Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
hi, sasl_allowed_username_list = [ad...@ipa.example.com ] if I leave this field commented out (default setting), everybody can manage the kvm host. -- Regards, natxo On Fri, Nov 30, 2012 at 3:42 PM, Daniel P. Berrange berra...@redhat.com wrote: On Fri, Nov 30, 2012 at 09:25:34AM -0500, Simo

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange berra...@redhat.com wrote: On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote: hi, sasl_allowed_username_list = [ad...@ipa.example.com ] if I leave this field commented out (default setting), everybody can manage the kvm host.

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Daniel P. Berrange
On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote: hi, sasl_allowed_username_list = [ad...@ipa.example.com ] if I leave this field commented out (default setting), everybody can manage the kvm host. Oh it isn't very obvious, but in this log message: 2012-11-30

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Daniel P. Berrange
On Fri, Nov 30, 2012 at 09:25:34AM -0500, Simo Sorce wrote: Hi Natxo, On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote: hi, I'm following the howto on http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate users for virsh with ipa. I have it mostly working :-)

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Daniel P. Berrange
On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote: On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange berra...@redhat.com wrote: On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote: hi, sasl_allowed_username_list = [ad...@ipa.example.com ] if I leave this field

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Simo Sorce
On Fri, 2012-11-30 at 16:16 +0100, Natxo Asenjo wrote: On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange berra...@redhat.com wrote: On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote: hi, sasl_allowed_username_list = [ad...@ipa.example.com ] if I leave this field

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Dmitri Pal
On 11/30/2012 10:20 AM, Daniel P. Berrange wrote: On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote: On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange berra...@redhat.com wrote: On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote: hi, sasl_allowed_username_list =

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Daniel P. Berrange
On Fri, Nov 30, 2012 at 11:33:30AM -0500, Dmitri Pal wrote: On 11/30/2012 10:20 AM, Daniel P. Berrange wrote: On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote: On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange berra...@redhat.com wrote: On Fri, Nov 30, 2012 at 03:56:14PM

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
On Fri, Nov 30, 2012 at 4:52 PM, Simo Sorce s...@redhat.com wrote: Natxo, it sounds odd that you are getting back a non fully qualified principal name, are you sure your configuration is using SASL/GSSAPI? What other directives have you configured? I have followed the howto in the

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange berra...@redhat.com wrote: On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote: Thanks. If I may just hijack this thread: is it possible to whitelist groups instead of individual users to use virsh/virtual manager? I know sasl only

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Daniel P. Berrange
On Fri, Nov 30, 2012 at 06:56:28PM +0100, Natxo Asenjo wrote: On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange berra...@redhat.com wrote: On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote: Thanks. If I may just hijack this thread: is it possible to whitelist groups instead