Hi Natxo,

On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote:
> hi,
>
> I'm following the howto on
> http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate
> users for virsh with ipa.
>
> I have it mostly working :-) except for the fact that libvirtd is not
> respecting the sasl_allowed_username_list parameter.
>
> If I do not set it, and I have a realm ticket, then I may login virsh
> or virtual manager and I get tickets for libvirt/vnc services.
>
> If I do set it, then it tells me the client is not in the whitelist,
> so I cannot log in :-)
>
>
> 2012-11-30 12:00:53.403+0000: 7786: error :
> virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
> whitelist
> 2012-11-30 12:00:53.403+0000: 7786: error :
> virNetSASLContextCheckIdentity:150 : Client's username is not on the
> list of allowed clients
> 2012-11-30 12:00:53.403+0000: 7786: error :
> remoteDispatchAuthSaslStep:2447 : authentication failed:
> authentication failed
> 2012-11-30 12:00:53.415+0000: 7781: error : virNetSocketReadWire:999 :
> End of file while reading data: Input/output error
>
> Is this a question for the libvirt folks or is it ok to post it here?

Seems more like a libvirt or maybe even a cyrus-sasl question but I would be interested in knowing what is going on.

Have you used a full principal name including the realm in the list, or just the bare user names?

CCing libvirt-users.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Daniel P. Berrange
2012-Nov-30 14:42 UTC
[libvirt-users] [Freeipa-users] libvirt with vnc freeipa
On Fri, Nov 30, 2012 at 09:25:34AM -0500, Simo Sorce wrote:
> Hi Natxo,
>
> On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote:
> > hi,
> >
> > I'm following the howto on
> > http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate
> > users for virsh with ipa.
> >
> > I have it mostly working :-) except for the fact that libvirtd is not
> > respecting the sasl_allowed_username_list parameter.
> >
> > If I do not set it, and I have a realm ticket, then I may login virsh
> > or virtual manager and I get tickets for libvirt/vnc services.
> >
> > If I do set it, then it tells me the client is not in the whitelist,
> > so I cannot log in :-)

That indicates the client identity is not matching against the whitelist. What are you setting it to?

> > 2012-11-30 12:00:53.403+0000: 7786: error :
> > virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
> > whitelist
> > 2012-11-30 12:00:53.403+0000: 7786: error :
> > virNetSASLContextCheckIdentity:150 : Client's username is not on the
> > list of allowed clients
> > 2012-11-30 12:00:53.403+0000: 7786: error :
> > remoteDispatchAuthSaslStep:2447 : authentication failed:
> > authentication failed
> > 2012-11-30 12:00:53.415+0000: 7781: error : virNetSocketReadWire:999 :
> > End of file while reading data: Input/output error
> >
> > Is this a question for the libvirt folks or is it ok to post it here?
>
> Seems more like a libvirt or maybe even a cyrus-sasl question but I would
> be interested in knowing what is going on.
>
> Have you used a full principal name including the realm in the list, or
> just the bare user names?

Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org       -o-    http://virt-manager.org :|
|: http://autobuild.org     -o-    http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o-   http://live.gnome.org/gtk-vnc :|
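
An added example, not part of the thread or of libvirt's code: a small diagnostic for the question both replies ask, that pulls the identity libvirtd actually logged and tests it against a candidate sasl_allowed_username_list. It assumes entries are compared to the SASL identity as case-sensitive shell-style globs (Python's fnmatchcase stands in for POSIX fnmatch); the function names and the EXAMPLE.COM realm are constructed placeholders.

```python
import re
from fnmatch import fnmatchcase

# Log lines from the thread, re-joined where the mail client wrapped them.
LOG = """\
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in whitelist
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:150 : Client's username is not on the list of allowed clients
"""

REJECT = re.compile(
    r"virNetSASLContextCheckIdentity:\d+ : SASL client (\S+) not allowed in whitelist"
)

def rejected_identities(log_text):
    """Return the SASL identities libvirtd reported as rejected, in log order."""
    return [m.group(1) for m in REJECT.finditer(log_text)]

def matching_entries(identity, whitelist):
    """Return the whitelist entries that match identity as case-sensitive globs."""
    return [p for p in whitelist if fnmatchcase(identity, p)]

def diagnose(log_text, whitelist):
    """Map each rejected identity to a verdict about the configured list."""
    report = {}
    for ident in rejected_identities(log_text):
        hits = matching_entries(ident, whitelist)
        if hits:
            report[ident] = "matches " + ", ".join(hits)
        elif "@" not in ident and any(
            "@" in p and p.split("@", 1)[0] == ident for p in whitelist
        ):
            # The list names user@REALM but the daemon compared a bare name.
            report[ident] = "list has realm-qualified entry, daemon saw bare name"
        elif "@" in ident and ident.split("@", 1)[0] in whitelist:
            # The list names a bare user but the daemon compared user@REALM.
            report[ident] = "list has bare name, daemon saw realm-qualified name"
        else:
            report[ident] = "no entry for this identity"
    return report

if __name__ == "__main__":
    # Constructed candidate lists; EXAMPLE.COM is a placeholder realm.
    for wl in (["admin@EXAMPLE.COM"], ["admin"], ["*@EXAMPLE.COM"]):
        print(wl, "->", diagnose(LOG, wl))
```

The identity string in the "SASL client ... not allowed in whitelist" line is the value to compare list entries against when checking a configuration.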