[Freeipa-users] GSSAPI authentication for libvirt VNC

Brendan Kearney bpk678 at gmail.com
Tue Sep 1 13:30:24 UTC 2015 

On 08/30/2015 12:49 PM, Marin Bernard wrote:
> Hi,
>
> I followed the instructions from freeipa.org (
> https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make libvirt
> and VNC use GSSAPI authentication with FreeIPA. The libvirt part works
> fine: I'm able to SSO the KVM host using TCP + SASL. However, I'm
> unable to get a VNC connection to any guest: both virt-manager and virt
> -viewer fail. The former speaks about a "closed or refused connection",
> and the latter just closes.
>
>
> On the KVM host, each VNC login attempt adds the following record to
> the systemd journal:
>
> 	qemu-kvm[3202]: GSSAPI server step 1
>
>
> On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
> correct to me:
>
> 	# ps -aux | grep qemu-kvm
> 	
> 	<snip> -vnc 0.0.0.0:0,sasl <snip>
>
>
> QEMU may read the VNC keytab
>
> 	$ ls -l /etc/qemu/
> 	total 4
> 	-rw-------. 1 qemu root 458 30 août  15:48 krb5.tab
>
>
> Contents of /etc/sasl2/qemu-kvm.conf (comments removed)
>
> 	mech_list: gssapi
> 	keytab: /etc/qemu/krb5.tab
>
>
> The client seems to grab correct tickets:
>
> 	$ klist
> 	Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
> 	Default principal: marin at CLOUD.OLIVARIM.COM
>
> 	Valid starting       Expires              Service principal
> 	30/08/2015 16:11:22  31/08/2015 15:34:53  vnc/nice-hkvm-ctrl-01
> 	.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
> 	30/08/2015 16:08:12  31/08/2015 15:34:53  libvirt/nice-hkvm-ctr
> 	l-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
>
> KVM Host is Centos 7.2, up to date.
>
> FreeIPA server is Centos 7.2, up to date, with FreeIPA 4.1.0 rev.
> 18.el7.centos.4
>
> Client is Fedora 22, up to date.
>
> I tried to disable both the firewall and SELinux but it did not change
> anything.
>
> Do you have any clues ?
>
> Thanks!
>
> Marin.
>
my /etc/sasl2/qemu.conf (note the different file name, may be relevant*):

mech_list: gssapi
keytab: /etc/qemu/qemu.keytab
sasldb_path: /etc/qemu/passwd.db
auxprop_plugin: sasldb

my /etc/sasl2/libvirt.conf:

mech_list: gssapi
keytab: /etc/libvirt/libvirt.keytab

my /etc/qemu/qemu.keytab file has the principal used/needed for VNC 
(vnc/host.domain.tld at REALM).  you can check yours with "klist -Kket 
/path/to/qemu.keytab"

my /etc/libvirt/libvirt.keytab file has the principal used/needed for 
virt-manager or virsh console (libvirt/host.domain.tld at REALM). you can 
check your with "klist -Kket /path/to/libvirt.keytab"

* the name of the file in /etc/sasl2/ is tied to the name of the 
application.  find the sysadmin.html page for Cyrus-SASL-libs, which states:

By default, the Cyrus SASL library reads it's options from 
/usr/lib/sasl2/App.conf (where "App" is the application defined name of 
the application). For instance, Sendmail reads it's configuration from 
"/usr/lib/sasl2/Sendmail.conf" and the sample server application 
included with the library looks in "/usr/lib/sasl2/sample.conf".

More information about the Freeipa-users mailing list