[Freeipa-users] GSSAPI authentication for libvirt VNC

Simo Sorce simo at redhat.com
Sat Sep 5 14:09:39 UTC 2015


On Sat, 2015-09-05 at 14:34 +0200, Marin Bernard wrote:
> Hi again,
> 
> I finally got it working. It appears VNC looks for a file named
> 'spice.conf' in '/etc/sasl2'. On CentOS 7.2, symlinking
> '/etc/sasl2/spice.conf' to '/etc/sasl2/qemu-kvm.conf' is enough:
> 
> $ ls -l /etc/sasl2
> total 12
> -rw-r--r--. 1 root root 1278 30 août  15:50 libvirt.conf
> -rw-r--r--. 1 root root 1291  5 sept. 14:12 qemu-kvm.conf
> -rw-r--r--. 1 root root   49 10 juin   2014 smtpd.conf
> lrwxrwxrwx. 1 root root   13  5 sept. 14:15 spice.conf -> qemu-kvm.conf
> 
> Of course, a 'vnc.conf' symlink won't work. It has to be named
> 'spice.conf' even if you don't use Spice.
> 
> I think this should be documented somewhere. The freeipa.org VNC howto
> seems like a good place to mention it.

It would be nice if you could log into the wiki and add a note.
If you have issues with that just send me a pvt email with the text
you'd add and I'll make the change.

Thanks,
Simo.

> Thanks to Brendan and Rich for helping me to find this out.
> 
> Marin.
> 
> > On Saturday, 05 September 2015 at 11:47 +0200, Marin Bernard wrote:
> > Hi,
> > 
> > Thanks a lot for answering me.
> > 
> > > On Tuesday, 01 September 2015 at 09:30 -0400, Brendan Kearney wrote:
> > > On 08/30/2015 12:49 PM, Marin Bernard wrote:
> > > > Hi,
> > > > 
> > > > I followed the instructions from freeipa.org
> > > > (https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make
> > > > libvirt and VNC use GSSAPI authentication with FreeIPA. The libvirt
> > > > part works fine: I'm able to SSO to the KVM host using TCP + SASL.
> > > > However, I'm unable to get a VNC connection to any guest: both
> > > > virt-manager and virt-viewer fail. The former speaks about a "closed
> > > > or refused connection", and the latter just closes.
> > > > 
> > > > 
> > > > On the KVM host, each VNC login attempt adds the following record
> > > > to the systemd journal:
> > > > 
> > > > 	qemu-kvm[3202]: GSSAPI server step 1
> > > > 
> > > > 
> > > > On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
> > > > correct to me:
> > > > 
> > > > 	# ps -aux | grep qemu-kvm
> > > > 	
> > > > 	<snip> -vnc 0.0.0.0:0,sasl <snip>
> > > > 
> > > > 
> > > > QEMU may read the VNC keytab
> > > > 
> > > > 	$ ls -l /etc/qemu/
> > > > 	total 4
> > > > 	-rw-------. 1 qemu root 458 30 août  15:48 krb5.tab
> > > > 
> > > > 
> > > > Contents of /etc/sasl2/qemu-kvm.conf (comments removed)
> > > > 
> > > > 	mech_list: gssapi
> > > > 	keytab: /etc/qemu/krb5.tab
> > > > 
> > > > 
> > > > The client seems to grab correct tickets:
> > > > 
> > > > 	$ klist
> > > > 	Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
> > > > 	Default principal: marin@CLOUD.OLIVARIM.COM
> > > > 
> > > > 	Valid starting       Expires              Service principal
> > > > 	30/08/2015 16:11:22  31/08/2015 15:34:53  vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM
> > > > 	30/08/2015 16:08:12  31/08/2015 15:34:53  libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM
> > > > 
> > > > KVM Host is Centos 7.2, up to date.
> > > > 
> > > > FreeIPA server is Centos 7.2, up to date, with FreeIPA 4.1.0 rev.
> > > > 18.el7.centos.4
> > > > 
> > > > Client is Fedora 22, up to date.
> > > > 
> > > > I tried to disable both the firewall and SELinux but it did not
> > > > change anything.
> > > > 
> > > > Do you have any clues ?
> > > > 
> > > > Thanks!
> > > > 
> > > > Marin.
> > > > 
> > > my /etc/sasl2/qemu.conf (note the different file name, may be
> > > relevant*):
> > 
> > I had already tried to rename the file to 'qemu.conf', but it didn't
> > make any difference. Note that on CentOS 7.2, the file is named
> > 'qemu-kvm.conf' by default.
> > 
> > > 
> > > mech_list: gssapi
> > > keytab: /etc/qemu/qemu.keytab
> > > sasldb_path: /etc/qemu/passwd.db
> > > auxprop_plugin: sasldb
> > > 
> > 
> > My '/etc/sasl2/qemu.conf' file has the same content as yours, except
> > my keytab is named 'krb5.conf'.
> > 
> > > my /etc/sasl2/libvirt.conf:
> > > 
> > > mech_list: gssapi
> > > keytab: /etc/libvirt/libvirt.keytab
> > > 
> > 
> > Libvirt GSSAPI works fine for me. My '/etc/sasl2/libvirt.conf' has
> > the same config as yours, except for the keytab name.
> > 
> > > my /etc/qemu/qemu.keytab file has the principal used/needed for VNC
> > > (vnc/host.domain.tld@REALM). You can check yours with "klist -Kket
> > > /path/to/qemu.keytab".
> > > 
> > 
> > Done. Keytab is valid:
> > 
> > $ sudo klist -Kket qemu/krb5.tab
> > Keytab name: FILE:qemu.keytab
> > KVNO Timestamp           Principal
> > ---- ------------------- ------------------------------------------------------------
> >    3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (aes256-cts-hmac-sha1-96)
> >    3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (aes128-cts-hmac-sha1-96)
> >    3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (des3-cbc-sha1)
> >    3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (arcfour-hmac)
> > 
> > > my /etc/libvirt/libvirt.keytab file has the principal used/needed for
> > > virt-manager or virsh console (libvirt/host.domain.tld@REALM). You can
> > > check yours with "klist -Kket /path/to/libvirt.keytab".
> > 
> > Done too. The keytab is valid and GSSAPI works fine with it:
> > 
> > $ sudo klist -Kket libvirt/krb5.tab
> > Keytab name: FILE:libvirt/krb5.tab
> > KVNO Timestamp           Principal
> > ---- ------------------- ------------------------------------------------------------
> >    3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (aes256-cts-hmac-sha1-96)
> >    3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (aes128-cts-hmac-sha1-96)
> >    3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (des3-cbc-sha1)
> >    3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com@CLOUD.OLIVARIM.COM (arcfour-hmac)
> > 
> > > * the name of the file in /etc/sasl2/ is tied to the name of the
> > > application. Find the sysadmin.html page for Cyrus-SASL-libs, which
> > > states:
> > > 
> > > By default, the Cyrus SASL library reads its options from
> > > /usr/lib/sasl2/App.conf (where "App" is the application defined name
> > > of the application). For instance, Sendmail reads its configuration
> > > from "/usr/lib/sasl2/Sendmail.conf" and the sample server application
> > > included with the library looks in "/usr/lib/sasl2/sample.conf".
> > > 
> > 
> > Here are the contents of my '/etc/sasl2/' directory after I ran
> > 'restorecon':
> > 
> > [marin@nice-hkvm-ctrl-01 sasl2]$ ls -lZ
> > -rw-r--r--. root root system_u:object_r:etc_t:s0       libvirt.conf
> > -rw-r--r--. root root unconfined_u:object_r:etc_t:s0   qemu.conf
> > -rw-r--r--. root root system_u:object_r:etc_t:s0       qemu-kvm.conf
> > -rw-r--r--. root root system_u:object_r:etc_t:s0       smtpd.conf
> > 
> > 'qemu.conf' and 'qemu-kvm.conf' are identical copies. SELinux seems to
> > stick to the default file name ('qemu-kvm.conf') and have no knowledge
> > of 'qemu.conf'. Anyway, as SELinux is disabled, this should not be a
> > problem.
> > 
> 


-- 
Simo Sorce * Red Hat, Inc * New York
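The fix in this thread turns on how Cyrus SASL locates a per-application config: the library opens SASLDIR/<App>.conf, so the file name has to match whatever name the program registers with the library, not the name that looks natural to an admin (the thread tries qemu-kvm.conf and qemu.conf before spice.conf works). The shell functions below are an added example, not code from the thread or from libvirt, QEMU or FreeIPA. They check only what the thread shows: that a config exists under the requested application name (a symlink such as spice.conf -> qemu-kvm.conf counts), that its mech_list includes gssapi, and that the keytab it names exists and is not readable by group or other. The SASL directory, application name and keytab path are taken as arguments; the klist principal check is the one function that needs MIT krb5 installed.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a Cyrus SASL
# per-application config the way the library finds it, SASLDIR/<app>.conf.
# Usage: check_vnc_sasl /etc/sasl2 spice   (or qemu-kvm, qemu, libvirt ...)

# Print the keytab path named in SASLDIR/<app>.conf.
# Returns 1 if no such file exists (test -f follows symlinks, as the
# library does), 2 if the file has no "keytab:" line.
sasl_app_keytab() {
    conf="$1/$2.conf"
    [ -f "$conf" ] || return 1
    # drop the "keytab:" key and surrounding whitespace; first match wins
    kt=$(sed -n 's/^[[:space:]]*keytab:[[:space:]]*//p' "$conf" | head -n 1)
    [ -n "$kt" ] || return 2
    printf '%s\n' "$kt"
}

# Succeed only if the mech_list line of SASLDIR/<app>.conf includes gssapi.
sasl_app_has_gssapi() {
    conf="$1/$2.conf"
    [ -f "$conf" ] || return 1
    grep -Ei '^[[:space:]]*mech_list:' "$conf" \
        | grep -Eiq '(^|[[:space:]:])gssapi([[:space:]]|$)'
}

# File-level checks to run on the KVM host before blaming Kerberos.
# Exit codes: 0 ok, 1 no usable config, 2 gssapi not enabled,
# 3 keytab missing, 4 keytab readable by group or other.
check_vnc_sasl() {
    sasldir=$1
    app=$2
    kt=$(sasl_app_keytab "$sasldir" "$app") || {
        echo "$app: no usable $sasldir/$app.conf" >&2; return 1; }
    sasl_app_has_gssapi "$sasldir" "$app" || {
        echo "$app: gssapi not in mech_list of $sasldir/$app.conf" >&2; return 2; }
    [ -f "$kt" ] || { echo "$app: keytab $kt missing" >&2; return 3; }
    # The keytab holds long-term service keys; anyone but the owner being
    # able to read it is a finding (the thread shows -rw------- qemu root).
    if [ -n "$(find "$kt" \( -perm -g+r -o -perm -o+r \) -print)" ]; then
        echo "$app: keytab $kt is readable by group or other" >&2; return 4
    fi
    echo "$app: ok, keytab $kt" >&2
}

# Confirm the keytab holds the principal the client requests a ticket for,
# e.g. keytab_has_principal /etc/qemu/krb5.tab vnc/kvm.example.com
# (hypothetical host name). Needs MIT krb5 klist; not exercised offline.
keytab_has_principal() {
    klist -kt "$1" | grep -Fq "$2"
}

if [ $# -eq 2 ]; then
    check_vnc_sasl "$1" "$2"
fi
```

Run it once per name the application might use (spice, qemu-kvm, qemu) and the first name that returns 0 is the one the SASL library will actually honour on that host; a name that returns 1 is simply invisible to the library, which matches the silent "GSSAPI server step 1" failure the thread started from.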
