Kerberos Spnego sign-in does not create an identity for the user when `allow_single_sign_on` is set

Summary

Kerberos Spnego sign-in does not create an identity for the user when allow_single_sign_on is set.

Steps to reproduce

  1. Set up Kerberos on GDK following the instructions here.
  2. Ensure that `allow_single_sign_on: ["kerberos"]` is set in your `gitlab.yml` file. (It's worth noting here that we currently have an inconsistency between using `kerberos` and `kerberos_spnego`. See this issue.) I have also tried setting `allow_single_sign_on: ["kerberos_spnego"]`, which also doesn't work.
  3. Create a user in GitLab with the username (say) `user`.
  4. Generate a ticket-granting ticket (TGT) by running `kinit user@GDK.TEST` on your local machine.
  5. Try logging in to GitLab with the "Kerberos Spnego" SSO button. You will see "Signing in using your Kerberos account without a pre-existing GitLab account is not allowed. Create a GitLab account first, and then connect it to your Kerberos account."
  6. Now, if you go to the Rails console and create an identity for this user manually with `Identity.create(user: User.find_by(username: 'user'), extern_uid: 'user@GDK.TEST', provider: 'kerberos')`, you will be able to log in.

The identity should have been created automatically.

If step 3 (manually creating a user) is skipped, the user should be created the first time the "Kerberos Spnego" SSO button is clicked, but the same error as above is shown.

Also, I want to mention here that I was able to log in successfully (after manually creating the identity) only on Safari. On Firefox and Google Chrome, I see a 401.

What is the current bug behavior?

A `kerberos` (or `kerberos_spnego`) identity for the user is not automatically created.

What is the expected correct behavior?

A `kerberos` (or `kerberos_spnego`) identity for the user should be automatically created.

Output of checks

Results of GitLab environment info

System information
System:
Proxy:		rvm_proxy:
Current User:	sanadliaquat
Using RVM:	yes
RVM Version:	1.29.12
Ruby Version:	2.7.4p191
Gem Version:	3.1.6
Bundler Version:2.1.4
Rake Version:	13.0.6
Redis Version:	6.2.5
Git Version:	2.33.1
Sidekiq Version:6.2.2
Go Version:	go1.17 darwin/amd64

GitLab information
Version:	14.4.0-pre
Revision:	6aeac47202f
Directory:	/Users/sanadliaquat/work/gitlab/gdk-ee/gitlab
DB Adapter:	PostgreSQL
DB Version:	12.8
URL:		http://gdk.test:3000
HTTP Clone URL:	http://gdk.test:3000/some-group/some-project.git
SSH Clone URL:	ssh://git@gdk.test:2222/some-group/some-project.git
Elasticsearch:	no
Geo:		no
Using LDAP:	no
Using Omniauth:	yes
Omniauth Providers: google_oauth2, kerberos_spnego

GitLab Shell
Version:	13.21.1
Repository storage paths:
- default: 	/Users/sanadliaquat/work/gitlab/gdk-ee/repositories
GitLab Shell path:		/Users/sanadliaquat/work/gitlab/gdk-ee/gitlab-shell
Git:		/usr/local/bin/git

Edited by Sanad Liaquat