Hello,
Does anyone have spice server for KVM Linux guests working with GSSAPI
authentication? I've been trying for a while and I simply can't get it
to work. I don't know what I'm doing wrong. I wouldn't be surprised if
I've misunderstood something.
I followed this guide:
https://www.freeipa.org/page/Libvirt_with_VNC_Consoles
Yes, the above is for VNC consoles. I just adapted that write up for
spice. When I try to connect to a console from either virt-manager or
with virt-viewer, I'm prompted to enter a password (though I shouldn't
be). When I type in my freeipa domain password, it gets rejected.
libvirtd with Kerberos and GSSAPI is working perfectly. I can use
virt-manager from my Fedora 26 desktop with the below URI:
qemu+tcp://ranbir@kvmhost01/system
virt-manager connects, I get a list of all the running KVMs and I can
work with them like I would if I was running virt-manager over ssh with
X forwarding. The only thing that doesn't work is viewing the consoles.
Details:
- my host is a fully updated CentOS 7 system
- libvirtd is set to listen for tcp connections
- I added the service spice/kvmhost01.theinside.rnr
- I created a keytab for the above and put it on kvmhost01 in
/etc/qemu-kvm/krb5.tab
- the above file has owner:group set to qemu:root with perms 600
- I have the following in /etc/sasl2/qemu-kvm.conf
    mech_list: gssapi
    keytab: /etc/qemu-kvm/krb5.tab
- I have the following in /etc/libvirt/qemu.conf
    spice_listen = "0.0.0.0"
    spice_tls = 0
    spice_sasl = 1
    spice_sasl_dir = "/etc/sasl2/"
- the first time I try to view a console, I get the kerberos tickets I
  expect to:
    Ticket cache: KEYRING:persistent:625400004:krb_ccache_7rtJmh8
    Default principal: ranbir@THEINSIDE.RNR
    Valid starting        Expires               Service principal
    2017-12-29 18:37:45   2017-12-30 18:01:40   spice/kvmhost01.theinside.rnr@THEINSIDE.RNR
    2017-12-29 18:37:40   2017-12-30 18:01:40   libvirt/kvmhost01.theinside.rnr@THEINSIDE.RNR
    2017-12-29 18:01:40   2017-12-30 18:01:40   krbtgt/THEINSIDE.RNR@THEINSIDE.RNR
I'm surprised there isn't more info available about this online. That's
why I'm now here asking for assistance.
Does anyone have any suggestions/advice?
Thanks in advance!
--
Ranbir
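A small sanity checker for the pieces listed in the post above (SASL config, keytab ownership and mode, the libvirt spice_sasl settings), added here as an example; it is not part of the original message nor of libvirt or spice. It assumes a Linux host with GNU stat; the config paths and the expected keytab owner are passed as arguments, so the poster's values (/etc/sasl2/qemu-kvm.conf, /etc/libvirt/qemu.conf, owner qemu) are only the suggested invocation.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (Linux).
# Usage: check_spice_sasl_setup <sasl-conf> <libvirt-qemu.conf> <expected-keytab-owner>
# e.g.   check_spice_sasl_setup /etc/sasl2/qemu-kvm.conf /etc/libvirt/qemu.conf qemu
# Returns 0 when every check passes; otherwise prints each failure and returns 1.
check_spice_sasl_setup() {
    sasl_conf=$1; qemu_conf=$2; want_owner=$3; rc=0
    for f in "$sasl_conf" "$qemu_conf"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done
    # The SASL mechanism list must be exactly gssapi, as in the post.
    grep -Eq '^[[:space:]]*mech_list:[[:space:]]*gssapi[[:space:]]*$' "$sasl_conf" \
        || { echo "mech_list is not 'gssapi' in $sasl_conf"; rc=1; }
    # Pull the keytab path from the SASL config, then verify owner and mode 600.
    keytab=$(sed -n 's/^[[:space:]]*keytab:[[:space:]]*//p' "$sasl_conf" | head -n 1)
    if [ -z "$keytab" ]; then
        echo "no 'keytab:' line in $sasl_conf"; rc=1
    elif [ ! -f "$keytab" ]; then
        echo "keytab $keytab not found"; rc=1
    else
        owner=$(stat -c %U "$keytab"); mode=$(stat -c %a "$keytab")
        [ "$owner" = "$want_owner" ] \
            || { echo "keytab owner is $owner, expected $want_owner"; rc=1; }
        [ "$mode" = "600" ] || { echo "keytab mode is $mode, expected 600"; rc=1; }
    fi
    # libvirt side: SASL enabled, and spice_sasl_dir pointing at the dir holding sasl_conf.
    grep -Eq '^spice_sasl[[:space:]]*=[[:space:]]*1' "$qemu_conf" \
        || { echo "spice_sasl is not 1 in $qemu_conf"; rc=1; }
    want_dir=$(dirname "$sasl_conf")
    got_dir=$(sed -n 's/^spice_sasl_dir[[:space:]]*=[[:space:]]*"\(.*\)"/\1/p' "$qemu_conf" | head -n 1)
    [ "${got_dir%/}" = "${want_dir%/}" ] \
        || { echo "spice_sasl_dir '$got_dir' does not match $want_dir"; rc=1; }
    return $rc
}
```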