[Freeipa-users] GSSAPI authentication for libvirt VNC
Marin Bernard
lists at olivarim.com
Sun Aug 30 16:49:49 UTC 2015
Hi,
I followed the instructions from freeipa.org (
https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make libvirt
and VNC use GSSAPI authentication with FreeIPA. The libvirt part works
fine: I'm able to SSO the KVM host using TCP + SASL. However, I'm
unable to get a VNC connection to any guest: both virt-manager and
virt-viewer fail. The former speaks about a "closed or refused connection",
and the latter just closes.
On the KVM host, each VNC login attempt adds the following record to
the systemd journal:
qemu-kvm[3202]: GSSAPI server step 1
On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
correct to me:
# ps -aux | grep qemu-kvm
<snip> -vnc 0.0.0.0:0,sasl <snip>
QEMU may read the VNC keytab:
$ ls -l /etc/qemu/
total 4
-rw-------. 1 qemu root 458 30 août 15:48 krb5.tab
Contents of /etc/sasl2/qemu-kvm.conf (comments removed):
mech_list: gssapi
keytab: /etc/qemu/krb5.tab
The client seems to grab correct tickets:
$ klist
Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
Default principal: marin at CLOUD.OLIVARIM.COM
Valid starting       Expires              Service principal
30/08/2015 16:11:22  31/08/2015 15:34:53  vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
30/08/2015 16:08:12  31/08/2015 15:34:53  libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
KVM Host is CentOS 7.2, up to date.
FreeIPA server is CentOS 7.2, up to date, with FreeIPA 4.1.0 rev.
18.el7.centos.4
Client is Fedora 22, up to date.
I tried to disable both the firewall and SELinux but it did not change
anything.
Do you have any clues?
Thanks!
Marin.