Hi,

I followed the instructions from freeipa.org (https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make libvirt and VNC use GSSAPI authentication with FreeIPA. The libvirt part works fine: I'm able to SSO the KVM host using TCP + SASL. However, I'm unable to get a VNC connection to any guest: both virt-manager and virt-viewer fail. The former speaks about a "closed or refused connection", and the latter just closes.

On the KVM host, each VNC login attempt adds the following record to the systemd journal:

    qemu-kvm: GSSAPI server step 1

On the host, libvirt starts qemu-kvm with a SASL VNC, which seems correct to me:

    # ps -aux | grep qemu-kvm
    <snip> -vnc 0.0.0.0:0,sasl <snip>

QEMU may read the VNC keytab:

    $ ls -l /etc/qemu/
    total 4
    -rw-------. 1 qemu root 458 30 août 15:48 krb5.tab

Contents of /etc/sasl2/qemu-kvm.conf (comments removed):

    mech_list: gssapi
    keytab: /etc/qemu/krb5.tab

The client seems to grab correct tickets:

    $ klist
    Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
    Default principal: ma...@cloud.olivarim.com

    Valid starting       Expires              Service principal
    30/08/2015 16:11:22  31/08/2015 15:34:53  vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim....@cloud.olivarim.com
    30/08/2015 16:08:12  31/08/2015 15:34:53  libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim....@cloud.olivarim.com

KVM host is CentOS 7.2, up to date.
FreeIPA server is CentOS 7.2, up to date, with FreeIPA 4.1.0 rev. 18.el7.centos.4.
Client is Fedora 22, up to date.

I tried to disable both the firewall and SELinux, but it did not change anything.

Do you have any clues?

Thanks!
Marin.