Question
I've been bashing my head against the desk, attempting to provide an out-of-the-box Windows workstation Git for developers. This already 100% works on Linux: you kinit, and then you ssh without being prompted.
The Active Directory domain serves as the Kerberos server, KDC, etc. My Linux clients can get their Kerberos tickets from it, and pass them to my Linux servers, without any problem. In fact I've been so burned with Kerberos AD, I know it incredibly well unfortunately.
Normally on Linux clients, I have to have a proper krb5.conf. Does Git for Windows support this type of config? Do I just throw one in the "etc" directory?
Thanks, I appreciate any help replicating this client experience on "Git for Windows"... or getting hard confirmations that clearly indicate this is not actually possible.
Answer 1:
After some intense research, I was able to understand why this was never going to work.
Basically, to have Kerberos support from the native OS, you have to use the same linked library as the native OS. This means that when you log in to Windows, your ticket is available to any program which links to the Windows SSPI.
GitBash isn't a full OS port, as it has no native integration with the Windows SSPI. Now if you had a kinit compiled with the same library as in GitBash, at LEAST you could manually do a second kinit. This is exactly what I used to do on Cygwin. I found GitBash DID have GSSAPI support compiled in, but without the accompanying kinit, there is no way to pass a ticket.
I'd either need to make my own version of GitBash, including a compiled kinit, or go back to Cygwin. Neither was a remotely supportable option, considering this is an enterprise environment.
What I DO believe is possible is setting Git to use PuTTY's plink; the recent versions have SSPI linked for its Kerberos.
Source: https://stackoverflow.com/questions/31122065/git-for-windows-domain-kerberos-ssh-to-linux-server