[Freeipa-users] GSSAPI authentication for libvirt VNC

Rich Megginson rmeggins at redhat.com
Tue Sep 1 14:10:35 UTC 2015


On 09/01/2015 07:30 AM, Brendan Kearney wrote:
> On 08/30/2015 12:49 PM, Marin Bernard wrote:
>> Hi,
>>
>> I followed the instructions from freeipa.org (
>> https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make libvirt
>> and VNC use GSSAPI authentication with FreeIPA. The libvirt part works
>> fine: I'm able to SSO the KVM host using TCP + SASL. However, I'm
>> unable to get a VNC connection to any guest: both virt-manager and virt
>> -viewer fail. The former speaks about a "closed or refused connection",
>> and the latter just closes.
>>
>>
>> On the KVM host, each VNC login attempt adds the following record to
>> the systemd journal:
>>
>>     qemu-kvm[3202]: GSSAPI server step 1
>>
>>
>> On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
>> correct to me:
>>
>>     # ps -aux | grep qemu-kvm
>>
>>     <snip> -vnc 0.0.0.0:0,sasl <snip>
>>
>>
>> QEMU may read the VNC keytab
>>
>>     $ ls -l /etc/qemu/
>>     total 4
>>     -rw-------. 1 qemu root 458 30 août  15:48 krb5.tab
>>
>>
>> Contents of /etc/sasl2/qemu-kvm.conf (comments removed)
>>
>>     mech_list: gssapi
>>     keytab: /etc/qemu/krb5.tab
>>
>>
>> The client seems to grab correct tickets:
>>
>>     $ klist
>>     Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
>>     Default principal: marin at CLOUD.OLIVARIM.COM
>>
>>     Valid starting       Expires              Service principal
>>     30/08/2015 16:11:22  31/08/2015 15:34:53 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
>>     30/08/2015 16:08:12  31/08/2015 15:34:53 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
>>
>> KVM Host is Centos 7.2, up to date.
>>
>> FreeIPA server is Centos 7.2, up to date, with FreeIPA 4.1.0 rev.
>> 18.el7.centos.4
>>
>> Client is Fedora 22, up to date.
>>
>> I tried to disable both the firewall and SELinux but it did not change
>> anything.
>>
>> Do you have any clues?
>>
>> Thanks!
>>
>> Marin.
>>
> my /etc/sasl2/qemu.conf (note the different file name, may be relevant*):
>
> mech_list: gssapi
> keytab: /etc/qemu/qemu.keytab
> sasldb_path: /etc/qemu/passwd.db
> auxprop_plugin: sasldb
>
> my /etc/sasl2/libvirt.conf:
>
> mech_list: gssapi
> keytab: /etc/libvirt/libvirt.keytab
>
> my /etc/qemu/qemu.keytab file has the principal used/needed for VNC 
> (vnc/host.domain.tld at REALM).  you can check yours with "klist -Kket 
> /path/to/qemu.keytab"
>
> my /etc/libvirt/libvirt.keytab file has the principal used/needed for 
> virt-manager or virsh console (libvirt/host.domain.tld at REALM). you can 
> check yours with "klist -Kket /path/to/libvirt.keytab"
>
> * the name of the file in /etc/sasl2/ is tied to the name of the 
> application.  find the sysadmin.html page for Cyrus-SASL-libs, which 
> states:
>
> By default, the Cyrus SASL library reads its options from 
> /usr/lib/sasl2/App.conf (where "App" is the application defined name 
> of the application). For instance, Sendmail reads its configuration 
> from "/usr/lib/sasl2/Sendmail.conf" and the sample server application 
> included with the library looks in "/usr/lib/sasl2/sample.conf".

It is the appname argument of sasl_server_init(3):

sasl_server_init(3)             SASL man pages sasl_server_init(3)

NAME
        sasl_server_init - SASL server authentication initialization

SYNOPSIS
        #include <sasl/sasl.h>

        int sasl_server_init(const sasl_callback_t *callbacks,
                             const char *appname);

DESCRIPTION
        sasl_server_init() initializes SASL. It must be called before any calls
        to sasl_server_start, and only once per process.  This call initializes
        all SASL mechanism drivers (e.g. authentication mechanisms). These are
        usually found in the /usr/lib/sasl2 directory but the directory may be
        overridden with the SASL_PATH environment variable (or at compile
        time).

        callbacks specifies the base callbacks for all client connections.  See
        the sasl_callbacks man page for more information.

        appname is the name of the application. It is used for where to find
        the default configuration file.
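A small checker for the pieces the thread walks through (config file named after the appname, mech_list, keytab option, and the vnc/ principal inside the keytab), added here as an example; it is not code from the thread, QEMU or libvirt. The /etc/sasl2 contents, the `klist -ket` output, the appname "qemu" and the host/realm names are all constructed inline and are assumptions, so the checker can be run offline on the sample data.

```python
import re

# Constructed sample inputs (not from the thread): the files in /etc/sasl2 as
# {filename: contents}, and the output of `klist -ket` on the VNC keytab.
SASL_DIR = {
    "qemu.conf": "mech_list: gssapi\nkeytab: /etc/qemu/qemu.keytab\n",
    "libvirt.conf": "mech_list: gssapi\nkeytab: /etc/libvirt/libvirt.keytab\n",
}
KEYTAB_LISTING = """Keytab name: FILE:/etc/qemu/qemu.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/30/2015 15:48:01 vnc/kvm01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 08/30/2015 15:48:01 vnc/kvm01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

def parse_sasl_conf(text):
    """Parse the 'key: value' lines of a Cyrus SASL app config; '#' comments ignored."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def keytab_principals(listing):
    """Return the set of principals that appear in `klist -ket` output."""
    principals = set()
    for line in listing.splitlines():
        # KVNO, date, time, then principal@REALM (encryption type follows).
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)", line)
        if m:
            principals.add(m.group(1))
    return principals

def check_vnc_gssapi(sasl_dir, appname, keytab_listing, fqdn, realm):
    """Return the list of problems found; an empty list means the pieces line up."""
    problems = []
    conf = sasl_dir.get(appname + ".conf")
    if conf is None:
        # Cyrus SASL looks for <appname>.conf, appname being the sasl_server_init argument.
        return ["no %s.conf in /etc/sasl2 (file name must match the appname)" % appname]
    opts = parse_sasl_conf(conf)
    if "gssapi" not in opts.get("mech_list", "").lower().split():
        problems.append("mech_list does not offer gssapi")
    if not opts.get("keytab"):
        problems.append("no keytab option, so the GSSAPI plugin has no service key")
    want = "vnc/%s@%s" % (fqdn, realm)
    if want not in keytab_principals(keytab_listing):
        problems.append("keytab lacks principal " + want)
    return problems
```

Running it against the real host means replacing the two constructed inputs with the actual files and the output of klist -ket on the keytab named in the config.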
