[Freeipa-users] GSSAPI authentication for libvirt VNC
Marin Bernard
lists at olivarim.com
Sat Sep 5 09:47:45 UTC 2015
Hi,
Thanks a lot for answering me.
On Tuesday, 1 September 2015 at 09:30 -0400, Brendan Kearney wrote:
> On 08/30/2015 12:49 PM, Marin Bernard wrote:
> > Hi,
> >
> > I followed the instructions from freeipa.org
> > (https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make libvirt
> > and VNC use GSSAPI authentication with FreeIPA. The libvirt part works
> > fine: I'm able to SSO the KVM host using TCP + SASL. However, I'm
> > unable to get a VNC connection to any guest: both virt-manager and
> > virt-viewer fail. The former speaks about a "closed or refused
> > connection", and the latter just closes.
> >
> >
> > On the KVM host, each VNC login attempt adds the following record to
> > the systemd journal:
> >
> > qemu-kvm[3202]: GSSAPI server step 1
> >
> >
> > On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
> > correct to me:
> >
> > # ps -aux | grep qemu-kvm
> >
> > <snip> -vnc 0.0.0.0:0,sasl <snip>
> >
> >
> > QEMU can read the VNC keytab:
> >
> > $ ls -l /etc/qemu/
> > total 4
> > -rw-------. 1 qemu root 458 30 Aug 15:48 krb5.tab
> >
> >
> > Contents of /etc/sasl2/qemu-kvm.conf (comments removed)
> >
> > mech_list: gssapi
> > keytab: /etc/qemu/krb5.tab
> >
> >
> > The client seems to grab correct tickets:
> >
> > $ klist
> > Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
> > Default principal: marin@CLOUD.OLIVARIM.COM
> >
> > Valid starting       Expires              Service principal
> > 30/08/2015 16:11:22  31/08/2015 15:34:53  vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM
> > 30/08/2015 16:08:12  31/08/2015 15:34:53  libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM
> >
> > KVM host is CentOS 7.2, up to date.
> >
> > FreeIPA server is CentOS 7.2, up to date, with FreeIPA 4.1.0 rev. 18.el7.centos.4
> >
> > Client is Fedora 22, up to date.
> >
> > I tried to disable both the firewall and SELinux but it did not
> > change anything.
> >
> > Do you have any clues ?
> >
> > Thanks!
> >
> > Marin.
> >
> my /etc/sasl2/qemu.conf (note the different file name, may be
> relevant*):
I had already tried to rename the file to 'qemu.conf', but it didn't
make any difference. Note that on CentOS 7.2, the file is named
'qemu-kvm.conf' by default.
>
> mech_list: gssapi
> keytab: /etc/qemu/qemu.keytab
> sasldb_path: /etc/qemu/passwd.db
> auxprop_plugin: sasldb
>
My '/etc/sasl2/qemu.conf' file has the same content as yours, except my
keytab is named 'krb5.conf'.
> my /etc/sasl2/libvirt.conf:
>
> mech_list: gssapi
> keytab: /etc/libvirt/libvirt.keytab
>
Libvirt GSSAPI works fine for me. My '/etc/sasl2/libvirt.conf' has the
same config as yours, except for the keytab name.
> my /etc/qemu/qemu.keytab file has the principal used/needed for VNC
> (vnc/host.domain.tld@REALM). you can check yours with "klist -Kket
> /path/to/qemu.keytab"
>
Done. Keytab is valid:
$ sudo klist -Kket qemu/krb5.tab
Keytab name: FILE:qemu.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------------
   3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (aes256-cts-hmac-sha1-96)
   3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (aes128-cts-hmac-sha1-96)
   3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (des3-cbc-sha1)
   3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (arcfour-hmac)
> my /etc/libvirt/libvirt.keytab file has the principal used/needed for
> virt-manager or virsh console (libvirt/host.domain.tld@REALM). you
> can check yours with "klist -Kket /path/to/libvirt.keytab"
Done too. The keytab is valid and GSSAPI works fine with it:
$ sudo klist -Kket libvirt/krb5.tab
Keytab name: FILE:libvirt/krb5.tab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------------
   3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (aes256-cts-hmac-sha1-96)
   3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (aes128-cts-hmac-sha1-96)
   3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (des3-cbc-sha1)
   3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (arcfour-hmac)
> * the name of the file in /etc/sasl2/ is tied to the name of the
> application. find the sysadmin.html page for Cyrus-SASL-libs, which
> states:
>
> By default, the Cyrus SASL library reads its options from
> /usr/lib/sasl2/App.conf (where "App" is the application defined name of
> the application). For instance, Sendmail reads its configuration from
> "/usr/lib/sasl2/Sendmail.conf" and the sample server application
> included with the library looks in "/usr/lib/sasl2/sample.conf".
>
Here are the contents of my '/etc/sasl2/' directory after I ran
'restorecon':
[marin@nice-hkvm-ctrl-01 sasl2]$ ls -lZ
-rw-r--r--. root root system_u:object_r:etc_t:s0 libvirt.conf
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 qemu.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 qemu-kvm.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 smtpd.conf
'qemu.conf' and 'qemu-kvm.conf' are identical copies. SELinux seems to
stick to the default file name ('qemu-kvm.conf') and to have no knowledge
of 'qemu.conf'. Anyway, as SELinux is disabled, this should not be a
problem.
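Added example, not part of the thread and not code from QEMU, libvirt or FreeIPA: a small shell script that checks the three things the two replies above compare on a KVM host, namely the Cyrus SASL application config for qemu (mech_list and keytab), the vnc/ principal in that keytab as printed by klist, and the ,sasl option on the -vnc argument libvirt passes to qemu. The parsing is split into functions that read stdin, so they can be exercised offline on the constructed sample inputs at the bottom; the host and realm names, the /etc/sasl2/qemu-kvm.conf file name (the CentOS 7 default mentioned above), the 'qemu' file owner and the qemu binary names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from QEMU/libvirt/FreeIPA.
# Offline-testable sanity checks for a QEMU VNC + GSSAPI (Cyrus SASL) setup:
# the SASL application config, the vnc/ principal in the keytab, and the
# -vnc ...,sasl option libvirt adds when vnc_sasl = 1 in /etc/libvirt/qemu.conf.
# Host names, paths and the 'qemu' owner below are assumptions.

# Parse a Cyrus SASL application config from stdin. Succeeds and prints the
# keytab path only if mech_list contains gssapi and a keytab is named.
sasl_conf_keytab() {
    local conf mech keytab
    conf=$(sed 's/#.*//')                      # drop comments
    mech=$(printf '%s\n' "$conf" | awk -F':' '$1 == "mech_list" { sub(/^[ \t]+/, "", $2); print $2 }')
    keytab=$(printf '%s\n' "$conf" | awk -F':' '$1 == "keytab" { sub(/^[ \t]+/, "", $2); print $2 }')
    case " $mech " in
        *" gssapi "*) ;;
        *) echo "mech_list does not allow gssapi (got '$mech')" >&2; return 1 ;;
    esac
    [ -n "$keytab" ] || { echo "no keytab directive in SASL config" >&2; return 1; }
    printf '%s\n' "$keytab"
}

# Scan `klist -kte` output from stdin for an exact principal name. The
# principal is whichever whitespace-separated field equals the wanted name,
# so this works with or without the -K key column.
keytab_lists_principal() {
    awk -v want="$1" '{ for (i = 1; i <= NF; i++) if ($i == want) found = 1 } END { exit !found }'
}

# Check a qemu command line from stdin (e.g. one line of `ps -eo args`) for a
# -vnc display that carries the sasl option.
qemu_vnc_sasl_enabled() {
    grep -Eq -- '-vnc [^ ]*,sasl(,| |$)'
}

# Live check, run as root on the KVM host. Arguments: host FQDN and realm.
# Reads the CentOS 7 default file name mentioned in the reply above.
check_host() {
    local fqdn=$1 realm=$2 conf=/etc/sasl2/qemu-kvm.conf keytab owner_mode
    keytab=$(sasl_conf_keytab < "$conf") || return 1
    # The keytab must belong to the qemu user and be readable by nobody else
    # (GNU stat; the 'qemu' user name is an assumption).
    owner_mode=$(stat -c '%U %a' "$keytab")
    case "$owner_mode" in
        "qemu 600" | "qemu 400") ;;
        *) echo "unexpected owner/mode on $keytab: $owner_mode" >&2; return 1 ;;
    esac
    klist -kte "$keytab" | keytab_lists_principal "vnc/$fqdn@$realm" \
        || { echo "vnc/$fqdn@$realm is not in $keytab" >&2; return 1; }
    ps -eo args | grep -E '(^|/)qemu-(kvm|system-[^ ]+) ' | qemu_vnc_sasl_enabled \
        || { echo "no running qemu with -vnc ...,sasl" >&2; return 1; }
    echo "VNC SASL/GSSAPI setup on $fqdn looks consistent"
}

# Constructed inputs (not from the thread) so the parsers can be tried offline.
GOOD_CONF='mech_list: gssapi
keytab: /etc/qemu/krb5.tab'
# Password-only SASL config: GSSAPI single sign-on can never succeed with it.
BAD_CONF='mech_list: digest-md5
sasldb_path: /etc/qemu/passwd.db
auxprop_plugin: sasldb'
KLIST_OUT='Keytab name: FILE:/etc/qemu/krb5.tab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/30/2015 18:12:20 vnc/kvm01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 08/30/2015 18:12:20 vnc/kvm01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'
QEMU_CMD_SASL='/usr/libexec/qemu-kvm -name guest1 -vnc 0.0.0.0:0,sasl -k fr'
QEMU_CMD_PLAIN='/usr/libexec/qemu-kvm -name guest1 -vnc 0.0.0.0:0 -k fr'

# Run the live checks only when invoked with both arguments, e.g.
#   ./vnc_sasl_check.sh kvm01.example.com EXAMPLE.COM
if [ "$#" -ge 2 ]; then
    check_host "$1" "$2"
fi
```

Without arguments the script only defines the functions and sample data; with a host FQDN and realm it runs the live checks as root. Because the Cyrus SASL file name is tied to the application name, as the quoted sysadmin page says, the script reads qemu-kvm.conf rather than qemu.conf; change conf= if your QEMU build looks for a different name.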