We're finally moving from Subversion to GitLab. But Kerberos integration is halting me!

Howdy!

So, our team finally decided to start moving from subversion to Git (and Gitlab), yay! :slight_smile:

I, the sysadmin, have been tasked with starting to set up a GitLab instance (on-prem).

One of our requirements is to have this fit into our pre-existing RHEL Identity Management (FreeIPA) where the users are stored. Authentication will be 1) Kerberos and 2) LDAP.

I installed the gitlab-ce-16.9.1-ce.0.el9.x86_64 omnibus package following along the instructions at Install self-managed GitLab

The RHEL9 server (fqdn: gitlab.foo.com) is joined to our IPA Realm, and I’ve followed the instructions given on Integrate GitLab with Kerberos

At the top, the above URL states:

Tier: Free, Premium, Ultimate
Offering: Self-managed

Which I interpret as meaning that Kerberos is available in gitlab-ce; is that correct?

The contents of my minimal /etc/gitlab/gitlab.rb are:

```ruby
external_url 'https://gitlab.foo.com'
nginx['ssl_certificate'] = "/etc/ssl/certs/gitlab.foo.com.pem"
nginx['ssl_certificate_key'] = "/etc/ssl/private/gitlab.foo.com.key.pem"

# Let accounts be created automatically on first Kerberos sign-in
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['kerberos']

# Enable Kerberos and point at the keytab holding the HTTP service principal's key
gitlab_rails['kerberos_enabled'] = true
gitlab_rails['kerberos_keytab'] = "/etc/http.keytab"
```

After modifying /etc/gitlab/gitlab.rb I’ve issued a # gitlab-ctl reconfigure, and for good measure also rebooted the server.

Loading a browser from a client machine (that is joined to the same realm) just shows this when visiting https://gitlab.foo.com

So, basically, no Kerberos logon or button to authenticate using Kerberos.

After trying to dig through the logs in /var/log/gitlab/* (very, very verbose) I cannot find anything obviously wrong. No complaints when issuing # gitlab-ctl reconfigure either, and according to documentation this should work.

I remember some years ago, Kerberos was not included in gitlab-ce (I might be wrong here), so I tried dnf remove gitlab-ce and replaced it with dnf install gitlab-ee, and Kerberos was working out of the box, with the same /etc/gitlab/gitlab.rb as I was using with gitlab-ce.

As you can see, the “Sign in with Kerberos” button is present now, and clicking it logs me in (after I’ve approved the user in the Admin panel first, as the ‘root’ user).

So, what’s going on here? Am I misunderstanding the documentation that Kerberos is available in the Free version? Is the Free version the same as gitlab-ce ?

Please help me clarify this! :slight_smile:

Kindest regards,
Martin

Edit: Typos

GitLab EE without a subscription behaves like the Free tier. GitLab CE is a package without proprietary code, and pure FOSS. This means that some features cannot be shipped in GitLab CE, for example spam prevention which contains obfuscated training models, more in Spamcheck anti-spam service | GitLab

Some features might also be only available through the Registration Features program, latest update in Registration Features program expands by 16 free features. This requires GitLab EE and registration to use the features on the Free tier. I do not see Kerberos in the list in the docs, but maybe it is related to the behavior.


Hello @dnsmichi, and thank you for your prompt response!

I don’t feel like my question / request for clarification was properly addressed by your response.

Am I correctly understanding that Kerberos integration should work with the gitlab-ce package, as I understand it by reading “Integrate GitLab with Kerberos”? It says Free, Premium, Ultimate.

Is gitlab-ce considered to be the Free Tier in that context?

Kind regards,
Martin

I think Free in this instance is related to gitlab-ee without a subscription. Your results would also suggest that, as Kerberos worked on gitlab-ee but didn’t work on gitlab-ce.

Although I personally would also have thought that gitlab-ce is also free, and therefore it should work with it. But since you didn’t make any other config changes, just using the same gitlab.rb from your gitlab-ce install, that would suggest that gitlab-ce doesn’t include what is required to get Kerberos auth working.

Sorry about that. I did not have much time to research today, and wanted to add some helpful insights into the thread, instead of waiting for two weeks. I don’t have a Kerberos setup at hand to test ee and ce docker containers against it.

When the docs tier badge highlights the Free tier, it should be available in all editions. Unless the tier badge has additional details, such as different availability on self-managed or SaaS. Or, limited availability for OSS license reasons in only the Enterprise edition. Or, it is a documentation bug.

I did some more searching in the source code in gitlab-org/gitlab (Kerberos · Search · GitLab) and learned that the integration source code for Kerberos is in the ee/ directory, with a note in the docs that Kerberos is only available in the Enterprise edition.

I searched a bit more and found this issue where it says to move Kerberos into the Registration Program in 16.6 (which is available to EE free tier users, see my post above): Registration Features - Kerberos user authentication (#422265) · Issues · GitLab.org / GitLab · GitLab. Ultimately, the discussion ended with moving the feature to the free tier (which is EE in this case).

TL;DR - Kerberos is available in the Enterprise Edition in the free tier.

I’ve opened an issue to clarify the docs: Docs bug: Kerberos is only available in EE distribution (all tiers) (#444247) · Issues · GitLab.org / GitLab · GitLab

Both editions, Enterprise and Community, offer a Free tier. More in Choose your GitLab distribution | GitLab. For this specific context, it is EE but not clarified in the docs. Thanks for the feedback.


FYI, the Kerberos documentation has been updated in this MR.

For your setup, I recommend staying on GitLab EE, and using the free tier without a license.

Optionally, you can join the Feature Registration Program to take advantage of free feature access, for example group file templates, advanced search, or group wikis.
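
A pre-flight check for the situation this thread resolves, as an added example that is not from any poster or from GitLab: it flags `kerberos_enabled = true` on a package other than gitlab-ee and, going beyond the thread, a keytab that group or others can access. The function names are hypothetical; the package names and `gitlab.rb` keys are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the last uncommented value assigned to gitlab_rails['<key>'].
rb_value() {   # $1 = path to gitlab.rb, $2 = key
    sed -n "s/^[[:space:]]*gitlab_rails\['$2'\][[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' |
        tr -d "\"'"
}

# Name of the installed Omnibus package on an RPM-based host (RHEL in the thread).
installed_gitlab_pkg() {
    rpm -qa --qf '%{NAME}\n' 'gitlab-[ce]e' | head -n 1
}

# check_kerberos <package-name> <gitlab.rb>
# Returns 0 = fine, 1 = Kerberos enabled on a package without it, 2 = keytab problem.
check_kerberos() {
    pkg=$1
    rb=$2
    if [ "$(rb_value "$rb" kerberos_enabled)" != "true" ]; then
        echo "Kerberos not enabled in $rb; nothing to check"
        return 0
    fi
    case $pkg in
        gitlab-ee*) ;;
        *)  # reconfigure reports no error here; the sign-in button is simply absent
            echo "FAIL: kerberos_enabled = true, but package is '$pkg' (integration ships only in gitlab-ee)"
            return 1 ;;
    esac
    keytab=$(rb_value "$rb" kerberos_keytab)
    if [ ! -f "$keytab" ]; then
        echo "FAIL: keytab '$keytab' not found"
        return 2
    fi
    # The keytab holds the service principal's long-term key: owner-only access.
    if [ "$(ls -ld "$keytab" | cut -c5-10)" != "------" ]; then
        echo "FAIL: keytab '$keytab' is accessible to group or others"
        return 2
    fi
    echo "OK: $pkg with Kerberos enabled, keytab $keytab"
}

# Stand-alone use: sh check.sh "$(rpm -qa --qf '%{NAME}\n' 'gitlab-[ce]e')" /etc/gitlab/gitlab.rb
[ $# -eq 0 ] || check_kerberos "$@"
```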

Thank you, @dnsmichi for your attention on this, and for creating the Issue & MR :slight_smile:

We’re making great progress on the implementation :slight_smile:

Kind regards,
Martin
