Adam Gray
2010-Jun-28 16:40 UTC
[libvirt-users] SASL GSSAPI error "Key table entry not found"
My server and client are running Ubuntu Lucid, libvirt-bin 0.7.5-5ubuntu27, qemu-kvm-0.12.3+noroms-0ubuntu9 and I'm using virt-viewer-0.0.3-6ubuntu7.xul19 or virt-manager-0.8.2-2ubuntu8 to connect. I configured SASL2 to use GSSAPI for libvirt following the instructions in the libvirt docs, created a keytab with libvirt/my.fully.qualified.domain at MY-REALM.COM (has a dash fwiw) and pointed SASL2 and libvirt at /etc/krb5.keytab (changing the location of that doesn't seem to work for my version, but that's no biggie).

So I sit on my client and run this:
virsh -c qemu+tcp://my.fully.qualified.domain/system
And I get this message on the client:
error: authentication failed
error: failed to connect to the hypervisor
And this on the server logs:
16:37:35.278: error : remoteDispatchAuthSaslStart:3135 : sasl start failed -1 (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Key table entry not found))

For fun, I ran kdestroy and tried again and got this:
error: Failed to start SASL negotiation: -1 (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_1000' not found))
error: failed to connect to the hypervisor

So at least the client seems to be presenting my ticket properly, but the server is either looking for the wrong keytab entry or I can't read very well.

-adam
Ralf Hornik Mailings
2010-Jun-30 14:37 UTC
[libvirt-users] SASL GSSAPI error "Key table entry not found"
Adam Gray <adam at meebo-inc.com> wrote:
> libvirt/my.fully.qualified.domain at MY-REALM.COM (has a dash fwiw) and
> pointed SASL2 and libvirt at /etc/krb5.keytab

What does your KDC say? Have a look at klist -t /etc/krb5.keytab and look whether the principals match (e.g. LIBVIRT/domain is not equal to libvirt/domain).

Ralf
Daniel P. Berrange
2010-Jun-30 17:13 UTC
[libvirt-users] SASL GSSAPI error "Key table entry not found"
On Mon, Jun 28, 2010 at 09:40:49AM -0700, Adam Gray wrote:
> My server and client are running Ubuntu Lucid, libvirt-bin
> 0.7.5-5ubuntu27, qemu-kvm-0.12.3+noroms-0ubuntu9 and I'm using
> virt-viewer-0.0.3-6ubuntu7.xul19 or virt-manager-0.8.2-2ubuntu8 to
> connect. I configured SASL2 to use GSSAPI for libvirt following the
> instructions in the libvirt docs, created a keytab with
> libvirt/my.fully.qualified.domain at MY-REALM.COM (has a dash fwiw) and
> pointed SASL2 and libvirt at /etc/krb5.keytab (changing the location
> of that doesn't seem to work for my version, but that's no biggie).

If changing the location in /etc/sasl2/libvirt.conf doesn't work then you likely have a broken kerberos/sasl library. This works in latest versions, but for broken systems you can work around it by setting KRB5_KTNAME=/etc/libvirt/krb5.tab as an env variable when starting libvirtd.

>
> So I sit on my client and run this:
> virsh -c qemu+tcp://my.fully.qualified.domain/system
> And I get this message on the client:
> error: authentication failed
> error: failed to connect to the hypervisor
> And this on the server logs:
> 16:37:35.278: error : remoteDispatchAuthSaslStart:3135 : sasl start
> failed -1 (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Key table entry not
> found))

Do you have your server hostname configured to exactly match my.fully.qualified.domain (as per hostname -f command), and is that hostname present in the DNS records, both forward and reverse lookups? Using /etc/hosts is not sufficient for kerberos to work IIRC.

>
> For fun, I ran kdestroy and tried again and got this:
> error: Failed to start SASL negotiation: -1 (SASL(-1): generic
> failure: GSSAPI Error: Unspecified GSS failure. Minor code may
> provide more information (Credentials cache file '/tmp/krb5cc_1000'
> not found))
> error: failed to connect to the hypervisor

That just says the client doesn't have a ticket so not really of interest since you just kdestroy'd the ticket :-)

Daniel
-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
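
The keytab check suggested in the replies above, as an added example that is not part of the original thread: it compares the libvirt/<fqdn>@<REALM> principal the server needs against a keytab listing, and separates a case-only mismatch from a missing entry. The function names are hypothetical, the sample listing is constructed in the MIT `klist -k` layout, and the principal is written with "@" where the archive shows " at ".

```shell
#!/bin/sh
# Added example: compare the service principal libvirtd needs with the
# entries a keytab actually holds. Principal names are case-sensitive.

# Constructed sample of `klist -k` output (MIT Kerberos layout); not from the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/my.fully.qualified.domain@MY-REALM.COM
   3 LIBVIRT/my.fully.qualified.domain@MY-REALM.COM'

# expected_principal FQDN REALM: the libvirt/<fqdn>@<REALM> name from the thread.
expected_principal() {
    printf 'libvirt/%s@%s\n' "$1" "$2"
}

# check_keytab_listing PRINCIPAL: reads `klist -k` output on stdin.
# Exit 0 = exact entry, 1 = entry differs only by case, 2 = no entry.
check_keytab_listing() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ {                         # entry rows start with the KVNO
            for (i = 2; i <= NF; i++) {
                if (index($i, "@") == 0) continue # skip timestamp/enctype columns
                if ($i == want) exact = 1
                else if (tolower($i) == tolower(want)) near = $i
            }
        }
        END {
            if (exact) { print "match: " want; exit 0 }
            if (near != "") { print "case mismatch: keytab has " near; exit 1 }
            print "missing: " want; exit 2
        }'
}

# Demo on the constructed sample. On a real server, feed it live data instead:
#   klist -k /etc/krb5.keytab | \
#     check_keytab_listing "$(expected_principal "$(hostname -f)" MY-REALM.COM)"
want=$(expected_principal my.fully.qualified.domain MY-REALM.COM)
printf '%s\n' "$SAMPLE_KLIST" | check_keytab_listing "$want" || true
```

Exit status 1 or 2 from the live form means the keytab does not hold the exact name built from `hostname -f`, which is the condition the two replies ask about.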