Hide Forgot
Created attachment 484268 [details] Patch fixing the problem Description of problem: git clone against a repository using GSS auth does not work with recent libcurl versions. It used to work fine with libcurl 7.15.5 included in RHEL 5, but in recent curl versions including the 7.19.7-16 version included in RHEL 6 it's broken. Version-Release number of selected component (if applicable): libcurl-7.19.7-16.el6.x86_64 How reproducible: Always Steps to Reproduce: 1. Try to do a 'git clone' against a repository using GSS authentication Actual results: First request (GET) authenticates successfully. Second request (POST to git-upload-pack) fails without authentication being tried and nothing is cloned. Expected results: Complete 'git clone' is successfully authenticated. Additional info: The problem is this code in Curl_http_input_auth(): if(data->state.negotiate.state == GSS_AUTHSENT) { /* if we sent GSS authentication in the outgoing request and we get this back, we're in trouble */ infof(data, "Authentication problem. Ignoring this.\n"); data->state.authproblem = TRUE; } When a struct connectdata is used for multiple requests and the first request was authenticated with GSS, data->state.negotiate.state is not reset for subsequent calls to Curl_http_input_auth, which causes the above if statement to be true and the next request to fail without authentication being tried. The attached patch makes sure that the state is always set to GSS_AUTHNONE in output_auth_headers() unless it actually did a successful Curl_output_negotiate(). The attached patch has already been accepted in upstream curl: https://github.com/bagder/curl/commit/6f0ee717c3752e06144e87b45bb56c24ce8237f7
Created attachment 484270 [details] Log showing the problem, from GIT_CURL_VERBOSE=1 git clone When using libcurl 7.15.5 from RHEL 5, or using my patch, the "* Authentication problem. Ignoring this." line interleaved in the last 401 does not appear, and libcurl successfully resends the request with proper authentication.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Kerberos authentication was broken for reused curl handles, which prevented "git clone"' from working with Kerberos authenticated web servers. This is now fixed to allow "git clone" operations to successfully authenticate and carry out operations.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0573.html