Getting 401 Unauthorized over https from RHEL 6.8 running git 1.7.1 when cloning TFS 2017 gi



I recently upgraded from on-premises TFS 2013 to TFS 2017 (Update 3). As part of the upgrade\migration to a new server, we switched from using port 8080 to port 443 (https).

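We have an old RHEL 6.8 machine that we have been using as a build server for a handful of Java projects that use Git. The server is running git 1.7.1 (which ships with RHEL 6), and we can no longer clone\pull\push the Git repositories hosted in TFS.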

FYI - I am using export GIT_CURL_VERBOSE=1 to increase logging.

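My initial problem was that Git did not trust the certificate from my company's internal CA (Peer's certificate issuer is not recognized). I fixed this by adding the internal certificate to my ca-bundle.crt.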

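With that resolved, I am now getting a 401 Unauthorized error that I cannot figure out. I can authenticate against the exact same URL using cURL as long as I supply the --ntlm switch. Git appears to be using NTLM, but for whatever reason it refuses to work.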

-sh-4.1$ curl -k -u 'DOMAINusername' --ntlm https://tfs.mycompany.com/tfs/TeamProjectCollection/TeamProjectName/_git/reponame/info/refs?service=git-upload-pack 
Enter host password for user 'DOMAINusername':
001e# service=git-upload-pack
000000a5d9f0c36ca42f5a65fc80bd39162b40b472e06c1b HEAD multi_ack thin-pack side-band side-band-64k no-progress multi_ack_detailed no-done shallow allow-tip-sha1-in-want
003fd9f0c36ca42f5a65fc80bd39162b40b472e06c1b refs/heads/master
0000
-sh-4.1$ curl -k -u 'DOMAINusername' --ntlm https://tfs.mycompany.com/tfs/TeamProjectCollection/TeamProjectName/_git/reponame/info/refs 
Enter host password for user 'DOMAINusername':
d9f0c36ca42f5a65fc80bd39162b40b472e06c1b        refs/heads/master

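But when trying to clone with the following command, I get a 401. Before the upgrade, with TFS 2013, we used the http://DOMAIN\username@tfs.mycompany.com:8080 syntax and it worked. I recall that we had to turn on Basic authentication for that. However, after upgrading to TFS 2017, it no longer works whether or not Basic authentication is enabled.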

-sh-4.1$ git clone 'https://DOMAINusername@tfs.mycompany.com/tfs/TeamProjectCollection/TeamProject/_git/reponame'
Initialized empty Git repository in /home/username/git/reponame/.git/
Password:
* Couldn't find host tfs.mycompany.com in the .netrc file; using defaults
* About to connect() to tfs.mycompany.com port 443 (#0)
*   Trying 10.131.44.190... * Connected to tfs.mycompany.com (10.131.44.190) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /home/username/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=tfs.mycompany.com,OU=IT,O=Company Name,L=Chicago,ST=IL,C=US
*       start date: Jun 05 18:12:59 2018 GMT
*       expire date: Jun 04 18:12:59 2020 GMT
*       common name: tfs.mycompany.com
*       issuer: CN=MYCOMPANY-ADIssuingCA01,DC=ad,DC=mycompany,DC=org
> GET /tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.7.1
Host: tfs.mycompany.com
Accept: */*
Pragma: no-cache
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/8.5
< X-TFS-ProcessId: 624831c6-b5e1-4f34-a100-404f077c0fbe
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< ActivityId: b38e342d-14ed-4c62-9718-a96c8d5fe14c
< X-TFS-Session: b38e342d-14ed-4c62-9718-a96c8d5fe14c
< X-VSS-E2EID: b38e342d-14ed-4c62-9718-a96c8d5fe14c
< X-FRAME-OPTIONS: SAMEORIGIN
< X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e
< X-TFS-ServiceError: TF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.
< WWW-Authenticate: Bearer
< WWW-Authenticate: Basic realm="https://tfs.mycompany.com/tfs"
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-Powered-By: ASP.NET
< P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
< Lfs-Authenticate: NTLM
< X-Content-Type-Options: nosniff
< Date: Tue, 19 Jun 2018 15:21:16 GMT
< Content-Length: 20181
<
* Ignoring the response-body
* Connection #0 to host tfs.mycompany.com left intact
* Issue another request to this URL: 'https://DOMAINusername@tfs.mycompany.com/tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs?service=git-upload-pack'
* Couldn't find host tfs.mycompany.com in the .netrc file; using defaults
* Re-using existing connection! (#0) with host tfs.mycompany.com
* Connected to tfs.mycompany.com (10.131.44.190) port 443 (#0)
> GET /tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.7.1
Host: tfs.mycompany.com
Accept: */*
Pragma: no-cache
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/8.5
< X-TFS-ProcessId: 624831c6-b5e1-4f34-a100-404f077c0fbe
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< ActivityId: b38e34c0-14ed-4c62-9718-a96c8d5fe14c
< X-TFS-Session: b38e34c0-14ed-4c62-9718-a96c8d5fe14c
< X-VSS-E2EID: b38e34c0-14ed-4c62-9718-a96c8d5fe14c
< X-FRAME-OPTIONS: SAMEORIGIN
< X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e
< X-TFS-ServiceError: TF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.
< WWW-Authenticate: Bearer
< WWW-Authenticate: Basic realm="https://tfs.mycompany.com/tfs"
* gss_init_sec_context() failed: : Server not found in Kerberos database< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-Powered-By: ASP.NET
< P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
< Lfs-Authenticate: NTLM
< X-Content-Type-Options: nosniff
< Date: Tue, 19 Jun 2018 15:21:16 GMT
< Content-Length: 20181
* The requested URL returned error: 401
* Closing connection #0
* Couldn't find host tfs.mycompany.com in the .netrc file; using defaults
* About to connect() to tfs.mycompany.com port 443 (#0)
*   Trying 10.131.44.190... * Connected to tfs.mycompany.com (10.131.44.190) port 443 (#0)
*   CAfile: /home/username/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=tfs.mycompany.com,OU=IT,O=Company Name,L=Chicago,ST=IL,C=US
*       start date: Jun 05 18:12:59 2018 GMT
*       expire date: Jun 04 18:12:59 2020 GMT
*       common name: tfs.mycompany.com
*       issuer: CN=MYCOMPANY-ADIssuingCA01,DC=ad,DC=mycompany,DC=org
> GET /tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs HTTP/1.1
User-Agent: git/1.7.1
Host: tfs.mycompany.com
Accept: */*
Pragma: no-cache
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/8.5
< X-TFS-ProcessId: 624831c6-b5e1-4f34-a100-404f077c0fbe
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< ActivityId: b38fcb66-14ed-4c62-9718-a96c8d5fe14c
< X-TFS-Session: b38fcb66-14ed-4c62-9718-a96c8d5fe14c
< X-VSS-E2EID: b38fcb66-14ed-4c62-9718-a96c8d5fe14c
< X-FRAME-OPTIONS: SAMEORIGIN
< X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e
< X-TFS-ServiceError: TF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.
< WWW-Authenticate: Bearer
< WWW-Authenticate: Basic realm="https://tfs.mycompany.com/tfs"
* gss_init_sec_context() failed: : Server not found in Kerberos database< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-Powered-By: ASP.NET
< P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
< Lfs-Authenticate: NTLM
< X-Content-Type-Options: nosniff
< Date: Tue, 19 Jun 2018 15:21:16 GMT
< Content-Length: 20153
* The requested URL returned error: 401
* Closing connection #0
error: The requested URL returned error: 401 while accessing https://DOMAINusername@tfs.mycompany.com/tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs
fatal: HTTP request failed

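I am going to have our Linux admin upgrade the version of Git on this server, because I know it is really out of date. I hope that fixes the problem... but beyond that I am basically stuck on this and do not know how to resolve it.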

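The solution was to upgrade Git to the latest version via Yum from the authorized RHEL distribution. Git 1.7.1 could not communicate with the TFS Git repositories over HTTPS, even after we added the internal root certificate to ca-bundle.crt.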
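An added example, not part of the original post: a small reader for GIT_CURL_VERBOSE traces like the one above. For each request it reports whether an Authorization header was sent, which schemes the server offered, and any GSSAPI failure. The function names and the abbreviated sample trace are constructed for illustration.

```python
import re

# Constructed sample, abbreviated from the GIT_CURL_VERBOSE trace in the question.
SAMPLE_TRACE = """\
> GET /tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.7.1
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Bearer
< WWW-Authenticate: Basic realm="https://tfs.mycompany.com/tfs"
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
> GET /tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs?service=git-upload-pack HTTP/1.1
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="https://tfs.mycompany.com/tfs"
* gss_init_sec_context() failed: : Server not found in Kerberos database< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
"""

def analyze_trace(text):
    """Return one dict per HTTP exchange found in a curl verbose trace."""
    exchanges, cur, in_req = [], None, False
    for raw in text.splitlines():
        # Old curl glues a '*' info line onto the next '<' header; split them apart.
        for line in filter(None, re.split(r"(?=< [\w-]+: |< HTTP/)", raw)):
            if re.match(r"> [A-Z]+ \S+ HTTP/", line):
                cur = {"status": None, "sent_auth": None, "offered": [], "gss_errors": []}
                exchanges.append(cur)
                in_req = True
            elif cur is None:
                continue
            elif line.startswith(("< ", "* ")):
                in_req = False
                if m := re.match(r"< HTTP/\S+ (\d{3})", line):
                    cur["status"] = int(m.group(1))
                elif m := re.match(r"< WWW-Authenticate: (\S+)", line, re.I):
                    cur["offered"].append(m.group(1))
                elif "gss_init_sec_context() failed" in line:
                    cur["gss_errors"].append(line.split("failed:", 1)[1].strip(" :"))
            elif in_req and (m := re.match(r"(?:> )?Authorization: (\S+)", line, re.I)):
                cur["sent_auth"] = m.group(1)  # keep the scheme only, never the credential
    return exchanges

def diagnose(exchanges):
    notes = []
    for i, ex in enumerate(exchanges, 1):
        if ex["status"] == 401:
            notes.append(f"request {i}: 401 with {ex['sent_auth'] or 'no'} Authorization header; offered: {', '.join(ex['offered'])}")
        notes += [f"request {i}: GSSAPI failed: {e}" for e in ex["gss_errors"]]
    return notes
```

Run on the trace from the question, `diagnose(analyze_trace(...))` shows that none of the three requests carried an Authorization header and that the Negotiate attempt failed inside GSSAPI.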
