[Freeipa-users] [libvirt-users] libvirt with vnc freeipa
Natxo Asenjo
natxo.asenjo at gmail.com
Fri Nov 30 15:16:56 UTC 2012
On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
>> hi,
>>
>> sasl_allowed_username_list = ["admin at IPA.EXAMPLE.COM" ]
>>
>> if I leave this field commented out (default setting), everybody can
>> manage the kvm host.
>
> Oh it isn't very obvious, but in this log message:
>
>> >> > 2012-11-30 12:00:53.403+0000: 7786: error :
>> >> > virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
>
> 'admin' is the identity being matched against.
>
> We ought to quote that string int he log message to make it more
> obvious.
>
> So I guess SASL/GSSAPI is not giving us back the REALM, just
> the username
>
> So you need to change your whitelist to leave out the realm.
Bingo!
Thanks. If I may just hijack this thread: is it possible to whitelist
groups instead of individual users to use virsh/virtual manager?
I know sasl only deals with the authentication stuff, buy here you are
also authorizing in the whitelist. If this authorization could go
further to allow ipa groups, that would be ideal from an admin point
of view ;-)
--
groet,
natxo
More information about the Freeipa-users
mailing list