Hi!

Having two hosts installed with libvirtd, kvm, qemu on (Ubuntu 10.10). Now I have one big problem and one less:

I have set up kerberos for both hosts. Created the principal "libvirt/srv1.example.org at EXAMPLE.ORG" and "libvirt/srv2.example.org at EXAMPLE.ORG", exported the krb5.keytab, installed it and tested the servers:

srv1.example.org: I can connect using kerberos after acquiring a ticket with kinit.

srv2.example.org: I am asked for user and password. Setup seems to be identical. Is there a way to debug what is going on on this server? I'd like to have both respect kerberos and allow logging in with no password if already authenticated!

Here is what I've set up:

/etc/sasl2/libvirt.conf
listen_tls = 0
listen_tcp = 1
mdns_adv = 0
auth_unix_ro = "none"
auth_unix_rw = "none"
auth_tcp = "sasl"

/etc/sasl2/libvirt.conf
mech_list: gssapi
keytab: /etc/libvirt/krb5.kqemu
sasldb_path: /etc/libvirt/passwd.db

I start libvirtd with:
KRB5_KTNAME=/etc/libvirt/krb5.kqemu /usr/sbin/libvirtd -d --listen

In virt-manager I've set both hosts:
qemu+tcp://srv1.example.org
qemu+tcp://srv2.example.org

Since both configs are identical (I've run diff on them) I am a bit lost at the moment. I do not have any idea why it works for one host, but not the other. Any ideas?

--
Thomas
Daniel P. Berrange
2011-Jan-28 11:07 UTC
[libvirt-users] libvirtd + vir-manager + kerberos
On Fri, Jan 28, 2011 at 12:59:28AM +0100, Thomas Schweikle wrote:
> Hi!
>
> Having two hosts installed with libvirtd, kvm, qemu on (Ubuntu
> 10.10). Now I have one big problem and one less:
>
> I have set up kerberos for both hosts. Created the principal
> "libvirt/srv1.example.org at EXAMPLE.ORG" and
> "libvirt/srv2.example.org at EXAMPLE.ORG", exported the krb5.keytab,
> installed it and tested the servers:
>
> srv1.example.org: I can connect using kerberos after acquiring a
> ticket with kinit.
>
> srv2.example.org: I am asked for user and password. Setup seems to
> be identical. Is there a way to debug what is going on on this
> server? I'd like to have both respect kerberos and allow logging in
> with no password if already authenticated!
>
> Here is what I've set up:
> /etc/sasl2/libvirt.conf
> listen_tls = 0
> listen_tcp = 1
> mdns_adv = 0
> auth_unix_ro = "none"
> auth_unix_rw = "none"
> auth_tcp = "sasl"
>
> /etc/sasl2/libvirt.conf
> mech_list: gssapi
> keytab: /etc/libvirt/krb5.kqemu
> sasldb_path: /etc/libvirt/passwd.db
>
> I start libvirtd with:
> KRB5_KTNAME=/etc/libvirt/krb5.kqemu /usr/sbin/libvirtd -d --listen
>
> In virt-manager I've set both hosts:
> qemu+tcp://srv1.example.org
> qemu+tcp://srv2.example.org
>
> Since both configs are identical (I've run diff on them) I am a bit
> lost at the moment. I do not have any idea why it works for one
> host, but not the other. Any ideas?

Also check file permissions and make sure you've restarted libvirtd.

Also make sure /etc/hosts is accurate and that the name reported by the 'hostname' command resolves to a real IP address (ie not 127.0.0.1), and that the IP address resolves back to the original hostname.

You can set LIBVIRT_DEBUG=1 for virsh, and similar for libvirtd in /etc/libvirt/libvirtd.conf to see verbose debugging.

Also 'klist' on the client will show whether the client ever even started kerberos for the host in question - you should see the host's ticket present.

Daniel
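The checks Daniel lists, scripted as an added example that is not part of the thread: it verifies that the hostname resolves to a non-loopback address that resolves back to the same name, that the keytab exists and is not group/world readable, and (on the client) that a libvirt/<host> service ticket is cached. It assumes the keytab path from Thomas's setup and standard tools (hostname, getent, stat, klist, awk).

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread) for the checks Daniel lists:
# forward/reverse DNS for the host, keytab permissions, client ticket. Assumes
# the keytab path from Thomas's setup and standard tools: getent, stat, klist.
KEYTAB=${KEYTAB:-/etc/libvirt/krb5.kqemu}

# 0 if loopback (127.0.0.0/8 or ::1); Ubuntu maps the hostname to 127.0.1.1
# in /etc/hosts by default, which is exactly the case to catch.
is_loopback() { case "$1" in 127.*|::1) return 0 ;; *) return 1 ;; esac; }

# Lower-case a DNS name and strip a trailing dot for comparison.
norm_name() { printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# 0 if host -> addr -> reverse name round-trips to the same non-loopback host.
rdns_consistent() {
    [ -n "$2" ] || return 1
    is_loopback "$2" && return 1
    [ "$(norm_name "$1")" = "$(norm_name "$3")" ]
}

# 0 if an octal mode (as printed by stat -c %a) grants nothing to group/other.
keytab_mode_ok() { case "$1" in *00) return 0 ;; *) return 1 ;; esac; }

run_checks() {
    host=$(hostname -f 2>/dev/null || hostname)
    addr=$(getent hosts "$host" | awk '{print $1; exit}')
    rev=$(getent hosts "$addr" | awk '{print $2; exit}')
    if rdns_consistent "$host" "$addr" "$rev"; then
        echo "ok: $host -> $addr -> $rev"
    else
        echo "FAIL: $host -> ${addr:-?} -> ${rev:-?} (need non-loopback round-trip)"
    fi
    if [ -r "$KEYTAB" ]; then
        mode=$(stat -c %a "$KEYTAB")
        keytab_mode_ok "$mode" && echo "ok: $KEYTAB mode $mode" \
            || echo "WARN: $KEYTAB mode $mode is readable by group/other"
    else
        echo "FAIL: $KEYTAB missing or unreadable as $(id -un)"
    fi
    # Client side: a cached libvirt/<host> ticket shows GSSAPI was attempted.
    if klist 2>/dev/null | grep -q "libvirt/$host"; then
        echo "ok: service ticket for libvirt/$host cached"
    else
        echo "note: no libvirt/$host ticket cached (kinit, then connect once)"
    fi
}
# Live checks only with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as `sh check.sh --run` on each server (and on the client for the klist part); the two hosts should give identical results, and any FAIL line is the place where srv2 differs from srv1.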