[Freeipa-users] GSSAPI authentication for libvirt VNC
Brendan Kearney
bpk678 at gmail.com
Tue Sep 1 13:30:24 UTC 2015
On 08/30/2015 12:49 PM, Marin Bernard wrote:
> Hi,
>
> I followed the instructions from freeipa.org (
> https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make libvirt
> and VNC use GSSAPI authentication with FreeIPA. The libvirt part works
> fine: I'm able to SSO the KVM host using TCP + SASL. However, I'm
> unable to get a VNC connection to any guest: both virt-manager and virt
> -viewer fail. The former speaks about a "closed or refused connection",
> and the latter just closes.
>
>
> On the KVM host, each VNC login attempt adds the following record to
> the systemd journal:
>
> qemu-kvm[3202]: GSSAPI server step 1
>
>
> On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
> correct to me:
>
> # ps -aux | grep qemu-kvm
>
> <snip> -vnc 0.0.0.0:0,sasl <snip>
>
>
> QEMU may read the VNC keytab
>
> $ ls -l /etc/qemu/
> total 4
> -rw-------. 1 qemu root 458 30 août 15:48 krb5.tab
>
>
> Contents of /etc/sasl2/qemu-kvm.conf (comments removed)
>
> mech_list: gssapi
> keytab: /etc/qemu/krb5.tab
>
>
> The client seems to grab correct tickets:
>
> $ klist
> Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
> Default principal: marin at CLOUD.OLIVARIM.COM
>
> Valid starting       Expires              Service principal
> 30/08/2015 16:11:22  31/08/2015 15:34:53  vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
> 30/08/2015 16:08:12  31/08/2015 15:34:53  libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
>
> KVM Host is Centos 7.2, up to date.
>
> FreeIPA server is Centos 7.2, up to date, with FreeIPA 4.1.0 rev.
> 18.el7.centos.4
>
> Client is Fedora 22, up to date.
>
> I tried to disable both the firewall and SELinux but it did not change
> anything.
>
> Do you have any clues ?
>
> Thanks!
>
> Marin.
>
my /etc/sasl2/qemu.conf (note the different file name, may be relevant*):
mech_list: gssapi
keytab: /etc/qemu/qemu.keytab
sasldb_path: /etc/qemu/passwd.db
auxprop_plugin: sasldb
my /etc/sasl2/libvirt.conf:
mech_list: gssapi
keytab: /etc/libvirt/libvirt.keytab
my /etc/qemu/qemu.keytab file has the principal used/needed for VNC
(vnc/host.domain.tld at REALM). You can check yours with "klist -Kket
/path/to/qemu.keytab".
my /etc/libvirt/libvirt.keytab file has the principal used/needed for
virt-manager or virsh console (libvirt/host.domain.tld at REALM). You can
check yours with "klist -Kket /path/to/libvirt.keytab".
* the name of the file in /etc/sasl2/ is tied to the name of the
application. Find the sysadmin.html page for Cyrus-SASL-libs, which states:
By default, the Cyrus SASL library reads its options from
/usr/lib/sasl2/App.conf (where "App" is the application defined name of
the application). For instance, Sendmail reads its configuration from
"/usr/lib/sasl2/Sendmail.conf" and the sample server application
included with the library looks in "/usr/lib/sasl2/sample.conf".
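The two things the reply above points at, the application-specific name of the /etc/sasl2/ file and a keytab that really carries the vnc/ principal, can be checked mechanically. The script below is an added example and is not code from this thread, from QEMU or from FreeIPA. It assumes the application name is "qemu" (the file name that works in the reply above; pass whatever name your QEMU build registers with Cyrus SASL), that the keytab listing is the output of "klist -ket KEYTAB", and it uses a constructed config and a constructed klist listing with made-up host kvm01.example.com and realm EXAMPLE.COM.

```python
"""Consistency checks for Cyrus SASL GSSAPI on a QEMU VNC host.

Added example, not code from the mailing-list thread. The sample SASL
config and the sample 'klist -ket' listing below are constructed.
"""
import re


def parse_sasl_conf(text):
    """Parse a Cyrus SASL application config: 'key: value' lines, '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = value.strip()
    return opts


def parse_keytab_listing(text):
    """Return {principal: {kvno, ...}} from the output of 'klist -ket KEYTAB'.

    Entry lines start with a numeric KVNO; the principal is the first token
    that contains both '/' and '@' (the timestamp has '/' but no '@').
    """
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)$", line)
        if not m:
            continue
        kvno = int(m.group(1))
        for tok in m.group(2).split():
            if "/" in tok and "@" in tok:
                entries.setdefault(tok, set()).add(kvno)
                break
    return entries


def check_vnc_sasl(conf_path, conf_text, keytab_listing, fqdn, realm, app="qemu"):
    """Return a list of problems; an empty list means the setup looks consistent.

    'app' is the name QEMU hands to Cyrus SASL, which decides which
    /etc/sasl2/<app>.conf is read (assumed 'qemu' here).
    """
    problems = []
    expected_conf = "/etc/sasl2/%s.conf" % app
    if conf_path != expected_conf:
        problems.append("config is %s, but application name '%s' makes Cyrus SASL read %s"
                        % (conf_path, app, expected_conf))
    opts = parse_sasl_conf(conf_text)
    mechs = opts.get("mech_list", "").lower().split()
    if "gssapi" not in mechs:
        problems.append("mech_list does not offer gssapi: %r" % opts.get("mech_list"))
    if not opts.get("keytab"):
        problems.append("no 'keytab:' option; the GSSAPI plugin would use the "
                        "default keytab (normally /etc/krb5.keytab)")
    principal = "vnc/%s@%s" % (fqdn, realm)  # VNC SASL expects the vnc/ service
    entries = parse_keytab_listing(keytab_listing)
    if principal not in entries:
        problems.append("keytab has no key for %s (found: %s)"
                        % (principal, ", ".join(sorted(entries)) or "nothing"))
    return problems


# Constructed sample of /etc/sasl2/qemu.conf.
SAMPLE_CONF = """# constructed sample
mech_list: gssapi
keytab: /etc/qemu/qemu.keytab
"""

# Constructed sample of 'klist -ket /etc/qemu/qemu.keytab' output.
SAMPLE_KLIST = """Keytab name: FILE:/etc/qemu/qemu.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/30/2015 15:48:11 vnc/kvm01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 08/30/2015 15:48:11 vnc/kvm01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""


def demo():
    """Run the check on a good setup, a misnamed config and a wrong host name."""
    args = (SAMPLE_CONF, SAMPLE_KLIST)
    ok = check_vnc_sasl("/etc/sasl2/qemu.conf", *args, fqdn="kvm01.example.com", realm="EXAMPLE.COM")
    wrong_name = check_vnc_sasl("/etc/sasl2/qemu-kvm.conf", *args, fqdn="kvm01.example.com", realm="EXAMPLE.COM")
    wrong_host = check_vnc_sasl("/etc/sasl2/qemu.conf", *args, fqdn="kvm02.example.com", realm="EXAMPLE.COM")
    return ok, wrong_name, wrong_host


if __name__ == "__main__":
    for label, probs in zip(("ok", "wrong file name", "wrong host"), demo()):
        print("%s: %s" % (label, probs or "no problems found"))
```

On a real host, feed the script the contents of the config file you actually have under /etc/sasl2/ and the output of "klist -ket" on the keytab named in it, run as the user QEMU runs under so that a permission problem on the keytab shows up at the same time; run it again with the libvirt file and the libvirt/ principal if that side is in doubt.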