From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jeff King
Subject: Re: [PATCH] remote-curl: fall back to Basic auth if Negotiate fails.
Date: Sat, 27 Dec 2014 12:56:04 -0500
Message-ID: <20141227175604.GA23732@peff.net>
References: <1419652893-477694-1-git-send-email-sandals@crustytoothpaste.net>
In-Reply-To: <1419652893-477694-1-git-send-email-sandals@crustytoothpaste.net>
To: "brian m. carlson"
Cc: git@vger.kernel.org, "Dan Langille (dalangil)", Jonathan Nieder

On Sat, Dec 27, 2014 at 04:01:33AM +0000, brian m. carlson wrote:

> Apache servers using mod_auth_kerb can be configured to allow the user
> to authenticate either using Negotiate (using the Kerberos ticket) or
> Basic authentication (using the Kerberos password). Often, one will
> want to use Negotiate authentication if it is available, but fall back
> to Basic authentication if the ticket is missing or expired.
>
> Teach the HTTP client code to stop trying authentication mechanisms that
> don't use a password (currently Negotiate) after the first failure,
> since if they failed the first time, they will never succeed.
>
> Signed-off-by: brian m. carlson
> ---
> I was able to reproduce the problem on my server. This fixes the
> problem for me both when info/refs requires authentication and when it
> does not. Dan, please try and see if this fixes the problem for you.
>
> I'm not clear on whether NTLM is a passwordless authentication method.
> Since I don't use Windows or NTLM, I can't test it, but if it is, just
> adding it to HTTP_AUTH_PASSWORDLESS should be sufficient.

I don't think this should make things any worse for NTLM if it is. It
would just not get the benefit of the feature you are adding, and
somebody with a working setup can test and add it at that time, right?

I'm not familiar enough with Negotiate auth to give a thorough review
on the logic above. But FWIW, it makes sense to me, and the code looks
correct.

The number of places you needed to add calls to
disable_passwordless_auth is a sign that we might need to factor out our
http auth handling better. Though that is not a problem you are
introducing. :)

The credential struct is already a global for all requests. If you made
the "no_passwordless" flag similarly global, it would be enough to set
it in handle_curl_result and respect it in get_curl_handle.

-Peff
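
The fallback described in the commit message, combined with the global-flag arrangement suggested in the reply, as an added sketch that is not part of this thread or of Git's source. The bit values and the functions `allowed_auth`, `mock_request`, `handle_result` and `fetch` are hypothetical stand-ins, and the server behaviour is constructed.

```c
#include <stdio.h>

/* Stand-in bit flags for this sketch (assumed values, not libcurl's or Git's). */
#define AUTH_BASIC        (1u << 0)
#define AUTH_NEGOTIATE    (1u << 1)
#define AUTH_ANY          (AUTH_BASIC | AUTH_NEGOTIATE)
#define AUTH_PASSWORDLESS AUTH_NEGOTIATE /* mechanisms that never use a password */

/* Global, like the credential struct: shared by every request in the process. */
static int no_passwordless;

/* Mask a new request may use (hypothetical analogue of get_curl_handle). */
static unsigned allowed_auth(void)
{
	return no_passwordless ? (AUTH_ANY & ~AUTH_PASSWORDLESS) : AUTH_ANY;
}

/* Constructed server: offers Negotiate and Basic; the client has no valid ticket. */
static int mock_request(unsigned allowed, const char *password, unsigned *tried)
{
	if (allowed & AUTH_NEGOTIATE) { /* client prefers Negotiate when permitted */
		*tried = AUTH_NEGOTIATE;
		return 401;             /* ticket missing or expired */
	}
	*tried = AUTH_BASIC;
	return (password && *password) ? 200 : 401;
}

/* Record the outcome (hypothetical analogue of handle_curl_result). */
static void handle_result(int status, unsigned tried)
{
	if (status == 401 && (tried & AUTH_PASSWORDLESS))
		no_passwordless = 1;    /* it failed once; do not offer it again */
}

/* Retry loop: returns the final status and writes the number of requests sent. */
static int fetch(const char *password, int *requests)
{
	int status = 401;
	unsigned tried = 0;
	for (*requests = 0; *requests < 3 && status == 401; ++*requests) {
		status = mock_request(allowed_auth(), password, &tried);
		handle_result(status, tried);
	}
	return status;
}

int main(void)
{
	int n, status = fetch("constructed-password", &n);
	printf("status=%d requests=%d no_passwordless=%d\n", status, n, no_passwordless);
}
```

Because the flag is process-wide, a second `fetch` in the same run goes straight to Basic and completes in one request instead of two.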