-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Git LFS should print Kerberos service prinicpal for debugging #5625
Comments
I'm mostly looking for some assistance with figuring out the git lfs debugging issue while trying to troubleshoot this problem, but figured it wise to fill out for the primary issue I'm trying to troubleshoot. I'm running git lfs in VS Code and when the debugger is attached, I can not get it to run within the context of my Git repository, which prevents reaching the code path I need to debug. (Looking in to what is causing the negotiate option to be false and having it fall in to basic auth.) Here is my current launch.json:
|
Hey, Let me provide a little bit of assistance. First, the message “Error reading I'll just say that I don't use VS Code (I'm a Neovim user) and I also only incidentally use Windows, but I wonder if the line If, while you're in the course of debugging this, you decide that you'd like to improve the error message logging in the trace output here, we'd of course love to see a patch for that. I think everyone would agree that it would be nicer to see this in the output of |
That part seems to be right for the go debugger. I do end up with the debugger attached to git-lfs successfully, however it does a test to see if it is in a folder with a git repository and that check fails. (In particular, it's the "rev-parse" call to gitNoLFS on line 749 of git.go in the release-3.4 branch.) This is preventing me from ever getting to the pull I'm trying to run since the execution context for git lfs is off somehow. I suppose I could try dumping the full error and environment from the gitNoLFS call and see if that gives me any more useful details to work on if there isn't anyone else familiar with running gitlfs straight out of vs code's go debugger. |
I don't think anyone else on the core team is familiar with VS Code or its debugger. I believe we're all Vim or Neovim users, and since we run on Unix, we'd use |
Oh wait, I think I might see it. When I switched my working folder over to the actual git repo and ran the commands from there I got a clean git lfs env without errors. I had been trying to run the git lfs env initially from where the binary actually is built by git lfs and it seems that doesn't work. Might just be that the cwd isn't sufficient by itself, so I may need to figure out how to get it to build in to the final path that git lfs is running from on my system so that git is also properly accessible. I'm a bit surprised my path isn't fixing that, but it seems like maybe it could be something along those lines. Or maybe not. Looks like my original git lfs env output was just a bad directory I chose to run it in. After switching to either a real repo or the folder that VS Code is building git-lfs.exe to, I get the following as the git lfs env:
|
For anyone trying to solve similar debugging issues on Windows in VS Code, what finally worked was to build outside of VS Code with |
Ok, so made a major breakthrough on the root of this problem. I still have to track back to why it's getting selected, but it appears that an incorrect SPN is assumed from the URL in gitlfs,, probably from the spnego library, but I haven't confirmed yet. On a machine where gitlfs works, the SPN used is a valid and expected one, however on machines where it does not work, a different endpoint on the machine is selected which is unrelated to the Azure Devops endpoint and does not have a configured SPN record. As a short term fix I am going to try updating my SPN records to include SPNs for the selected SPN for the host being used. I'm also suggesting that we include the selected SPN in trace output to aid debugging for anyone who isn't capable of building and debugging their own version of gitlfs. I'll also continue looking in to why the incorrect SPN name was selected to determine if there is some way to prevent the issue in the first place. |
Ok, so it looks like the URL canonicalize functionality is entirely down in spnego so it does not appear possible to correct from gitlfs. So I think the best we can do here is try to get the used SPN out in the trace and then I'll reach out to the spnego team about the canonicalization issue since it should really be attempting a connection with the provided host prior to canonicalizing it through a DNS lookup/reverse lookup. |
Another note for anyone else having this problem. Check your hosts files. In our case, things were fixed when we removed a host file record for this ip from the machine. Alternately, if you need the hosts file record, just ensure that you also have a record for the proper SPN hostname earlier in the file for the same IP. |
That sounds like a good idea. Are you willing to put the SPN in the trace output here, since you're already in this particular piece of code? I do have a Kerberos setup at home, but it's not set up for Git LFS by default, so it would take me some time to add it. |
Unfortunately I'm not able to anymore without a lot of hoops to jump through. Ownership changed of the company I work for and getting approval for contributions is... difficult. Trying to document here as much as I can to give maximum help to anyone else that comes along the same issue though. :/ |
Okay, I'm going to mark this as an enhancement, then, since it will take some time for me to set up and I'm not necessarily going to be able to get to it in a reasonable amount of time. |
Describe the bug
Attempting to authenticate to Azure Devops Server's (on prem) git repos via Kerberos fails on some machines. Kerberos authentication works correctly for Azure Devops Server website itself. This occurs only on select machines. Most machines in our environment work without issue and can authenticate GitLFS via Kerberos, however select environments fail to authenticate and fall back to basic auth (which fails due to a seperate issue with Azure Devops Server's treatment of git vs git-lfs.)
To Reproduce
Steps to reproduce the behavior:
Expected behavior
GitLFS operates normally.
System environment
Latest version of Git for Windows, though it also has been a problem with previous. Running the latest version of GitLFS (3.4.1) as the 3.4.0 build that was bundled with Git had issues with accessing out of bounds values when trying to connect via basic auth after not using or failing to use Negotiate/Kerberos. Windows 10 machine.
Output of
git lfs env
Additional context
I have a locally built version of git lfs prepared and am attempting to debug, however I've been encountering problems getting it to run on the repo as git is not detected despite my cwd being set to a git repository root.
The text was updated successfully, but these errors were encountered: