[libvirt-users] [Freeipa-users] libvirt with vnc freeipa

Natxo Asenjo natxo.asenjo at gmail.com
Fri Nov 30 14:56:14 UTC 2012


hi,

sasl_allowed_username_list = ["admin@IPA.EXAMPLE.COM" ]

if I leave this field commented out (default setting), everybody can
manage the kvm host.
--
Groeten,
natxo


On Fri, Nov 30, 2012 at 3:42 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> On Fri, Nov 30, 2012 at 09:25:34AM -0500, Simo Sorce wrote:
>> Hi Natxo,
>>
>> On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote:
>> > hi,
>> >
>> > I'm following the howto on
>> > http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate
>> > users for virsh with ipa.
>> >
>> > I have it mostly working :-) except for the fact that libvirtd is not
>> > respecting the sasl_allowed_username_list parameter.
>> >
>> > If I do not set it, and I have a realm ticket, then I may login virsh
>> > or virtual manager and I get tickets for libvirt/vnc services.
>> >
>> > If I do set it, then it tells me the client is not in the whitelist,
>> > so I cannot log in :-)
>
> That indicates the client identity is not matching against the whitelist.
> What are you setting it to ?
>
>> > 2012-11-30 12:00:53.403+0000: 7786: error :
>> > virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
>> > whitelist
>> > 2012-11-30 12:00:53.403+0000: 7786: error :
>> > virNetSASLContextCheckIdentity:150 : Client's username is not on the
>> > list of allowed clients
>> > 2012-11-30 12:00:53.403+0000: 7786: error :
>> > remoteDispatchAuthSaslStep:2447 : authentication failed:
>> > authentication failed
>> > 2012-11-30 12:00:53.415+0000: 7781: error : virNetSocketReadWire:999 :
>> > End of file while reading data: Input/output error
>> >
>> > Is this a question for the libvirt folks or is it ok to post it here?
>>
>> Seems more like a libvirt or maybe even a cyrus-sasl question but I would
>> be interested in knowing what is going on.
>>
>> Have you used a full principal name including the realm in the list, or
>> just the bare user names ?
>
> Daniel
> --
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org              -o-             http://virt-manager.org :|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
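An added example, not part of the original thread and not libvirt's own code: it pulls the rejected identity out of the quoted log line and checks it against the whitelist entry from the message. The matching rule is an assumption (shell-style wildcards, as the comments in libvirtd.conf describe for this option), and the function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: two of the log lines quoted in the thread, rejoined
# onto single lines.
SAMPLE_LOG = """\
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in whitelist
2012-11-30 12:00:53.403+0000: 7786: error : remoteDispatchAuthSaslStep:2447 : authentication failed: authentication failed
"""

REJECT_RE = re.compile(r"SASL client (\S+) not allowed in whitelist")


def rejected_identities(log_text):
    """Return the SASL identities reported as rejected, in log order."""
    return REJECT_RE.findall(log_text)


def identity_allowed(identity, whitelist):
    """Model of the whitelist decision (assumption: fnmatch-style globs).

    whitelist=None models the option left commented out: there is no ACL,
    so every identity that completes SASL authentication is accepted.
    """
    if whitelist is None:
        return True
    return any(fnmatchcase(identity, pattern) for pattern in whitelist)


def explain(identity, whitelist):
    """Say why an identity passes or fails, flagging realm-form mismatches."""
    if whitelist is None:
        return "allowed: no whitelist configured"
    if identity_allowed(identity, whitelist):
        return "allowed: matches whitelist"
    user = identity.split("@", 1)[0]
    # Entries naming the same user but written with a different @REALM form.
    near = [p for p in whitelist if p.split("@", 1)[0] == user]
    if near:
        return "denied: realm form differs from " + ", ".join(near)
    return "denied: no similar entry"


if __name__ == "__main__":
    # The entry from the message; the list archive renders '@' as ' at '.
    configured = ["admin@IPA.EXAMPLE.COM"]
    for ident in rejected_identities(SAMPLE_LOG):
        print(ident, "->", explain(ident, configured))
```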