx.com replication group
        push = refs/*:refs/*
        threads = 2
        timeout = 30
        replicationRetry = 2
        createMissingRepositories = true
        replicateProjectDeletions = true
        replicationDelay = 0
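
A triage sketch for the diagnosis discussed in this thread, added here as an example and not part of any post or of Gerrit/JGit: it attributes the error_log warning to a component by its logger name, decodes the GSS-API mechanism OID, and lists which replication.config remotes use SSH transport. The replication.config sample, its host names and the function names are constructed; treating the `org.eclipse.jgit.internal.transport.sshd` logger package as the outbound SSH client is an assumption based on the reply above.

```python
import re

# GSS-API mechanism OIDs: Kerberos V5 (RFC 4121) and SPNEGO (RFC 4178).
GSS_MECHS = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.3.6.1.5.5.2": "SPNEGO"}
LOG_RE = re.compile(r"^\[[^\]]+\] \[(?P<thread>.+?)\] (?P<level>\w+)\s+"
                    r"(?P<logger>\S+) : (?P<msg>.*)$")

# Log line from the thread; the replication.config below is constructed.
SAMPLE_LOG = ("[2022-03-18T07:18:18.026Z] [sshd-JGitSshClient[ddcbe34]-nio2-thread-7] "
              "WARN  org.eclipse.jgit.internal.transport.sshd."
              "GssApiWithMicAuthentication : GSS-API error for mechanism OID "
              "1.2.840.113554.1.2.2")
SAMPLE_REPLICATION = '''
[remote "git.example.test"]
        url = replicator@git.example.test:/srv/git/${name}.git
        push = refs/*:refs/*
[remote "mirror.example.test"]
        url = https://mirror.example.test/git/${name}.git
'''

def triage(line):
    """Name the component and GSS mechanism behind an error_log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    oid = re.search(r"mechanism OID (\d+(?:\.\d+)+)", m["msg"])
    # Assumption: the logger package identifies JGit's outbound SSH client.
    client = m["logger"].startswith("org.eclipse.jgit.internal.transport.sshd.")
    return {"component": "JGit SSH client (outbound)" if client else "other",
            "mechanism": GSS_MECHS.get(oid.group(1), "unknown") if oid else None}

def is_ssh_url(url):
    """True for ssh:// style URLs and scp-like [user@]host:path remotes."""
    if "://" in url:
        return url.split("://", 1)[0].lower() in ("ssh", "git+ssh", "ssh+git")
    return ":" in url.split("/", 1)[0]  # colon before the first slash

def ssh_remotes(config_text):
    """Map each [remote "..."] section to its SSH-transport URLs."""
    found, current = {}, None
    for line in map(str.strip, config_text.splitlines()):
        sec = re.match(r'\[remote "(.+)"\]$', line)
        if sec or line.startswith("["):
            current = sec.group(1) if sec else None
        elif current and re.match(r"url\s*=", line):
            url = line.split("=", 1)[1].strip()
            if is_ssh_url(url):
                found.setdefault(current, []).append(url)
    return found

if __name__ == "__main__":
    print(triage(SAMPLE_LOG), ssh_remotes(SAMPLE_REPLICATION))
```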