On 09/01/2015 07:30 AM, Brendan Kearney wrote:
On 08/30/2015 12:49 PM, Marin Bernard wrote:
Hi,

I followed the instructions from freeipa.org (
https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make libvirt
and VNC use GSSAPI authentication with FreeIPA. The libvirt part works
fine: I'm able to SSO the KVM host using TCP + SASL. However, I'm
unable to get a VNC connection to any guest: both virt-manager and virt
-viewer fail. The former speaks about a "closed or refused connection",
and the latter just closes.


On the KVM host, each VNC login attempt adds the following record to
the systemd journal:

    qemu-kvm[3202]: GSSAPI server step 1


On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
correct to me:

    # ps -aux | grep qemu-kvm

    <snip> -vnc 0.0.0.0:0,sasl <snip>


QEMU may read the VNC keytab

    $ ls -l /etc/qemu/
    total 4
    -rw-------. 1 qemu root 458 30 août  15:48 krb5.tab


Contents of /etc/sasl2/qemu-kvm.conf (comments removed)

    mech_list: gssapi
    keytab: /etc/qemu/krb5.tab


The client seems to grab correct tickets:

    $ klist
    Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
    Default principal: ma...@cloud.olivarim.com

    Valid starting       Expires              Service principal
    30/08/2015 16:11:22  31/08/2015 15:34:53  vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim....@cloud.olivarim.com
    30/08/2015 16:08:12  31/08/2015 15:34:53  libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim....@cloud.olivarim.com

KVM Host is Centos 7.2, up to date.

FreeIPA server is Centos 7.2, up to date, with FreeIPA 4.1.0 rev.
18.el7.centos.4

Client is Fedora 22, up to date.

I tried to disable both the firewall and SELinux but it did not change
anything.

Do you have any clues?

Thanks!

Marin.

My /etc/sasl2/qemu.conf (note the different file name, may be relevant*):

    mech_list: gssapi
    keytab: /etc/qemu/qemu.keytab
    sasldb_path: /etc/qemu/passwd.db
    auxprop_plugin: sasldb

My /etc/sasl2/libvirt.conf:

    mech_list: gssapi
    keytab: /etc/libvirt/libvirt.keytab

My /etc/qemu/qemu.keytab file has the principal used/needed for VNC (vnc/host.domain.tld@REALM). You can check yours with "klist -Kket /path/to/qemu.keytab".

My /etc/libvirt/libvirt.keytab file has the principal used/needed for virt-manager or virsh console (libvirt/host.domain.tld@REALM). You can check yours with "klist -Kket /path/to/libvirt.keytab".

* The name of the file in /etc/sasl2/ is tied to the name of the application. Find the sysadmin.html page for Cyrus-SASL-libs, which states:

By default, the Cyrus SASL library reads its options from /usr/lib/sasl2/App.conf (where "App" is the application defined name of the application). For instance, Sendmail reads its configuration from "/usr/lib/sasl2/Sendmail.conf" and the sample server application included with the library looks in "/usr/lib/sasl2/sample.conf".

It is the appname argument of sasl_server_init(3):

sasl_server_init(3)               SASL man pages               sasl_server_init(3)

NAME
       sasl_server_init - SASL server authentication initialization

SYNOPSIS
       #include <sasl/sasl.h>

       int sasl_server_init(const sasl_callback_t *callbacks,
                            const char *appname);

DESCRIPTION
       sasl_server_init() initializes SASL. It must be called before any
       calls to sasl_server_start, and only once per process. This call
       initializes all SASL mechanism drivers (e.g. authentication
       mechanisms). These are usually found in the /usr/lib/sasl2 directory
       but the directory may be overridden with the SASL_PATH environment
       variable (or at compile time).

       callbacks specifies the base callbacks for all client connections.
       See the sasl_callbacks man page for more information.

       appname is the name of the application. It is used for where to
       find the default configuration file.
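An added example, not from either poster, that checks the two things this thread turns on: that the SASL config file carries the application name QEMU passes to sasl_server_init() (which is "qemu", hence /etc/sasl2/qemu.conf, not qemu-kvm.conf), and that the keytab it points at actually contains a vnc/<host>@<REALM> entry. The keytab reader parses the MIT keytab format (version 0x0502) so it can be run offline; the keytab bytes, host name and realm below are constructed for the demonstration.

```python
import struct

# Constructed stand-in for the MIT keytab on the KVM host (format 0x0502).
def build_keytab(principals, kvno=1, enctype=18, key=b"\x00" * 32):
    data = b"\x05\x02"
    for principal in principals:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        # name_type, timestamp, vno8, enctype, key length, key bytes
        body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
        data += struct.pack(">i", len(body)) + body
    return data

def keytab_principals(data):
    """List the principals in a keytab, as 'klist -kt' would show them."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    out, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack(">i", data[off:off + 4]); off += 4
        if size < 0:                      # negative size marks a deleted slot
            off -= size; continue
        entry, off = data[off:off + size], off + size
        ncomp, rlen = struct.unpack(">HH", entry[:4]); p = 4
        realm, p = entry[p:p + rlen].decode(), p + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", entry[p:p + 2]); p += 2
            comps.append(entry[p:p + clen].decode()); p += clen
        out.append("/".join(comps) + "@" + realm)
    return out

def check_vnc_sasl(conf_name, conf_text, keytab_data, host_fqdn, realm):
    """Return the problems a VNC+GSSAPI setup would hit; empty list means OK."""
    problems = []
    if conf_name != "qemu.conf":  # QEMU calls sasl_server_init(..., "qemu")
        problems.append(f"{conf_name} is ignored; QEMU reads /etc/sasl2/qemu.conf")
    lines = [l for l in conf_text.splitlines() if ":" in l and not l.startswith("#")]
    opts = {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in lines)}
    if "gssapi" not in opts.get("mech_list", "").split():
        problems.append("mech_list does not offer gssapi")
    if "keytab" not in opts:
        problems.append("no keytab option")
    want = f"vnc/{host_fqdn}@{realm}"
    if want not in keytab_principals(keytab_data):
        problems.append(f"keytab lacks {want}")
    return problems
```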


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project