[libvirt] polkit auth issue

Jim Fehlig jfehlig at novell.com
Thu Nov 18 05:53:56 UTC 2010

I'm trying to debug a PolicyKit auth issue in libvirt and looking for
some suggestions.

Server has the following policy for user ski52 in
/etc/PolicyKit/PolicyKit.conf :

<match action="org.libvirt.unix.manage">
  <match user="ski52">
    <return result="auth_self_keep_always"/>
  </match>
</match>

I can authenticate via polkit when logged directly into the server via ssh
as ski52:

ski52@vhost52:~> virsh -c qemu:///system list
Attempting to obtain authorization for org.libvirt.unix.manage.
Authentication is required.
Successfully obtained the authorization for org.libvirt.unix.manage.
 Id Name                 State
 33 vm1                   running

But when using qemu+ssh remotely:

ski53@vhost53:~> virsh -c qemu+ssh://ski52@vhost52/system list
Attempting to obtain authorization for org.libvirt.unix.manage.
Authentication as an administrative user is required.
polkit-grant-helper-pam: pam_authenticated failed: Authentication failure
Failed to obtain authorization for org.libvirt.unix.manage.
error: authentication failed
error: failed to connect to the hypervisor

AFAICT by tracing with gdb, the client calls polkit-auth *locally* when
authentication is needed, instead of invoking polkit-auth on the
server.  This backtrace from gdb on the client machine shows
'polkit-auth --obtain' being called locally from virConnectAuthGainPolkit()

#0  virConnectAuthGainPolkit (privilege=0x7ffff7b8b3ba "org.libvirt.unix.manage") at libvirt.c:111
#1  0x00007ffff7a912a3 in virConnectAuthCallbackDefault (cred=0x7fffffffdd20, ncred=1, cbdata=0x0)
    at libvirt.c:149
#2  0x00007ffff7ac367f in remoteAuthPolkit (conn=0x63ec10, priv=0x7ffff7e25010, in_open=1,
    auth=0x7ffff7dc9bc0) at remote/remote_driver.c:7431
#3  0x00007ffff7ac1d8d in remoteAuthenticate (conn=0x63ec10, priv=0x7ffff7e25010, in_open=1,
    auth=0x7ffff7dc9bc0, authtype=0x0) at remote/remote_driver.c:6864
#4  0x00007ffff7ab5936 in doRemoteOpen (conn=0x63ec10, priv=0x7ffff7e25010, auth=0x7ffff7dc9bc0, flags=0)
    at remote/remote_driver.c:854

Has anyone else observed such behavior?  Any hints on how to forward the
polkit-auth call to the server?  Both client and server are libvirt
0.8.5 btw.


