[libvirt-users] libvirtd + vir-manager + kerberos
Daniel P. Berrange
berrange at redhat.com
Fri Jan 28 11:07:08 UTC 2011
On Fri, Jan 28, 2011 at 12:59:28AM +0100, Thomas Schweikle wrote:
> Hi!
>
> Having two hosts installed with libvirtd, kvm, qemu on (Ubuntu
> 10.10). Now I have one big problem and one less:
>
> I have set up kerberos for both hosts. Created the principal
> "libvirt/srv1.example.org at EXAMPLE.ORG" and
> "libvirt/srv2.example.org at EXAMPLE.ORG", Exported the krb5.keytab,
> Installed it and tested the servers:
>
> srv1.example.org: I can connect using kerberos after acquiring a
> ticket with kinit.
>
> srv2.example.org: I am asked for user and password. Setup seems to
> be identical. Is there a way to debug, what is going on on this
> server? I'd like to have both respect kerberos and allow logging in
> with no password it already authenticated!
>
> Here is what I've set up:
> /etc/sasl2/libvirt.conf
> listen_tls = 0
> listen_tcp = 1
> mdns_adv = 0
> auth_unix_ro = "none"
> auth_unix_rw = "none"
> auth_tcp = "sasl"
>
> /etc/sasl2/libvirt.conf
> mech_list: gssapi
> keytab: /etc/libvirt/krb5.kqemu
> sasldb_path: /etc/libvirt/passwd.db
>
> I start libvirtd with:
> KRB5_KTNAME=/etc/libvirt/krb5.kqemu
> /usr/sbin/libvirtd -d --listen
>
> In virt-manager I've set both hosts:
> qemu+tcp://srv1.example.org
> qemu+tcp://srv2.example.org
>
> Since both configs are identical (I've ran diff on them) I am a bit
> lost at the moment. I do not have any idea why it works for one
> host, but not the other. Any ideas?
Also check file permissions and make sure you've restarted
libvirtd. Also make sure /etc/hosts is accurate and that
the name reported by 'hostname' command resolves to a real
IP address (ie not 127.0.0.1), and that the IP address
resolves back to the original hostname.
You can set LIBVIRT_DEBUG=1 for virsh, and similar for
libvirtd in /etc/libvirt/libvirtd.conf to see verbose
debugging.
Also 'klist' on the client will show whether the client
ever even started kerberos for the host in question - you
should see the host's ticket present
Daniel
More information about the libvirt-users
mailing list