I followed the instructions from freeipa.org (
https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make libvirt
and VNC use GSSAPI authentication with FreeIPA. The libvirt part works
fine: I'm able to SSO the KVM host using TCP + SASL. However, I'm
unable to get a VNC connection to any guest: both virt-manager and virt
-viewer fail. The former speaks about a "closed or refused connection",
and the latter just closes.

On the KVM host, each VNC login attempt adds the following record to
the systemd journal:

        qemu-kvm[3202]: GSSAPI server step 1

On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
correct to me:

        # ps -aux | grep qemu-kvm
        <snip> -vnc,sasl <snip>

QEMU may read the VNC keytab

        $ ls -l /etc/qemu/
        total 4
        -rw-------. 1 qemu root 458 30 août  15:48 krb5.tab

Contents of /etc/sasl2/qemu-kvm.conf (comments removed)

        mech_list: gssapi
        keytab: /etc/qemu/krb5.tab

The client seems to grab correct tickets:

        $ klist
        Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
        Default principal: ma...@cloud.olivarim.com

        Valid starting       Expires              Service principal
        30/08/2015 16:11:22  31/08/2015 15:34:53  vnc/nice-hkvm-ctrl-01
        30/08/2015 16:08:12  31/08/2015 15:34:53  libvirt/nice-hkvm-ctr

KVM Host is Centos 7.2, up to date.

FreeIPA server is Centos 7.2, up to date, with FreeIPA 4.1.0 rev.

Client is Fedora 22, up to date.

I tried to disable both the firewall and SELinux but it did not change

Do you have any clues ?



Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to