[libvirt-users] SASL GSSAPI error "Key table entry not found"

Daniel P. Berrange berrange at redhat.com
Wed Jun 30 17:13:15 UTC 2010


On Mon, Jun 28, 2010 at 09:40:49AM -0700, Adam Gray wrote:
> My server and client are running Ubuntu Lucid, libvirt-bin
> 0.7.5-5ubuntu27, qemu-kvm-0.12.3+noroms-0ubuntu9 and I'm using
> virt-viewer-0.0.3-6ubuntu7.xul19 or virt-manager-0.8.2-2ubuntu8 to
> connect. I configured SASL2 to use GSSAPI for libvirt following the
> instructions in the libvirt docs, created a keytab with
> libvirt/my.fully.qualified.domain@MY-REALM.COM (has a dash fwiw) and
> pointed SASL2 and libvirt at /etc/krb5.keytab (changing the location
> of that doesn't seem to work for my version, but that's no biggie).

If changing the location in /etc/sasl2/libvirt.conf doesn't
work then you likely have a broken Kerberos/SASL library.
This works in the latest versions, but for broken systems you
can work around it by setting KRB5_KTNAME=/etc/libvirt/krb5.tab
as an env variable when starting libvirtd.

> 
> So I sit on my client and run this:
> virsh -c qemu+tcp://my.fully.qualified.domain/system
> And I get this message on the client:
> error: authentication failed
> error: failed to connect to the hypervisor
> And this on the server logs:
> 16:37:35.278: error : remoteDispatchAuthSaslStart:3135 : sasl start
> failed -1 (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Key table entry not
> found))

Do you have your server hostname configured to exactly match
my.fully.qualified.domain (as per the hostname -f command), and
is that hostname present in the DNS records, both forward and
reverse lookups? Using /etc/hosts is not sufficient for Kerberos
to work IIRC.

> 
> For fun, I ran kdestroy and tried again and got this:
> error: Failed to start SASL negotiation: -1 (SASL(-1): generic
> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
> provide more information (Credentials cache file '/tmp/krb5cc_1000'
> not found))
> error: failed to connect to the hypervisor

That just says the client doesn't have a ticket so not
really of interest since you just kdestroy'd the ticket :-)

Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
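
The checks suggested in the reply above, as an added example that is not part of the original post: it compares the `hostname -f` result, the reverse DNS name and the keytab listing against the `libvirt/<fqdn>@<REALM>` principal the poster created. The function names, the `--live` switch, the use of `dig` and MIT `klist -k`, and the sample listing are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Inputs are gathered on the libvirtd host:
#   fqdn    = output of `hostname -f`
#   reverse = PTR name of the address the FQDN resolves to in DNS
#   listing = output of MIT `klist -k <keytab>`
# Realm and sample listing below are constructed for illustration.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Succeeds when the klist listing has an entry equal to the given principal.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit !found }'
}

# diagnose FQDN REVERSE REALM LISTING
# Prints one line; returns non-zero on the first problem found.
diagnose() {
    d_fqdn=$1; d_rev=${2%.}; d_want="libvirt/$1@$3"
    case $d_fqdn in
        *.*) ;;
        *) echo "hostname -f gave short name '$d_fqdn'"; return 1 ;;
    esac
    if [ "$(lower "$d_rev")" != "$(lower "$d_fqdn")" ]; then
        echo "reverse DNS '$d_rev' does not match '$d_fqdn'"; return 1
    fi
    if ! keytab_has_principal "$4" "$d_want"; then
        echo "keytab has no entry for $d_want"; return 1
    fi
    echo "ok: $d_want"
}

# Constructed sample of `klist -k /etc/krb5.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 libvirt/my.fully.qualified.domain@MY-REALM.COM'

# Live check on the server: sh check.sh --live MY-REALM.COM
if [ "${1:-}" = "--live" ]; then
    fqdn=$(hostname -f)
    addr=$(dig +short "$fqdn" A | tail -n 1)
    diagnose "$fqdn" "$(dig +short -x "$addr")" "$2" "$(klist -k /etc/krb5.keytab)"
fi
```

The live branch queries DNS directly with `dig`, so an entry that exists only in /etc/hosts does not satisfy the reverse-lookup check.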



